
Comments (15)

roddhjav commented on May 22, 2024

Sorry about this, I will add a troubleshooting section to help people in this situation.

Usually, when a system breaks, it is because of one of the really core pieces of software on your system, such as a systemd tool, xorg, wayland, gdm...

To recover your system, you should:

  1. Boot from a live USB
  2. If encrypted, decrypt your root drive: cryptsetup open /dev/<your-disk-id> vg0
  3. Mount your root partition: mount /dev/<your-plain-disk-id> /mnt
  4. Chroot into your system: arch-chroot /mnt
  5. Print the AppArmor log: aa-log
  6. Temporarily fix the issue:
    • Manually remove the faulty profile: rm /etc/apparmor.d/<profile-name>
    • Or remove the full package: pacman -R apparmor.d
  7. Exit and reboot: exit, umount -R /mnt, reboot

Then you can report the AppArmor log here.

from apparmor.d.

roddhjav commented on May 22, 2024

Thanks for these reports. At first look these are minor issues. I will update the rules. Can you also provide the ALLOWED log?

I develop this project on Arch, so it should actually work fine. However, more than the Linux distribution, the software you use matters a lot. So this kind of bug is expected at an early stage. I also develop a test system that should be able to catch most of the wrongly configured profiles, but it cannot be 100% bulletproof.

@marsianer @BigmenPixel0 When testing, and maybe on first install too, I would recommend you put all profiles in complain mode. To do this, simply add the --complain option to the configure script in the PKGBUILD.

from apparmor.d.

BigmenPixel0 commented on May 22, 2024


Log

from apparmor.d.

BigmenPixel0 commented on May 22, 2024


log.txt

from apparmor.d.

roddhjav commented on May 22, 2024

You are right, this project requires overwriting these two files. The correct way to install should then be:

makepkg -s
sudo pacman -U apparmor.d-*.pkg.tar.zst \
  --overwrite etc/apparmor.d/tunables/global \
  --overwrite etc/apparmor.d/tunables/xdg-user-dirs

I will update the README to reflect this.

Please report any issue with the installation or with AppArmor logs raised; depending on what software you are using, you might see a few of them.

from apparmor.d.

BigmenPixel0 commented on May 22, 2024

Installed the package and lost the system (it did not start; I turned off AppArmor and bugs appeared in the system).
Reinstalled; I'm afraid to install apparmor.d again. :)

from apparmor.d.

marsianer commented on May 22, 2024

I can confirm this behavior.
It currently does not work on ArchLinux.

from apparmor.d.

BigmenPixel0 commented on May 22, 2024

I tried doing it in a virtual machine. Everything works here, but with minor problems (systemd zram-generator does not work, for example).

$ sudo aa-log | grep DENIED
DENIED  zram-generator open /etc/systemd/zram-generator.conf comm=zram-generator requested_mask=r denied_mask=r
DENIED  systemd-hostnamed open /etc/machine-info comm=systemd-hostnam requested_mask=r denied_mask=r
DENIED  child-systemctl symlink /etc/systemd/user/sockets.target.wants/gcr-ssh-agent.socket comm=systemctl requested_mask=c denied_mask=c
DENIED  child-systemctl symlink /etc/systemd/user/sockets.target.wants/pulseaudio.socket comm=systemctl requested_mask=c denied_mask=c
DENIED  child-systemctl symlink /etc/systemd/user/sockets.target.wants/pipewire.socket comm=systemctl requested_mask=c denied_mask=c
DENIED  child-systemctl symlink /etc/systemd/user/pipewire-session-manager.service comm=systemctl requested_mask=c denied_mask=c
DENIED  child-systemctl mkdir /etc/systemd/user/pipewire.service.wants/ comm=systemctl requested_mask=c denied_mask=c
DENIED  gsd-housekeeping mkdir /home/user/.local/share/applications/ comm=gsd-housekeepin requested_mask=c denied_mask=c
DENIED  gnome-session-binary exec /usr/bin/grep comm=gnome-shell-ove requested_mask=x denied_mask=x
DENIED  gnome-session-binary open /usr/bin/grep comm=gnome-shell-ove requested_mask=r denied_mask=r
DENIED  gnome-session-binary exec /usr/bin/mkdir comm=gnome-shell-ove requested_mask=x denied_mask=x
DENIED  gnome-session-binary open /usr/bin/mkdir comm=gnome-shell-ove requested_mask=r denied_mask=r
DENIED  gnome-session-binary exec /usr/bin/gsettings comm=gnome-shell-ove requested_mask=x denied_mask=x
DENIED  gsd-sound mkdir /home/user/.local/share/sounds/ comm=gsd-sound requested_mask=c denied_mask=c
DENIED  gnome-session-binary open /usr/bin/gsettings comm=gnome-shell-ove requested_mask=r denied_mask=r
DENIED  gnome-session-binary exec /usr/bin/touch comm=gnome-shell-ove requested_mask=x denied_mask=x
DENIED  gnome-session-binary open /usr/bin/touch comm=gnome-shell-ove requested_mask=r denied_mask=r
DENIED  gsd-keyboard mkdir /home/user/.local/share/gnome-settings-daemon/ comm=gsd-keyboard requested_mask=c denied_mask=c
DENIED  wireplumber mkdir /home/user/.local/state/ comm=wireplumber requested_mask=c denied_mask=c
DENIED  child-systemctl open /etc/systemd/user/ comm=systemctl requested_mask=r denied_mask=r
DENIED  child-systemctl symlink /etc/systemd/user/sockets.target.wants/pipewire-pulse.socket comm=systemctl requested_mask=c denied_mask=c
DENIED  mkfs-btrfs open /run/blkid/blkid.tab comm=mkfs.btrfs requested_mask=r denied_mask=r
DENIED  mkfs-btrfs open /sys/devices/platform/floppy.0/block/fd0/dev comm=mkfs.btrfs requested_mask=r denied_mask=r
DENIED  mkfs-btrfs mknod /run/blkid/blkid.tab-VZL4uD comm=mkfs.btrfs requested_mask=c denied_mask=c
DENIED  mkfs-btrfs open /run/blkid/blkid.tab comm=mkfs.btrfs requested_mask=wc denied_mask=wc
DENIED  mkfs-btrfs mknod /run/blkid/blkid.tab-sQmouC comm=mkfs.btrfs requested_mask=c denied_mask=c
DENIED  gnome-session-binary mkdir /home/user/.config/gnome-session/ comm=gnome-session-b requested_mask=c denied_mask=c
DENIED  dbus-daemon signal comm=dbus-run-sessio requested_mask=receive denied_mask=receive signal=term peer=dbus-run-session
DENIED  gnome-session-binary open /var/lib/gdm/.cache/mesa_shader_cache/index comm=gnome-session-c requested_mask=wrc denied_mask=wrc
DENIED  gnome-session-binary open /usr/share/glvnd/egl_vendor.d/ comm=gnome-session-c requested_mask=r denied_mask=r
DENIED  gdm-session-worker signal comm=gdm-session-wor requested_mask=send denied_mask=send signal=term peer=gdm-x-session
DENIED  gjs-console open /etc/nsswitch.conf comm=gjs requested_mask=r denied_mask=r
DENIED  gjs-console open /etc/passwd comm=gjs requested_mask=r denied_mask=r
DENIED  gsd-xsettings open /usr/share/gdm/greeter-dconf-defaults comm=gsd-xsettings requested_mask=r denied_mask=r
DENIED  gsd-xsettings open /usr/share/gdm/greeter-dconf-defaults comm=64636F6E6620776F726B6572 requested_mask=r denied_mask=r
DENIED  gdm open /proc/6393/cmdline comm=gdm requested_mask=r denied_mask=r
DENIED  dbus-daemon signal comm=dbus-daemon requested_mask=send denied_mask=send signal=kill peer=dconf-service
DENIED  dconf-service signal comm=dbus-daemon requested_mask=receive denied_mask=receive signal=kill peer=dbus-daemon
DENIED  accounts-daemon open /etc/machine-id comm=accounts-daemon requested_mask=r denied_mask=r
DENIED  gdm-session-worker open /etc/machine-id comm=gdm-session-wor requested_mask=r denied_mask=r
DENIED  fsck exec /usr/bin/fsck.btrfs info="no new privs" comm=fsck requested_mask=x denied_mask=x error=-1
DENIED  mkfs-btrfs mknod /run/blkid/blkid.tab-ooPlDL comm=mkfs.btrfs requested_mask=c denied_mask=c
DENIED  mkfs-btrfs mknod /run/blkid/blkid.tab-sGo0Ex comm=mkfs.btrfs requested_mask=c denied_mask=c
DENIED  dbus-daemon open /etc/machine-id comm=dbus-daemon requested_mask=r denied_mask=r

from apparmor.d.
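The recovery procedure in the first comment ends with "print the AppArmor log" and "remove the faulty profile", and the log above is what aa-log prints. As an added example (not apparmor.d's own tooling, and not code from anyone in this thread), the script below parses aa-log lines of that shape, groups DENIED events by profile so you can see which profile file under /etc/apparmor.d/ to relax first, and drafts the file rule each file denial suggests is missing. It assumes, as step 6 of the procedure does, that the profile file is named after the profile; the sample lines are constructed from the log posted above plus one made-up ALLOWED line to show it is filtered out.

```python
"""Summarise aa-log output: group DENIED events by profile, list the profile
files a recovery would relax, and draft the file rule a denial points at.
Added example for this thread, not part of the apparmor.d project."""
import shlex
from collections import defaultdict

# Constructed sample: a few of the aa-log lines posted in the thread, plus one
# made-up ALLOWED line to show that non-DENIED events are ignored.
SAMPLE_AA_LOG = """\
DENIED  zram-generator open /etc/systemd/zram-generator.conf comm=zram-generator requested_mask=r denied_mask=r
DENIED  child-systemctl symlink /etc/systemd/user/sockets.target.wants/pipewire.socket comm=systemctl requested_mask=c denied_mask=c
DENIED  child-systemctl mkdir /etc/systemd/user/pipewire.service.wants/ comm=systemctl requested_mask=c denied_mask=c
DENIED  dbus-daemon signal comm=dbus-run-sessio requested_mask=receive denied_mask=receive signal=term peer=dbus-run-session
DENIED  fsck exec /usr/bin/fsck.btrfs info="no new privs" comm=fsck requested_mask=x denied_mask=x error=-1
ALLOWED gnome-shell open /etc/fstab comm=gnome-shell requested_mask=r denied_mask=r
"""

# AppArmor rule letters for the access-mask letters aa-log prints.
# "c" (create) is not a rule permission; creating a file needs "w".
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "a", "k": "k", "l": "l", "m": "m"}

# Operations for which "<path> <perms>," is the right kind of rule.
# exec needs a transition mode (ix/px/...) and signal needs a signal rule,
# so those are left to a human.
FILE_OPS = ("open", "mkdir", "mknod", "symlink")


def parse_aa_log_line(line):
    """Parse one aa-log line: VERDICT PROFILE OPERATION [PATH] key=value...
    Returns a dict, or None for blank or unrecognised lines."""
    tokens = shlex.split(line)  # keeps info="no new privs" as one token
    if len(tokens) < 3 or tokens[0] not in ("DENIED", "ALLOWED"):
        return None
    verdict, profile, operation, rest = tokens[0], tokens[1], tokens[2], tokens[3:]
    path = None
    if rest and "=" not in rest[0]:  # a bare token after the operation is the path
        path, rest = rest[0], rest[1:]
    fields = {}
    for tok in rest:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return {**fields, "verdict": verdict, "profile": profile,
            "operation": operation, "path": path}


def summarize_denials(log_text):
    """Group DENIED events: {profile: {operation: [path-or-peer, ...]}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        entry = parse_aa_log_line(line)
        if not entry or entry["verdict"] != "DENIED":
            continue
        target = entry["path"] or entry.get("peer") or ""
        grouped[entry["profile"]][entry["operation"]].add(target)
    return {p: {op: sorted(t) for op, t in ops.items()} for p, ops in grouped.items()}


def profiles_to_relax(log_text, profile_dir="/etc/apparmor.d"):
    """Profile files to remove or set to complain mode, noisiest profile first.
    Assumes the file under profile_dir is named after the profile, as step 6
    of the recovery procedure in the thread does."""
    summary = summarize_denials(log_text)
    ranked = sorted(summary, key=lambda p: -sum(len(t) for t in summary[p].values()))
    return [f"{profile_dir}/{p}" for p in ranked]


def draft_file_rule(entry):
    """Draft the file rule a DENIED file event suggests is missing, e.g.
    '/etc/machine-id r,'.  Returns None for exec/signal or unknown masks;
    the draft is a starting point for review, not something to apply blindly."""
    if entry["operation"] not in FILE_OPS or entry["path"] is None:
        return None
    perms = "".join(sorted({MASK_TO_PERM[c] for c in entry.get("denied_mask", "")
                            if c in MASK_TO_PERM}))
    return f"{entry['path']} {perms}," if perms else None


if __name__ == "__main__":
    for profile, ops in summarize_denials(SAMPLE_AA_LOG).items():
        print(profile)
        for op, targets in ops.items():
            print(f"  {op}: {', '.join(targets)}")
    print("relax first:", profiles_to_relax(SAMPLE_AA_LOG)[0])
    for line in SAMPLE_AA_LOG.splitlines():
        entry = parse_aa_log_line(line)
        if entry and entry["verdict"] == "DENIED":
            print(f"{entry['profile']}: {draft_file_rule(entry) or '(needs a hand-written rule)'}")
```

Run it against a real capture with `sudo aa-log | python3 this_script.py`-style plumbing by replacing SAMPLE_AA_LOG with `sys.stdin.read()`; the ranking tells you which single profile file to remove in step 6 before rebooting, and the drafted rules are what you would review before sending them upstream.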

marsianer commented on May 22, 2024

@roddhjav
Is it possible to change the rules so that no override is required?
It would simplify uninstallation.

I'll try to help troubleshoot when I get a chance.

Notice:
My system is fully encrypted (LUKS)

from apparmor.d.

roddhjav commented on May 22, 2024

The software you use matters a lot.

@BigmenPixel0 For example, I see in the log that you use GNOME with xorg. I focused my work on Wayland as it is more modern; expect issues with xorg.

from apparmor.d.

roddhjav commented on May 22, 2024

@marsianer I tried to keep the override minimal. It might not be needed in the future, but as of today there is no alternative. Also, you only need it on the first install.

from apparmor.d.

roddhjav commented on May 22, 2024

I integrated the aa messages into the project; there should be fewer issues now.

from apparmor.d.

BigmenPixel0 commented on May 22, 2024

@roddhjav
I tried installing apparmor.d on a working system. GDM did not start (probably something else). Here is the log:
log.txt

from apparmor.d.

roddhjav commented on May 22, 2024

Thanks for the log; I see you use software I do not (plymouth). This is the cause of some issues.

Also, could you please build the package in complain mode as shown here: https://github.com/roddhjav/apparmor.d#troubleshooting. Otherwise the software fails on the first access and we cannot observe in the log what it was supposed to do.

from apparmor.d.

roddhjav commented on May 22, 2024

I integrated your log file. Thanks a lot. It is actually really valuable to integrate logs from other systems.

Software like plymouth should not cause issues anymore; it is simply unconfined. If you wish to add a profile for it, PRs are welcome.

However, software that uses flatpak (e.g. Tangram) is not integrated. I will try to add full integration for flatpak in the future, but that is a bit of work. It is not an issue from a security point of view, as this kind of software should be left unconfined since it is sandboxed.

from apparmor.d.
