[pkg-apparmor] Bug#921866: apparmor: AppArmor does not load all valid profiles if broken profile symlink exists
Vincas Dargis
vindrg at gmail.com
Sat Feb 9 15:54:18 GMT 2019
Package: apparmor
Version: 2.13.2-7
Severity: normal
Tags: upstream
Dear Maintainer,
AppArmor does not load all (just some) profiles if `/etc/apparmor.d/`
contains a broken symlink to a previously existing local profile.
Steps to reproduce:
```
sudo ln -s /foo/bar/nonexistent /etc/apparmor.d/usr.bin.foo
sudo aa-teardown # or reboot, systemctl restart is not enough
sudo systemctl restart apparmor
sudo aa-status
```
This is `aa-status` after creating a broken symlink:
```
$ sudo aa-status
apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
/usr/bin/freshclam
libreoffice-xpdfimport
2 profiles are in complain mode.
mdnsd
smbd
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/bin/freshclam (558)
```
And this is how it looks without the broken symlink:
```
apparmor module is loaded.
53 profiles are loaded.
37 profiles are in enforce mode.
/usr/bin/freshclam
/usr/bin/man
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/lib/cups/backend/cups-pdf
/usr/local/bin/netest.sh
/usr/sbin/apt-cacher-ng
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ejabberdctl
/usr/sbin/ejabberdctl//su
/usr/sbin/haveged
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
/usr/sbin/sshd
/usr/sbin/sshd//passwd
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
dhclient
libreoffice-oopslash
libreoffice-senddoc
libreoffice-soffice
libreoffice-soffice//gpg
libreoffice-xpdfimport
man_filter
man_groff
thunderbird
thunderbird//browser_java
thunderbird//browser_openjdk
thunderbird//gpg
thunderbird//sanitized_helper
16 profiles are in complain mode.
/usr/bin/irssi
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
5 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
5 processes are unconfined but have a profile defined.
/usr/bin/freshclam (558)
/usr/sbin/cups-browsed (608)
/usr/sbin/cupsd (566)
/usr/sbin/haveged (508)
/usr/sbin/sshd (736)
```
Journal does not produce any notice about failure (while restarting):
```
$ sudo journalctl -n0 -f -u apparmor
-- Logs begin at Sat 2019-02-09 17:25:42 EET. --
Feb 09 17:50:59 debian-sid systemd[1]: Stopping Load AppArmor profiles...
Feb 09 17:50:59 debian-sid systemd[1]: apparmor.service: Succeeded.
Feb 09 17:50:59 debian-sid systemd[1]: Stopped Load AppArmor profiles.
Feb 09 17:50:59 debian-sid systemd[1]: Starting Load AppArmor profiles...
Feb 09 17:50:59 debian-sid apparmor.systemd[6842]: Restarting AppArmor
Feb 09 17:50:59 debian-sid apparmor.systemd[6842]: Reloading AppArmor profiles
Feb 09 17:50:59 debian-sid systemd[1]: Started Load AppArmor profiles.
```
`apparmor_parser` returns 0:
```
$ sudo /sbin/apparmor_parser --write-cache --verbose --replace -- /etc/apparmor.d && echo $?
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.lib.libreoffice.program.xpdfimport".
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.sbin.mdnsd".
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.bin.freshclam".
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.sbin.smbd".
0
```
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor depends on:
ii debconf [debconf-2.0] 1.5.70
ii libc6 2.28-6
ii lsb-base 10.2018112800
ii python3 3.7.2-1
apparmor recommends no packages.
Versions of packages apparmor suggests:
ii apparmor-profiles-extra 1.25
ii apparmor-utils 2.13.2-7
-- no debconf information
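
A pre-restart check for the condition in this report, as an added example that is not part of the original message or of the apparmor package: it lists dangling symlinks in a profile directory so the silent partial load can be caught before profiles are reloaded. The function names and exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect dangling symlinks in an AppArmor profile directory.
# Function names and exit codes are hypothetical, not part of AppArmor.
# Intended use: check_profile_dir /etc/apparmor.d && systemctl restart apparmor

# Print each symlink directly inside $1 whose target cannot be resolved
# (missing target or symlink loop), one path per line.
# Returns 2 if $1 is not a directory.
find_broken_profile_links() {
    dir=$1
    [ -d "$dir" ] || return 2
    for entry in "$dir"/*; do
        # -L: the entry itself is a symlink
        # ! -e: following the link does not reach an existing file
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Exit status: 0 = no dangling links, 1 = dangling links found,
# 2 = directory missing. Each offender is reported on stderr with
# the target it points at.
check_profile_dir() {
    dir=$1
    broken=$(find_broken_profile_links "$dir") || return 2
    if [ -n "$broken" ]; then
        printf '%s\n' "$broken" | while IFS= read -r link; do
            printf 'dangling profile symlink: %s -> %s\n' \
                "$link" "$(readlink "$link")" >&2
        done
        return 1
    fi
    return 0
}
```
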