AppArmor fails to load with kernel 5.1.0 #61145

Closed
attente opened this issue May 8, 2019 · 9 comments
Labels
0.kind: regression Something that worked before working no longer

Comments

@attente

attente commented May 8, 2019

Issue description

Upgrading to kernel 5.1.0 from pkgs.linuxPackages_latest breaks apparmor, preventing it from loading. Furthermore, this also breaks nixos-rebuild switch, requiring a kernel downgrade to pkgs.linuxPackages_5_0 (kernel 5.0.13) to fix this.

The error is:

[sudo] password for william: 
unpacking channels...
building Nix...
building the system configuration...
activating the configuration...
setting up /etc...
reloading user units for william...
setting up tmpfiles
the following new units were started: cpu-throttling.service
warning: the following units failed: apparmor.service

● apparmor.service
   Loaded: loaded (/nix/store/csxmp1iy3f5ijy8m0ajx6ch5n8milljc-unit-apparmor.service/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-08 10:29:31 EDT; 17ms ago
  Process: 2996 ExecStart=/nix/store/5v3ysffjypsndwxkh16byzaa3g55lz4g-apparmor-parser-2.13.1/bin/apparmor_parser -rKv -I /nix/store/gj3zvpgbsnx85nbbrpb5s2kjz4y85w80-apparmor-profiles-2.13.1/etc/apparmor.d -I /nix/store/pmgymay0liaz5xy65z9n029v2qn6k79v-lxc-3.1.0/etc/apparmor.d /nix/store/pmgymay0liaz5xy65z9n029v2qn6k79v-lxc-3.1.0/etc/apparmor.d/usr.bin.lxc-start (code=exited, status=1/FAILURE)
 Main PID: 2996 (code=exited, status=1/FAILURE)

May 08 10:29:31 helium systemd[1]: Starting apparmor.service...
May 08 10:29:31 helium apparmor_parser[2996]: Warning from stdin (line 1): config file '/etc/apparmor/parser.conf' not found
May 08 10:29:31 helium apparmor_parser[2996]: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
May 08 10:29:31 helium apparmor_parser[2996]: Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
May 08 10:29:31 helium apparmor_parser[2996]: Use --subdomainfs to override.
May 08 10:29:31 helium systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
May 08 10:29:31 helium systemd[1]: apparmor.service: Failed with result 'exit-code'.
May 08 10:29:31 helium systemd[1]: Failed to start apparmor.service.
warning: error(s) occurred while switching to the new configuration

I believe the main issue is from this line here: apparmor_parser[2996]: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)

Steps to reproduce

boot.kernelPackages = pkgs.linuxPackages_latest; and security.apparmor.enable = true; should be sufficient to reproduce the problem, although apparmor was already implicitly enabled on my system. I believe it's because of lxd.

Technical details

➜  ~ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.1.0, NixOS, 19.09pre178846.7defc47944f (Loris)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.2.2`
 - channels(root): `"nixos-19.09pre178846.7defc47944f, nixos-hardware"`
 - channels(william): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
@attente attente changed the title Apparmor fails to load with kernel 5.1.0 AppArmor fails to load with kernel 5.1.0 May 8, 2019
@attente
Author

attente commented May 10, 2019

It can alternatively be reproduced with boot.kernelPackages = pkgs.linuxPackages_latest; and virtualisation.lxd.enable = true;. I've removed the second part as a workaround.

@DIzFer
Contributor

DIzFer commented May 10, 2019

I can reproduce the apparmor issue (on unstable-small 19.09pre179342.0fe5e0279fe), but I can keep rebuilding once apparmor.service fails. Not sure if I'm understanding that part right though...

@joachifm joachifm self-assigned this May 11, 2019
@joachifm joachifm added the 0.kind: regression Something that worked before working no longer label May 11, 2019
@joachifm
Contributor

joachifm commented May 11, 2019

Off the top of my head I'd guess that this is related to securityfs not being mounted; is it? (should be at /sys/kernel/security). I recently tweaked the ordering of the apparmor unit, so this could be fallout from that (EDIT: probably not).

@joachifm
Contributor

joachifm commented May 11, 2019

Hm, from my testing it seems that the selinux lsm is selected by the kernel at boot instead of apparmor for whatever reason under 5.1. I do note that linux_latest.configfile no longer explicitly sets the default security= boot parameter to "apparmor".

Can you check dmesg output? When apparmor is selected, you should see something like "AppArmor: AppArmor Filesystem Enabled"; if that is missing, look for mentions of selinux.

Explicitly setting boot.kernelParams = [ "security=apparmor" ]; fixes the issue on my end; I'll push a patch to that effect.

joachifm added a commit to joachifm/nixpkgs that referenced this issue May 11, 2019
Otherwise we're subject to whatever defaults were selected at kernel build
time.

See also: NixOS#61145
@joachifm
Contributor

I believe this has been fixed. Please reopen if the problem persists.

joachifm added a commit that referenced this issue May 17, 2019
Otherwise we're subject to whatever defaults were selected at kernel build
time.

See also: #61145

(cherry picked from commit 68f5d1f)
tadeokondrak pushed a commit to tadeokondrak/nixpkgs that referenced this issue May 17, 2019
Otherwise we're subject to whatever defaults were selected at kernel build
time.

See also: NixOS#61145
@aaronjanse
Member

This is a problem again. Would somebody please re-open this issue?

@aaronjanse
Member

Hmmm, this seems to be fixed by a reboot. Is there some way to say "reboot required" from nixos-rebuild switch?

@mlvzk
Member

mlvzk commented May 23, 2020

> Hmmm, this seems to be fixed by a reboot. Is there some way to say "reboot required" from nixos-rebuild switch?

I just had the same issue and reboot indeed fixed it, thanks a lot

@ReliefCrew

ReliefCrew commented Aug 19, 2020

> Hmmm, this seems to be fixed by a reboot. Is there some way to say "reboot required" from nixos-rebuild switch?

Just reproduced this by adding virtualisation.lxd.enable = true; to /etc/nixos/configuration.nix.

Making a reboot unnecessary would be even better :-) Either way the problem still exists and significantly impacts usability... any plans on addressing it?
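
An added diagnostic for this thread (not code from the issue or from nixpkgs) that applies joachifm's diagnosis together with the later reboot reports: it reads the active LSM list, compares it with the running and the newly configured kernel parameters, and reports whether security=apparmor is missing, is staged but only takes effect after a reboot, or whether securityfs is absent. It assumes /run/current-system/kernel-params is where NixOS records the configured parameters.

```shell
# Added example for this thread, not code from the issue or nixpkgs; POSIX sh.
# has_security_param CMDLINE LSM: succeeds if CMDLINE contains "security=LSM"
has_security_param() {
    for w in $1; do
        [ "$w" = "security=$2" ] && return 0
    done
    return 1
}

# lsm_status ACTIVE RUNNING CONFIGURED
#   ACTIVE:     contents of /sys/kernel/security/lsm (comma-separated)
#   RUNNING:    /proc/cmdline of the kernel that is currently booted
#   CONFIGURED: kernel params of the generation just switched to
#               (assumed: /run/current-system/kernel-params on NixOS)
# Prints one status word; exit status is always 0 so callers branch on the text.
lsm_status() {
    active=$1; running=$2; configured=$3
    # No list at all: securityfs is not mounted, so apparmor_parser has no interface file.
    if [ -z "$active" ]; then
        echo securityfs-missing; return 0
    fi
    case ",$active," in
        *,apparmor,*) echo apparmor-active; return 0 ;;
    esac
    # AppArmor lost the boot-time selection; record which major LSM won.
    other=none
    for l in selinux smack tomoyo; do
        case ",$active," in *,"$l",*) other=$l ;; esac
    done
    if has_security_param "$running" apparmor; then
        echo "apparmor-param-ignored:$other"      # booted with it, still inactive
    elif has_security_param "$configured" apparmor; then
        echo reboot-required                       # fix is staged, kernel predates it
    else
        echo "add-security-apparmor:$other"        # the fix from this issue
    fi
}

# Constructed sample matching the thread: selinux won, fix not yet configured.
sample_active='capability,yama,selinux'
sample_cmdline='init=/nix/store/EXAMPLE-nixos-system/init loglevel=4'
lsm_status "$sample_active" "$sample_cmdline" "$sample_cmdline"
# After adding boot.kernelParams = [ "security=apparmor" ] and switching:
lsm_status "$sample_active" "$sample_cmdline" "$sample_cmdline security=apparmor"

# Live check on the current machine (skipped where securityfs is unreadable)
if [ -r /sys/kernel/security/lsm ]; then
    lsm_status "$(cat /sys/kernel/security/lsm)" "$(cat /proc/cmdline)" \
        "$(cat /run/current-system/kernel-params 2>/dev/null)"
fi
```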
