Apparmor somewhat broken at the moment?

Trying to enforce steam apparmor but got the following error:

sudo aa-enforce /usr/bin/steam
ERROR: Can't parse mount rule mount             ""      -> "/",

Then I found the bug report here.

I tried some other apparmor commands on other profiles and received the same error about mounting.

It is a different error and a different problem.

Your message is pretty obvious - there is an empty word "" in this rule and it is not valid. To claim that “apparmor is broken” you need to demonstrate that this rule is included in an (unmodified) file that is part of apparmor package(s). So start with telling us which file has this rule.

Tried the following commands:
sudo aa-enforce firefox, sudo aa-enforce firefox, sudo genprof thunderbird.
All the above commands return the same error:

ERROR: Can't parse mount rule mount "" -> "/",

Here’s the content of the steam profile at /etc/apparmor.d/steam:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/steam>
}

As a first time apparmor user, I haven’t created any profile by myself yet. I think they are all from OSS’ packages under /etc/apparmor.d/.

How does it answer my question? Find the file which contains this incorrect line. I cannot do it for you, I do not have any file with a mount rule.

You could try

apparmor_parser -p /etc/apparmor.d/steam

or

grep -r 'mount.*->' /etc/apparmor.d

sudo apparmor_parser /etc/apparmor.d/steam
Error: Could not load profile /var/cache/apparmor/ac27e0ee.0/steam: File exists
apparmor_parser: Unable to add "steam".  Profile already exists
grep -r 'mount.*->' /etc/apparmor.d
/etc/apparmor.d/abstractions/libvirt-lxc:  deny mount options=(ro, remount) -> /,
/etc/apparmor.d/abstractions/libvirt-lxc:  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
/etc/apparmor.d/abstractions/libvirt-lxc:  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
/etc/apparmor.d/abstractions/libvirt-lxc:  mount fstype=fusectl -> /sys/fs/fuse/connections/,
/etc/apparmor.d/abstractions/libvirt-lxc:  mount fstype=securityfs -> /sys/kernel/security/,
/etc/apparmor.d/abstractions/libvirt-lxc:  mount fstype=debugfs -> /sys/kernel/debug/,
/etc/apparmor.d/abstractions/libvirt-lxc:  mount fstype=proc -> /proc/,
/etc/apparmor.d/abstractions/libvirt-lxc:  mount fstype=sysfs -> /sys/,
/etc/apparmor.d/abstractions/passt:  mount options=(rw, runbindable) -> /,
/etc/apparmor.d/abstractions/passt:  mount              ""      -> "/",
/etc/apparmor.d/abstractions/passt:  mount              ""      -> "/tmp/",
/etc/apparmor.d/abstractions/pasta:  mount              ""      -> "/proc/",
/etc/apparmor.d/usr.sbin.virtqemud:  mount options=(rw,rslave)  -> /,
/etc/apparmor.d/usr.sbin.virtqemud:  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
/etc/apparmor.d/usr.sbin.virtqemud:  mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
/etc/apparmor.d/usr.sbin.virtqemud:  mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
/etc/apparmor.d/usr.sbin.virtqemud:  mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
/etc/apparmor.d/usr.sbin.virtqemud:  mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
/etc/apparmor.d/usr.sbin.libvirtd:  mount options=(rw,rslave)  -> /,
/etc/apparmor.d/usr.sbin.libvirtd:  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
/etc/apparmor.d/usr.sbin.libvirtd:  mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
/etc/apparmor.d/usr.sbin.libvirtd:  mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
/etc/apparmor.d/usr.sbin.libvirtd:  mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
/etc/apparmor.d/usr.sbin.libvirtd:  mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,

That is not the command I have suggested.

So here is your file. Now find out where this file comes from and submit bug report for this package.
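An added shell check, not code from the thread, that does the search suggested above and maps each hit to the package that ships the file, so the bug report can name the right package. It assumes the openSUSE layout: profiles under /etc/apparmor.d and rpm as the package manager.

```shell
#!/bin/sh
# Added example: find AppArmor mount rules whose source is the empty word "",
# the form the parser rejects with 'Can't parse mount rule mount "" -> "/"'.

# Print "file:line:rule" for every mount rule with an empty "" source word.
# The directory argument defaults to /etc/apparmor.d (assumed openSUSE layout).
find_empty_mount_rules() {
    dir="${1:-/etc/apparmor.d}"
    # Match optional "audit"/"deny" qualifiers, the keyword "mount", whitespace,
    # an empty quoted word, optional whitespace, then the "->" target marker.
    grep -rnE '^[[:space:]]*((audit|deny)[[:space:]]+)*mount[[:space:]]+""[[:space:]]*->' \
        "$dir" 2>/dev/null
}

# For each offending file print "file<TAB>package". Uses rpm -qf when rpm is
# installed (the assumed package manager); otherwise reports that it is absent.
report_owning_packages() {
    find_empty_mount_rules "$1" | cut -d: -f1 | sort -u | while read -r f; do
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$f" 2>/dev/null) || pkg="(not owned by any package)"
        else
            pkg="(rpm not available)"
        fi
        printf '%s\t%s\n' "$f" "$pkg"
    done
}

# Usage on a real system: report_owning_packages /etc/apparmor.d
```

On the system in this thread the output should point at the abstractions/passt and abstractions/pasta files, and rpm -qf then names the package to file the bug against.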

I think it is the same bug as the one in my op. And apparmor is indeed currently broken, especially since most aa commands return this “mount rule failure”.


This seems like the problem 1226031 – apparmor stops working due to "aa-logprof ERROR: Can't parse mount rule mount "" -> "/","

A fix for that is currently in openqa


wonderful!
