Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 2915 views
failed starting vm with libvirt/qemu permission denied
This is my first time asking a question, so if I can do something better please tell me.
I'm not very good at Linux things; so far I could follow along guides, and the problems I had were easy fixes with some searching, but now I'm stuck.
I have a small home server running Debian Buster. On there I run several VMs with libvirt/qemu. My problem is with a Nextcloud instance:
Yesterday I had a power loss on the system. After rebooting, everything was normal so far.
Then I wanted to start my VMs, and all of them started fine but one. There I get the following error:
```
sudo virsh start mydomain
error: Failed to start domain mydomain
error: internal error: process exited while connecting to monitor:
qemu-system-x86_64: -realtime mlock=off: warning: '-realtime mlock=...' is deprecated, please use '-overcommit mem-lock=...' instead
2022-10-01T13:31:17.160445Z qemu-system-x86_64: -drive file=/path/to/mydomain.snapshot1.snapshot2,format=qcow2,if=none,id=drive-virtio-disk0:
Could not open backing file: Could not open '/path/to/mydomain.snapshot1': Permission denied
```
I created external snapshots following this guide: https://fabianlee.org/2021/01/10/kvm-creating-and-reverting-libvirt-external-snapshots/
And I first thought something was broken with the VM, so I tried to revert to an older snapshot (I have one from only hours before the power loss).
According to the guide, I used these steps to revert:
```sh
# edit hda path back to original qcow2 disk
virt-xml $thedomain --edit target=$targetdisk --disk path=$backingfile --update
# validate that we are now pointing back at original qcow2 disk
virsh domblklist $thedomain
# delete snapshot metadata
virsh snapshot-delete --metadata $thedomain $snapshotname
# delete snapshot qcow2 file
sudo rm $pooldir/$thedomain.$snapshotname
# start guest domain
virsh start $thedomain
```
But after that I still get the same errors, just pointing to the snapshot file.
Also, when I tried to start the VM, the owner and the group of the snapshot file changed from "libvirt-qemu" to "root".
I tried to search for the problem but couldn't find a lot. The closest I found was https://unix.stackexchange.com/questions/435837/how-to-configure-apparmor-so-that-kvm-can-start-guest-that-has-a-backing-file-ch
So it might have something to do with AppArmor. But I'm confused about what changed over the power loss.
But anyway, I tried the suggestions in those posts without an effect.
But it is also possible that something changed through an update and only came into effect after the reboot. So far the server ran quite well and wasn't shut down very often.
Sorry for the long text.
Thanks in advance for any help.
entenbürzel
(1 rep)
Oct 1, 2022, 02:14 PM
• Last activity: Jul 30, 2025, 06:05 AM
1 vote, 1 answer, 30 views
transmission-gtk spamming dmesg with messages about /proc/sys/net/ipv6/conf/all/disable_ipv6
I'm using transmission-gtk 4.1.0-beta.2 on Devuan GNU/Linux Excalibur. My dmesg log is spammed with the following kind of message:
```
[Jul 4 14:47] audit: type=1400 audit(1751629628.491:75895): apparmor="ALLOWED" operation="open"
class="file" profile="transmission-gtk" name="/proc/sys/net/ipv6/conf/all/disable_ipv6"
pid=20126 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
(originally all in one line, I broke it here for readability.)
My network connection does have an IPv6 address (along with IPv4), even though I'm not intentionally making use of it. Anyway, I would like to have transmission-gtk stop trying to mess with it.
Is that possible? If not, can I at least silence the repeating log message? Or get it to show up just once?
---
FYI, on my system, I have:
```
# ls -la /proc/sys/net/ipv6/conf/all/disable_ipv6
-rw-r--r-- 1 root root 0 Jul 4 13:59 /proc/sys/net/ipv6/conf/all/disable_ipv6
```
einpoklum
(10753 rep)
Jul 4, 2025, 11:53 AM
• Last activity: Jul 5, 2025, 09:30 AM
4 votes, 1 answer, 5885 views
Firefox Apparmor Profile
I'm running Ubuntu Mate 19.04. I want to enable AppArmor for Firefox. I found an existing profile in /etc/apparmor.d/usr.bin.firefox, which I enabled by deleting /etc/apparmor.d/disable/usr.bin.firefox.
It is mostly working, but I've noticed one issue. I can't open my downloads from Firefox. I can't even "Open Containing Folder" on a download. Both ask me what application I want to use to perform the action.
Here are the errors I see from Firefox when I run it. The first 4 AppArmor errors happen as soon as I launch Firefox. The last 3 "cannot launch" errors happen when I try to open downloads.
```
** (firefox:6062): WARNING **: 17:58:37.874: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.138" (uid=1000 pid=6062 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6127): WARNING **: 17:58:38.319: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.140" (uid=1000 pid=6127 comm="/usr/lib/firefox/firefox -contentproc -childID 1 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6184): WARNING **: 17:58:38.954: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.141" (uid=1000 pid=6184 comm="/usr/lib/firefox/firefox -contentproc -childID 2 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6253): WARNING **: 17:58:40.358: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.142" (uid=1000 pid=6253 comm="/usr/lib/firefox/firefox -contentproc -childID 3 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (firefox:6062): WARNING **: 17:58:51.217: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
** (firefox:6062): WARNING **: 17:58:51.227: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
** (firefox:6062): WARNING **: 17:58:54.538: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
```
Here is my full policy:
# vim:syntax=apparmor
# Author: Jamie Strandboge
# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox
#include
# We want to confine the binaries that match:
# /usr/lib/firefox/firefox
# /usr/lib/firefox/firefox
# but not:
# /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/arp r,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/[0-9]*/net/wireless r,
dbus (send)
bus=system
path=/org/freedesktop/NetworkManager
member=state,
dbus (receive)
bus=system
path=/org/freedesktop/NetworkManager,
# should maybe be in abstractions
/etc/ r,
/etc/mime.types r,
/etc/mailcap r,
/etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
/etc/xfce4/defaults.list r,
/usr/share/xubuntu/applications/defaults.list r,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/*.desktop r,
owner /tmp/** m,
owner /var/tmp/** m,
owner /{,var/}run/shm/shmfd-* rw,
owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk,
/tmp/.X[0-9]*-lock r,
/etc/udev/udev.conf r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
# let the shell know we launched something
dbus (send)
bus=session
interface=org.gtk.gio.DesktopAppInfo
member=Launched,
/etc/timezone r,
/etc/wildmidi/wildmidi.cfg r,
# firefox specific
/etc/firefox*/ r,
/etc/firefox*/** r,
/etc/xul-ext/** r,
/etc/xulrunner-2.0*/ r,
/etc/xulrunner-2.0*/** r,
/etc/gre.d/ r,
/etc/gre.d/* r,
# noisy
deny @{MOZ_LIBDIR}/** w,
deny /usr/lib/firefox-addons/** w,
deny /usr/lib/xulrunner-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,
deny @{HOME}/.local/share/recently-used.xbel r,
# TODO: investigate
deny /usr/bin/gconftool-2 x,
# These are needed when a new user starts firefox and firefox.sh is used
@{MOZ_LIBDIR}/** ixr,
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/pwd ixr,
/sbin/killall5 ixr,
/bin/which ixr,
/usr/bin/tr ixr,
@{PROC}/ r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/mountinfo r,
@{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
@{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
@{PROC}/sys/vm/overcommit_memory r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/platform/**/uevent r,
/sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
/sys/devices/pci*/**/{,subsystem_}device r,
/sys/devices/pci*/**/{,subsystem_}vendor r,
/sys/devices/system/node/node[0-9]*/meminfo r,
owner @{HOME}/.cache/thumbnails/** rw,
/etc/mtab r,
/etc/fstab r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
/etc/lsb-release r,
/usr/bin/expr ix,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
# about:memory
owner @{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/smaps r,
# Needed for container to work in xul builds
/usr/lib/xulrunner-*/plugin-container ixr,
# allow access to documentation and other files the user may want to look
# at in /usr and /opt
/usr/ r,
/usr/** r,
/opt/ r,
/opt/** r,
# so browsing directories works
/ r,
/**/ r,
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
# per-user firefox configuration
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
owner @{HOME}/.gnome2/firefox* rwk,
owner @{HOME}/.cache/mozilla/{,firefox/} rw,
owner @{HOME}/.cache/mozilla/firefox/** rw,
owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
owner @{HOME}/.config/dconf/user w,
owner /{,var/}run/user/*/dconf/user w,
dbus (send)
bus=session
path=/org/gnome/GConf/Server
member=GetDefaultDatabase
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(label=unconfined),
# gnome-session
dbus (send)
bus=session
path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Inhibit,Uninhibit}
peer=(label=unconfined),
# unity screen API
dbus (send)
bus=system
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Unity/Screen"
member="Introspect"
peer=(label=unconfined),
dbus (send)
bus=system
interface="com.canonical.Unity.Screen"
path="/com/canonical/Unity/Screen"
member={keepDisplayOn,removeDisplayOnRequest}
peer=(label=unconfined),
# freedesktop.org ScreenSaver
dbus (send)
bus=session
path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit,SimulateUserActivity}
peer=(label=unconfined),
# gnome, kde and cinnamon screensaver
dbus (send)
bus=session
path=/{,ScreenSaver}
interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
member=SimulateUserActivity
peer=(label=unconfined),
# UPower
dbus (send)
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(label=unconfined),
#
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.mozilla/**/extensions/** mixr,
deny @{MOZ_LIBDIR}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
# Miscellaneous (to be abstracted)
# Ideally these would use a child profile. They are all ELF executables
# so running with 'Ux', while not ideal, is ok because we will at least
# benefit from glibc's secure execute.
/usr/bin/mkfifo Uxr, # investigate
/bin/ps Uxr,
/bin/uname Uxr,
/usr/bin/lsb_release Cxr -> lsb_release,
profile lsb_release {
#include
#include
/usr/bin/lsb_release r,
/bin/dash ixr,
/usr/bin/dpkg-query ixr,
/usr/include/python2./pyconfig.h r,
/etc/lsb-release r,
/etc/debian_version r,
/usr/share/distro-info/*.csv r,
/var/lib/dpkg/** r,
/usr/local/lib/python3.[0-6]/dist-packages/ r,
/usr/bin/ r,
/usr/bin/python3.[0-6] mr,
# file_inherit
deny /tmp/gtalkplugin.log w,
}
# Addons
#include
# Site-specific additions and overrides. See local/README for details.
#include
}
I tried to allow those ListNames methods myself, but I really have no idea what I am doing. I also tried to run Firefox with aa-genprof, but I never saw these violations pop up while I did that.
Any ideas?
xAptive
(61 rep)
Jul 15, 2019, 10:18 PM
• Last activity: Jun 8, 2025, 01:05 PM
2 votes, 2 answers, 2672 views
How to load apparmor profile for a service that runs in systemd's user space
I have been trying to load an AppArmor profile for a service that runs in systemd's user instance. I have two service files: sample.service for the process, and another, sample-profile-loader.service, which loads its AppArmor profile usr.bin.Sample.
The AppArmor profile loader is placed in /lib/systemd/system and the process's service file is placed in /usr/lib/systemd/user. Both services are enabled.
```ini
[Unit] # sample-profile-loader.service
Before=sample.service
[Service]
Type=oneshot
ExecStart=/use/bin/apparmor-loader.sh /etc/apparmor.d/usr.bin.sample
[Install]
WantedBy=multi-user.target
```

```ini
[Unit] # sample.service
Requires=sample-profile-loader.service
After=sample-profile-loader.service
[Service]
Type=simple
ExecStart=/usr/bin/sample
[Install]
WantedBy=multi-user.target
```
After the first boot, when I check aa-status, the profile is loaded. But when I do a `systemctl restart sample.service --user`, I get an error message: "Failed to start sample.service. Unit sample-profile-loader.service failed to load. No such file or directory"
I have been going through Google for a solution to this, but haven't found one yet. It would be really good if you could give me any suggestion.
delver
(21 rep)
Aug 22, 2019, 01:32 PM
• Last activity: May 31, 2025, 11:03 AM
7 votes, 2 answers, 6969 views
AppArmor Profile: Deny internet access
I want to deny the internet permission for some applications. Therefore, I tried first to deny the internet permission for ping, but it doesn't work.
Here is the profile, `/etc/apparmor.d/bin.ping`:
```
/{usr/,}bin/ping {
#include
# block ipv4 access
deny network inet,
# ipv6
deny network inet6,
# raw socket
deny network raw,
}
```
But the pinging still happens after restarting AppArmor with `/etc/init.d/boot.apparmor restart`:
```
ping google.de
PING google.de (64.15.112.99) 56(84) bytes of data.
64 bytes from cache.google.com (64.15.112.99): icmp_seq=1 ttl=57 time=11.8 ms
64 bytes from cache.google.com (64.15.112.99): icmp_seq=2 ttl=57 time=15.3 ms
```
EDIT:
I forgot to mention that I'm running OpenSuse 13.1.
bonanza
(231 rep)
Jun 8, 2014, 04:43 PM
• Last activity: May 29, 2025, 11:11 PM
0 votes, 0 answers, 28 views
How can I configure AppArmor to never log APPROVED messages in dmesg?
My `dmesg` is full of apparmor="ALLOWED" messages.
I want to get rid of them, and only be told in the logs about "DENIED" AppArmor events.
How do I do that...
* universally?
* for a specific app's profile?
einpoklum
(10753 rep)
May 24, 2025, 09:16 AM
1 vote, 0 answers, 47 views
Getting a large number of type=1400 apparmor=ALLOWED dmesg lines
My dmesg log is littered with the following kind of lines:
```
[ +0.000009] audit: type=1400 audit(1745688898.020:223710): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/usr/local/share/icons/hicolor/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ +0.000004] audit: type=1400 audit(1745688898.020:223711): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/usr/share/icons/hicolor/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ +0.000016] audit: type=1400 audit(1745688898.020:223712): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/usr/share/nemo/icons/hicolor/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ +0.000004] audit: type=1400 audit(1745688898.020:223713): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/home/joeuser/.local/share/icons/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ +0.000003] audit: type=1400 audit(1745688898.020:223714): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/home/joeuser/.icons/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ +8.605953] kauditd_printk_skb: 40 callbacks suppressed
[ +0.000002] audit: type=1400 audit(1745688906.628:223755): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/home/joeuser/.local/share/mime/mime.cache" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1
```
Am I correct in assuming that this is nothing to worry about? And if that's the case, how do I suppress these gratuitous messages?
einpoklum
(10753 rep)
Apr 26, 2025, 06:08 PM
0 votes, 1 answer, 270 views
"Permission Denied" when trying to use an externally launched virtiofsd with libvirt on Ubuntu LTS 24.04
On Ubuntu LTS 24.04 Server, with a libvirt-managed QEMU virtual machine, I'm trying to use an externally-launched virtiofsd [as documented in the libvirt docs](https://libvirt.org/kbase/virtiofs.html#externally-launched-virtiofsd), because I need to enable features, such as `--posix-acl`, not supported by libvirt's virtiofsd config. However, whichever permissions, owner, and group I set on the virtiofsd socket, my virtual machine cannot use it, always failing with "Permission Denied":
```
$ virsh start my-vm
error: Failed to start domain 'my-vm'
error: internal error: process exited while connecting to monitor: 2025-02-07T02:00:44.288580Z qemu-system-x86_64: -chardev socket,id=chr-vu-fs0,path=/run/my-virtiofsd.sock: Failed to connect to '/run/my-virtiofsd.sock': Permission denied
```
How can I fix it?
John de Largentaye
(101 rep)
Feb 7, 2025, 11:37 PM
• Last activity: Feb 7, 2025, 11:43 PM
2 votes, 1 answer, 768 views
unprivileged_userns_apparmor_policy - what does it do?
I am developing some AppArmor profiles, and came across the kernel flag `unprivileged_userns_apparmor_policy`, but I cannot find any documentation about it. Does anyone know what it does? I wonder if it might be helpful to me because I am writing AppArmor policies for apps that can use unprivileged user namespaces and I don't want those apps to be able to use a mount namespace to get around the AppArmor profile's file permission restrictions.
schmeg
(31 rep)
Mar 7, 2023, 10:00 PM
• Last activity: Jan 20, 2025, 11:33 AM
0 votes, 0 answers, 112 views
Weird apparmor unix socket denial for sudo
I have a custom SSH server written in Go that wraps commands called by the client in AppArmor.
One of the profiles confines sudo and what commands it can call. It started failing on a Proxmox Backup Server and not on any other Debian server.
I have tried several combinations of allowed permissions for unix sockets, but always get the same denied behavior, even with extremely open permissions:
```
Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40367 comm="sudo" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40376 comm="sudo" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
```
I have attempted the following combinations:
```
network unix stream,
network unix dgram,
network unix stream,
network unix dgram,
unix (create) type=stream,
unix (create) type=dgram,
unix (create) type=stream,
unix (create) type=dgram,
unix,
network unix,
```
Here is the entire profile, called by `/usr/bin/sudo rmpx -> clientSudo,`:
profile clientSudo flags=(enforce) {
# Read self
/usr/bin/sudo rm,
/ r,
# Capabilities
capability sys_resource,
capability setuid,
capability setgid,
capability audit_write,
capability chown,
network netlink raw,
network unix,
network unix stream,
network unix dgram,
network inet dgram,
network inet6 dgram,
unix (create) type=stream,
unix (create) type=dgram,
# Allow file manipulation
/usr/bin/ls rmpx -> fileops,
/usr/bin/rm rmpx -> fileops,
/usr/bin/mv rmpx -> fileops,
/usr/bin/cp rmpx -> fileops,
/usr/bin/ln rmpx -> fileops,
/usr/bin/rmdir rmpx -> fileops,
/usr/bin/mkdir rmpx -> fileops,
/usr/bin/chown rmpx -> fileops,
/usr/bin/chmod rmpx -> fileops,
/usr/bin/sha256sum rmpx -> fileops,
# /proc accesses
/proc/stat r,
/proc/filesystems r,
/proc/sys/kernel/cap_last_cap r,
/proc/sys/kernel/ngroups_max rw,
/proc/sys/kernel/seccomp/actions_avail r,
/proc/1/limits r,
/proc/@{pid}/stat r,
owner /proc/@{pid}/mounts r,
owner /proc/@{pid}/status r,
# /run accesses
/run/ r,
/run/sudo/ r,
/run/sudo/ts/{,*} rwk,
# /usr accesses
/usr/share/zoneinfo/** r,
/usr/lib/locale/locale-archive r,
/usr/sbin/unix_chkpwd rmix,
# Not necessary, additional attack surface
deny /usr/sbin/sendmail rmx,
# /etc accesses
/etc/login.defs r,
/etc/ld.so.cache r,
/etc/locale.alias r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/{,*} r,
/etc/pam.d/other r,
/etc/pam.d/sudo r,
/etc/pam.d/common-auth r,
/etc/pam.d/common-account r,
/etc/pam.d/common-session-noninteractive r,
/etc/pam.d/common-session r,
/etc/pam.d/common-password r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
/etc/resolv.conf r,
/etc/gai.conf r,
# /dev accesses
/dev/tty rw,
/dev/null rw,
## Libraries needed for sudo - lib versions are wildcarded
/usr/lib/*-linux-gnu*/ld-linux-x86-64.so.* r,
/usr/lib/*-linux-gnu*/libaudit.so.* rm,
/usr/lib/*-linux-gnu*/libselinux.so* rm,
/usr/lib/*-linux-gnu*/libc.so* rm,
/usr/lib/*-linux-gnu*/libcap-ng.so.* rm,
/usr/lib/*-linux-gnu*/libpcre*.so.* rm,
/usr/lib/*-linux-gnu*/libpam.so.* rm,
/usr/lib/*-linux-gnu*/libz.so.* rm,
/usr/lib/*-linux-gnu*/libm.so.* rm,
/usr/libexec/sudo/libsudo_util.so.* rm,
/usr/libexec/sudo/sudoers.so rm,
/usr/lib/*-linux-gnu*/libnss_systemd.so.* rm,
/usr/lib/*-linux-gnu*/libcap.so.* rm,
/usr/lib/*-linux-gnu*/security/pam_limits.so rm,
/usr/lib/*-linux-gnu*/security/pam_unix.so rm,
/usr/lib/*-linux-gnu*/security/pam_deny.so rm,
/usr/lib/*-linux-gnu*/security/pam_permit.so rm,
/usr/lib/*-linux-gnu*/security/pam_systemd.so rm,
/usr/lib/*-linux-gnu*/libcrypt.so.* rm,
/usr/lib/*-linux-gnu*/libpam_misc.so.* rm,
/usr/lib/*-linux-gnu*/gconv/gconv-modules.cache r,
/usr/lib/*-linux-gnu*/gconv/gconv-modules r,
/usr/lib/*-linux-gnu*/gconv/gconv-modules.d/ r,
}
I would guess that the error `failed type and protocol match` is specifically referring to the `protocol=0`.
But protocol 0 is not something AppArmor recognizes in the profile syntax.
Is there a way to debug what permission exactly for unix sockets sudo is attempting?
AppArmor complain mode shows lines identical to the denied ones above.
Or is this a limitation of AppArmor, and sudo is trying to do something with unix sockets that is not supported? It is strange that this happens with Proxmox but not Debian, which kind of makes me think it might be the kernel version Proxmox is using?
Can anyone shed some light on this?
bdrun33
(1 rep)
Dec 29, 2024, 09:56 PM
0 votes, 1 answer, 409 views
AppArmor message spam about Discord snap in my kernel ring buffer
So I was trying to debug some stuff, and noticed that my snap installation of Discord seems to fill my kernel ring buffer with the same request, which is being "DENIED" by AppArmor.
Message in question:
```
[ 1044.201470] audit: type=1400 audit(1732616387.440:44954): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201478] audit: type=1400 audit(1732616387.440:44955): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201491] audit: type=1400 audit(1732616387.440:44956): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201499] audit: type=1400 audit(1732616387.440:44957): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201514] audit: type=1400 audit(1732616387.440:44958): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201522] audit: type=1400 audit(1732616387.440:44959): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201535] audit: type=1400 audit(1732616387.440:44960): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
```
(The spam is at a point where it's very difficult to find any message which isn't this one...)
I was wondering if people know what might cause this, and if this is harmful behaviour I should seek to fix (my machine has been a bit unstable, but I'm still unsure if that's a hardware or a software issue...).
Brendan Mesters
(111 rep)
Nov 26, 2024, 10:28 AM
• Last activity: Nov 26, 2024, 10:52 AM
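The transmission-gtk, nemo, sudo and Discord questions above all quote the same AppArmor audit record format (key=value fields after the dmesg or syslog prefix). The parser below is an added example, not code from any of the posts: it extracts those fields, distinguishes complain-mode ALLOWED records (the profile let the access through but would block it in enforce mode) from enforce-mode DENIED ones, and summarises by profile, operation and target so the noisy profile can be identified before any logging is silenced. All sample lines are constructed, modelled on the formats quoted on this page.

```python
"""Summarise AppArmor audit records (dmesg / syslog / auditd) by verdict."""
import re
from collections import Counter

# key=value tokens: values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit(<epoch seconds>:<serial>) framing emitted by the kernel audit subsystem.
_AUDIT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed sample input modelled on the log lines quoted in the questions above.
SAMPLE_LINES = [
    '[ +0.000009] audit: type=1400 audit(1745688898.020:223710): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/bin/nemo" name="/usr/share/icons/hicolor/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[ +0.000004] audit: type=1400 audit(1745688898.020:223711): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/bin/nemo" name="/home/joeuser/.icons/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40367 comm="sudo" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none',
    'Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40376 comm="sudo" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none',
    '[ 1044.201470] audit: type=1400 audit(1732616387.440:44954): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"',
    '[ 1044.201478] audit: type=1400 audit(1732616387.440:44955): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"',
    'kern :notice: [ 2796.520853] audit: type=1400 audit(1726516456.671:264): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=32148 comm="code" capability=21 capname="sys_admin"',
    'kern :notice: [ 2796.519919] audit: type=1400 audit(1726516456.670:263): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=32146 comm="code" requested="userns_create" target="unprivileged_userns"',
    '[ +8.605953] kauditd_printk_skb: 40 callbacks suppressed',  # not an AppArmor record
]


def parse_apparmor_record(line):
    """Return the key=value fields of one AppArmor audit line, or None.

    Handles both the "type=1400 audit(...)" (dmesg/auditd) and the "audit: AVC"
    (syslog) framings: everything before the first 'apparmor=' token is treated
    as transport prefix and ignored. Quoted values are unquoted.
    """
    idx = line.find("apparmor=")
    if idx < 0:
        return None
    rec = {}
    for key, value in _KV_RE.findall(line[idx:]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rec[key] = value
    m = _AUDIT_RE.search(line)
    if m:  # present in kernel-audit framing, absent in the bare syslog "AVC" form
        rec["audit_ts"], rec["audit_serial"] = m.group(1), m.group(2)
    return rec


def _target(rec):
    """Best-effort description of what was accessed, chosen by record class."""
    cls = rec.get("class")
    if cls == "file":
        return rec.get("name", "?")
    if cls == "net":
        return f'{rec.get("family", "?")}/{rec.get("sock_type", "?")}'
    if cls == "cap":
        return rec.get("capname", "?")
    if cls in ("ptrace", "signal"):
        return f'peer={rec.get("peer", "?")}'
    return rec.get("name") or rec.get("target") or "?"


def summarise(lines):
    """Count records keyed by (verdict, profile, operation, target)."""
    counts = Counter()
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec is None:
            continue
        counts[(rec.get("apparmor"), rec.get("profile"),
                rec.get("operation"), _target(rec))] += 1
    return counts


def triage(counts):
    """Split the summary into enforce-mode denials, complain-mode leaks, and audits.

    apparmor="DENIED":  an enforce-mode profile blocked the access.
    apparmor="ALLOWED": a complain-mode profile let it through, but the policy
                        would deny it in enforce mode, i.e. a rule is missing.
    apparmor="AUDIT":   an explicitly audited (permitted) access.
    Entries are sorted by descending count, then by key, so the noisiest come first.
    """
    ordered = sorted(counts.items(),
                     key=lambda kv: (-kv[1], tuple(str(x) for x in kv[0])))
    return {
        "denied": [kv for kv in ordered if kv[0][0] == "DENIED"],
        "complain_mode": [kv for kv in ordered if kv[0][0] == "ALLOWED"],
        "audited": [kv for kv in ordered if kv[0][0] == "AUDIT"],
    }


if __name__ == "__main__":
    for bucket, entries in triage(summarise(SAMPLE_LINES)).items():
        print(bucket)
        for (_verdict, profile, op, target), n in entries:
            print(f"  {n:4d}  {profile}  {op}  {target}")
```

To run it on a live system, feed it the output of `dmesg` or `journalctl -k` line by line instead of SAMPLE_LINES; the "callbacks suppressed" lines show that the kernel already rate-limits, so counts from dmesg are a lower bound.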
0 votes, 0 answers, 327 views
How do I get my AppArmor profiles to work like they did in Ubuntu 22?
Until recently I was using Ubuntu 22. Being a paranoid sort, I like to have my stuff sandboxed. So I was running VS Code as a different user through 0install (`0install run https://apps.0install.net/gui/vs-code.xml`). I had to jump through a few hoops: set the `DISPLAY` environment variable, and copy the magic cookie to the other user (with `xauth extract - "$DISPLAY"` and `xauth merge -`). But I was happy to pay that price.
Then came Ubuntu 24. Now, when I try to run the 0install command, nothing happens and it exits with code 0. With the `--verbose` argument I get this:

```text
[32146:0916/205416.674638:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/kevin/.cache/0install.net/implementations/sha256new_PLTHUJ6DVZ2RVZROAUFY7ANZGID5GEFNTKSAPKK4523ZXWBWZGZA/chrome-sandbox is owned by root and has mode 4755.
```

(That file is owned by kevin and has mode 555.)
The internet tells me that this is something to do with the change to AppArmor settings in Ubuntu 24 ( https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#security-improvements , section "Security Improvements"). I've seen a few different suggestions of how to relax the security requirements, but I don't understand AppArmor well enough to convince myself that any of them are still sufficiently sandboxed.
At the same time, messages appear in the dmesg log:
```text
kern :notice: [ 2796.519919] audit: type=1400 audit(1726516456.670:263): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=32146 comm="code" requested="userns_create" target="unprivileged_userns"
kern :notice: [ 2796.520853] audit: type=1400 audit(1726516456.671:264): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=32148 comm="code" capability=21 capname="sys_admin"
kern :info : [ 2796.524131] traps: code trap int3 ip:609f9bb5c60a sp:7fff27a839d0 error:0 in code[609f9832c000+7e11000]
```
I don't fully understand what these logs mean, and I haven't found docs anywhere. It looks like it's failing to invoke the "sys_admin" capability. According to `man capabilities`, "sys_admin" is an overused capability; maybe this is an example of it being used where a more specific capability would be more appropriate. In any case I don't want to grant my process such sweeping powers.
I don't know why it needs to do a permission check. The only reason I can think of is that X11 requires it. I also tried `xhost` without success. I'll give more details on that if you think X11 is the culprit.
UPDATE: VS Code Portable Mode ( https://code.visualstudio.com/docs/editor/portable ) does exactly the same thing.
David Knipe
(111 rep)
Sep 20, 2024, 08:00 PM
• Last activity: Oct 24, 2024, 10:43 PM
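On Ubuntu 24.04 the narrowest way past this is the per-application profile pattern the release notes describe: a profile with `flags=(unconfined)` whose only effect is the `userns,` permission. The kernel then lets that one executable create an unprivileged user namespace without transitioning it into the `unprivileged_userns` profile (which is where the `capable ... sys_admin` denial above comes from), while every other program stays restricted, unlike the global `kernel.apparmor_restrict_unprivileged_userns=0` sysctl. The script below is an added example, not from the question, from 0install or from VS Code. The attachment path is guessed from the path in the FATAL message and has to point at the real `code` executable (a `*` matches one path component, which fits the `sha256new_...` directory); the profile name `vscode-0install` is made up.

```shell
#!/bin/sh
# Grant one executable the right to create unprivileged user namespaces on
# Ubuntu 24.04 via an AppArmor profile, instead of flipping the global sysctl
# or making chrome-sandbox setuid root. Added example, not from the post.
set -eu

# Assumed from the error message in the question; adjust to the real binary.
APP_PATH="${APP_PATH:-/home/kevin/.cache/0install.net/implementations/*/code}"
PROFILE_NAME="${PROFILE_NAME:-vscode-0install}"

# Print the profile text. flags=(unconfined) means the process itself stays
# unconfined; the only thing the profile adds is the userns permission, so
# the Electron setuid helper is no longer needed for its sandbox.
render_profile() {
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $PROFILE_NAME $APP_PATH flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$PROFILE_NAME>
}
EOF
}

# Write the profile and load it into the kernel (needs root).
install_profile() {
    render_profile > "/etc/apparmor.d/$PROFILE_NAME"
    apparmor_parser -r "/etc/apparmor.d/$PROFILE_NAME"
    # Confirm it is loaded: the name should now appear in aa-status output.
    aa-status | grep -F "$PROFILE_NAME"
}

case "${1:-}" in
    --install) install_profile ;;
    *)         render_profile ;;   # dry run: only show what would be written
esac
```

Run it without arguments to inspect the profile, then `sudo sh userns-profile.sh --install`; afterwards `dmesg | grep userns_create` should stop showing the transition for that binary. Anything not matched by `$APP_PATH` is still subject to the default restriction.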
2
votes
1
answers
642
views
Debian 12 App Armor Enabled but aa-status does not work. Why?
I've installed Debian 12 Bookworm recently and, as far as I could read about a fresh installation, it comes with app-armor pre-installed by default. I'm running the command `aa-status` as root but it's returning: `bash: aa-status: command not found`. I know aa-status is part of apparmor-utils. And that's installed too.
Being more precise, the return of `apt list --installed | grep apparmor` here lies in:

```text
apparmor-profiles/stable,stable,now 3.0.8-3 all [installed]
apparmor-utils/stable,stable,now 3.0.8-3 all [installed]
apparmor/stable,now 3.0.8-3 amd64 [installed]
libapparmor1/stable,now 3.0.8-3 amd64 [installed]
python3-apparmor/stable,stable,now 3.0.8-3 all [installed,automatic]
python3-libapparmor/stable,now 3.0.8-3 amd64 [installed,automatic]
```
Once I "ask" systemctl about apparmor with `systemctl status apparmor` it "says":

```text
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
Active: active (exited) since Thu 2024-07-25 08:39:48 -03; 5min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 978 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 978 (code=exited, status=0/SUCCESS)
CPU: 359ms
Jul 25 08:39:48 mypc systemd: Starting apparmor.service - Load AppArmor profiles...
Jul 25 08:39:48 mypc apparmor.systemd: Restarting AppArmor
Jul 25 08:39:48 mypc apparmor.systemd: Reloading AppArmor profiles
Jul 25 08:39:48 mypc systemd: Finished apparmor.service - Load AppArmor profiles.
```
I've also noticed the `Finished apparmor.service - Load AppArmor profiles.` but do not know what it means. Do I need a profile to get it running properly? Does it not come with default profiles? Could you help me to understand it better?
Thanks in advance!
Neto Araujo
(43 rep)
Jul 25, 2024, 12:56 PM
• Last activity: Jul 25, 2024, 04:45 PM
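"command not found" as root and "not installed" are two different things, and on Debian the usual reason for the first one is a plain `su` (without `-`), which keeps the calling user's PATH and therefore has no sbin directories on it; `aa-status` lives in `/usr/sbin` and on Debian is shipped by the `apparmor` package. The script below is an added example, not part of the question: it looks for the tool in the standard bin/sbin directories regardless of PATH, and reads the kernel's own AppArmor switch from sysfs, which any user can do without `aa-status` at all. Only standard Debian paths are assumed.

```shell
#!/bin/sh
# Diagnose "aa-status: command not found" as root. Added example, not from
# the post. Two checks that do not depend on PATH:
#   1. is the binary present in a sbin directory (a plain "su" keeps the
#      caller's PATH, which has no sbin entries; "su -" or "sudo -i" sets
#      a root PATH that does)
#   2. is AppArmor enabled in the running kernel (readable by any user)

# find_tool <name> [dir:list] -> prints the first executable match, exit 1 if none
find_tool() {
    name=$1
    dirs=${2:-/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin}
    ( IFS=:
      for d in $dirs; do
          if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
              printf '%s\n' "$d/$name"
              exit 0
          fi
      done
      exit 1 )
}

# aa_kernel_enabled -> "Y", "N" or "unknown" (no AppArmor module, or not Linux)
aa_kernel_enabled() {
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        cat /sys/module/apparmor/parameters/enabled
    else
        echo unknown
    fi
}

diagnose() {
    tool=${1:-aa-status}
    echo "PATH=$PATH"
    if command -v "$tool" >/dev/null 2>&1; then
        echo "$tool is on PATH: $(command -v "$tool")"
    elif p=$(find_tool "$tool"); then
        echo "$tool is installed at $p but that directory is not on PATH"
        echo "  -> run it as $p, or become root with 'su -' / 'sudo -i'"
    else
        echo "$tool is not installed in any standard bin/sbin directory"
        echo "  -> on Debian 'dpkg -S /usr/sbin/$tool' names the package (aa-status: apparmor)"
    fi
    echo "AppArmor enabled in kernel: $(aa_kernel_enabled)"
}

diagnose "$@"
```

`sh aa-where.sh` checks `aa-status`; pass another name to check a different tool. Once the tool is found, `sudo /usr/sbin/aa-status` lists the loaded profiles; the `apparmor-profiles` package shown in the question provides extra profiles, but the `apparmor.service` output already says the default set was loaded.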
1
votes
0
answers
238
views
AppArmor deny all files except specific
I want a AppArmor profile which denies a binary access to all files except .so-files/libraries and specific directories which it need access to.
```text
#include
/home/test/rust-api/target/debug/python-executor flags=(complain) {
  # deny all outgoing network requests.
  deny network inet,
  deny network inet6,
  deny network tcp,
  deny network udp,
  # deny writing and executing all files.
  deny /** rwkx,
  # allow .so files (shared libraries).
  allow /**.so* mr,
  # allow files for smem and unix sockets.
  allow /home/test/rust-api/tmp/** rwk,
  allow /home/test/rust-api/tmp/sockets/** rwk,
  # allow reading python scripts in trading_algos.
  allow /home/test/rust-api/trading_algos/** r,
}
```

I thought I could just do `deny /** rwkx` to deny all files and later specify what files to allow. But still AppArmor denies access to all files.
O'Niel
(169 rep)
Feb 12, 2024, 12:57 AM
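The two AppArmor rules that decide this case: a profile is default-deny, so anything not matched by an allow rule is already refused, and an explicit `deny` rule always takes precedence over an allow rule that overlaps it, so `deny /** rwkx,` can never be carved back open by later `allow` lines. The script below is an added example, not the poster's profile: it writes the same policy without that line (shared libraries get `mr`, since mapping a library executable needs `m` on top of `r`), loads it with `apparmor_parser -C` so the first run only logs what is still missing as `ALLOWED`, and switches to enforce once the log is clean. The paths are the ones from the question; `include <abstractions/base>` (libc, `/dev/null`, the loader cache) and the single `deny network,` are my additions, the latter kept explicit because an explicit deny also keeps the audit log quiet.

```shell
#!/bin/sh
# Allow-list profile for the python-executor binary from the question.
# Added example. AppArmor refuses anything not allowed, so no "deny /**"
# is needed; deny rules only (a) override an allow that would otherwise
# match and (b) silence the audit log for an expected, wanted denial.
set -eu

BIN=/home/test/rust-api/target/debug/python-executor
PROFILE=/etc/apparmor.d/home.test.rust-api.target.debug.python-executor

render_profile() {
    cat <<EOF
abi <abi/3.0>,
include <tunables/global>

$BIN {
  include <abstractions/base>

  # no network at all; the explicit deny keeps the log quiet
  deny network,

  # shared libraries need m (mmap PROT_EXEC) as well as r
  /**.so*                                  mr,

  # shared memory and unix sockets under tmp
  /home/test/rust-api/tmp/**               rwk,
  /home/test/rust-api/tmp/sockets/**       rwk,

  # python scripts are read only; no x anywhere, so nothing can be executed
  /home/test/rust-api/trading_algos/**     r,
}
EOF
}

install_complain() {
    render_profile > "$PROFILE"
    # -C forces complain mode whatever the file says, so the first run logs
    # what the binary still needs instead of breaking it
    apparmor_parser -r -C "$PROFILE"
    echo "loaded in complain mode; exercise the binary, then look for:"
    echo "  journalctl -k | grep 'apparmor=\"ALLOWED\"' | grep python-executor"
}

enforce() {
    aa-enforce "$PROFILE"
    aa-status | grep -F "$BIN"
}

case "${1:-}" in
    --complain) install_complain ;;
    --enforce)  enforce ;;
    *)          render_profile ;;     # dry run: print the profile
esac
```

Each `ALLOWED` line during the complain phase is an access the allow list still lacks (the interpreter, `/proc` entries, locale files and the like are common ones); add those, reload, and only then `--enforce`.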
0
votes
2
answers
1651
views
AppArmor Error preventing removing AA, Repairing AA or install new apps with Apt
AppArmor is causing problems with my system. I have AppArmor disabled now because it was preventing me from booting. I am unable to install new apt apps. When I try anyway I get...

```text
E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem.
```

When I run that command I get...

```text
Reloading AppArmor profiles
```

It just sits there until I reboot. When I try to remove AppArmor I get a similar message. This is preventing me from adding new apps and from upgrading existing apps.
From LSB-RELEASE:

```text
DISTRIB_ID=neon
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="KDE neon 5.27"
```
What can I do to solve this?
Rick Knight
(19 rep)
Jan 7, 2024, 06:54 PM
• Last activity: Jan 22, 2024, 09:49 PM
0
votes
0
answers
456
views
capabilities in AppArmor profile vs extended attributes
I'm trying to understand AppArmor capabilities at the moment. I found an example which had me make a copy of `/bin/ping` and generate an AppArmor profile for it.
First I made a copy of `/bin/ping` and set its `net_raw` capability to `permitted` and `effective` per the instructions:

```shell
sudo cp /bin/ping /bin/fake_ping
sudo setcap cap_net_raw+ep /bin/fake_ping
```

Then I generated an AppArmor profile:

```shell
sudo aa-genprof /bin/fake_ping
```

The AppArmor profile is saved in enforce mode; everything works. After that I unset the `net_raw` capability:

```shell
sudo setcap cap_net_raw-ep /bin/fake_ping
```

As expected, it doesn't work now due to this missing capability:

```text
fake_ping: socktype: SOCK_RAW
fake_ping: socket: Operation not permitted
fake_ping: => missing cap_net_raw+p capability or setuid?
```
-----------
**My question:** the newly generated AppArmor profile already contains `capability net_raw`, so why doesn't it work without `cap_net_raw=ep` set in the extended attributes? How is it different?
xycainoff
(23 rep)
Aug 10, 2023, 12:29 PM
• Last activity: Oct 21, 2023, 06:43 PM
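The point this experiment demonstrates is that a raw socket has to pass two independent gates. The kernel's ordinary capability check runs first: the process must hold CAP_NET_RAW in its effective set, which it gets from file capabilities (`setcap cap_net_raw+ep`), from being root, or from a setuid binary. Only if that passes does the LSM, AppArmor here, get to allow or deny the use of the capability. A `capability net_raw,` line in a profile therefore stops the profile from taking the capability away from a process that has it; it never adds one, which is why the `ep` bits and the profile rule are both needed. The script below is an added example, not from the question: it reads `CapEff` and the LSM label of a process straight from `/proc`, so it works for any pid you may inspect; 13 is CAP_NET_RAW's bit number from `<linux/capability.h>`.

```shell
#!/bin/sh
# cap_gates.sh: show the two gates a process must pass to open a raw socket.
# Added example, not from the question.
#   gate 1 (kernel capability check): CAP_NET_RAW must be in CapEff
#   gate 2 (AppArmor, only if the process is confined): the profile must
#           not deny "capability net_raw"
# Usage: sh cap_gates.sh [pid]      (default: this shell)

CAP_NET_RAW=13     # bit number from <linux/capability.h>

# cap_has_bit <64-bit hex mask> <bit>  -> exit 0 if the bit is set
cap_has_bit() {
    mask=$1; bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# proc_cap_eff <pid> -> effective capability mask of that process
proc_cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# lsm_label <pid> -> confinement label as the LSM reports it, for AppArmor
# "unconfined" or e.g. "/bin/fake_ping (enforce)"; "n/a" if not available
lsm_label() {
    cat "/proc/$1/attr/apparmor/current" 2>/dev/null \
    || cat "/proc/$1/attr/current" 2>/dev/null \
    || echo "n/a"
}

check_gates() {
    pid=${1:-$$}
    if [ ! -r "/proc/$pid/status" ]; then
        echo "cannot read /proc/$pid/status" >&2
        return 1
    fi
    eff=$(proc_cap_eff "$pid")
    if cap_has_bit "$eff" "$CAP_NET_RAW"; then
        echo "pid $pid  CapEff=$eff  net_raw: HELD (gate 1 passes)"
    else
        echo "pid $pid  CapEff=$eff  net_raw: MISSING (gate 1 fails before AppArmor is asked)"
        echo "   give it back with: setcap cap_net_raw+ep <binary>   (or run as root)"
    fi
    echo "pid $pid  LSM label: $(lsm_label "$pid")"
    echo "   gate 2 applies only when the label is a profile; 'capability net_raw,'"
    echo "   there permits use of a capability the process already holds"
}

check_gates "$@"
```

Run the copied ping under `strace -f -e trace=socket ./fake_ping ...` in the background and point the script at its pid to see both lines for the real process; with the `ep` bits removed the first gate reports MISSING and no AppArmor denial is ever logged, because the LSM hook was never reached.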
0
votes
1
answers
311
views
How to allow an application in AppArmor?
I am using `redshift`, which has support for custom shell scripts in hooks when certain events happen. However, these hooks are not executed because of AppArmor:

```text
[11541.395814] audit: type=1400 audit(1696093800.648:39): apparmor="DENIED" operation="exec" profile="/usr/bin/redshift" name="/home/philipp/.config/redshift/hooks/test-hook" pid=15384 comm="redshift" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
```
How can I make this work? I searched online, but did not find a satisfying, simple solution.
I am only using AppArmor because it is installed by default in Debian. If the best solution is to uninstall it, that’s fine with me.
Philipp Ludwig
(412 rep)
Sep 30, 2023, 05:52 PM
• Last activity: Oct 1, 2023, 06:30 PM
1
votes
0
answers
459
views
AppArmor issues with Libvirt
I have a fresh Ubuntu Server 22.04.3 and Debian 12.1.0 installed and updated, along with Cockpit and Cockpit virtual machines on both test machines.
I am getting the following errors and warnings when looking at the log section in Cockpit:

```text
Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied libvirtd
Failed to open file '/sys/kernel/security/apparmor/profiles': Permission denied libvirtd
Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied libvirtd
Failed to open file '/sys/kernel/security/apparmor/profiles': Permission denied libvirtd
```

The virtual machines start up and have no issues. However, the errors pop up after every reboot once I click the virtual machines section in Cockpit. These errors only show then, and not when I do NOT go to the virtual machines section in Cockpit. So it seems to only start once you go to that section in Cockpit.
The `/etc/apparmor.d/usr.sbin.libvirtd` does have the line:

```text
/sys/kernel/security/apparmor/profiles r,
```

My user has also been added to the groups `libvirt`, `kvm` and `sudo`.
Also, when running the following command without `sudo` and not as root on the terminal, I also get a permission denied. I checked the folder permissions and it does have read permissions and belongs to the group root:

```shell
cat /sys/kernel/security/apparmor/profiles
```

Has anyone else experienced this issue? Any solution to get it fixed with or without disabling AppArmor for KVM? Or can the errors be safely ignored?
Johannes
(11 rep)
Aug 15, 2023, 09:13 AM
• Last activity: Aug 17, 2023, 10:57 AM
26
votes
3
answers
43767
views
Why am I getting apparmor error messages in the syslog about NTP and LDAP?
On my newly installed Ubuntu 12.04 machine, with `ntp` and `slapd` installed, the following messages appear in `/var/log/syslog` at regular intervals:
> _Feb 23 18:54:07 my-host kernel: [ 24.610703] type=1400 audit(1393181647.872:15): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=1526 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0_
I've searched, but can't find any info on what may be causing these messages and how to fix the problem. Can anyone shed any light on what's causing this and what to do about it?
FixMaker
(867 rep)
Feb 23, 2014, 07:05 PM
• Last activity: Aug 9, 2023, 02:24 PM
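Every `apparmor="DENIED"` record on this page (the discord ptrace flood, the `capable`/`sys_admin` line from the VS Code question, the redshift hook `exec`, and this ntpd read of `/etc/ldap/ldap.conf`) has the same shape: `key=value` pairs that name the profile, the operation, the object and the mask that was refused, which is exactly what a profile rule needs. The script below is an added example, not from any of the posts and not `aa-logprof`, though it is a small hand-rolled subset of what that tool does: it parses such lines from `dmesg`, `journalctl -k` or a log file, counts identical denials so a flood collapses to one line, and prints the rule each denial is asking for. The sample lines are copied from the questions above (constructed input for the demo); the rule templates are mine, and for `exec` the script proposes `ix` (run under the same profile) as the conservative choice, with `px`/`Px`/`cx`/`Cx` as the alternatives to weigh.

```shell
#!/bin/sh
# aa_triage.sh: summarise AppArmor DENIED records and print the profile rule
# each one asks for. Added example; a hand-rolled subset of aa-logprof.
# Usage:  dmesg | sh aa_triage.sh -        journalctl -k -o cat | sh aa_triage.sh -
#         sh aa_triage.sh /var/log/kern.log sh aa_triage.sh --sample

# Constructed sample: the denial lines quoted in the questions on this page,
# with the discord line repeated to show aggregation. The apparmor="AUDIT"
# line is there to show that non-denials are skipped.
sample_lines() {
    cat <<'EOF'
[ 1044.201491] audit: type=1400 audit(1732616387.440:44956): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201499] audit: type=1400 audit(1732616387.440:44957): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1044.201514] audit: type=1400 audit(1732616387.440:44958): apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.discord.discord" pid=5626 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
kern :notice: [ 2796.519919] audit: type=1400 audit(1726516456.670:263): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=32146 comm="code" requested="userns_create" target="unprivileged_userns"
kern :notice: [ 2796.520853] audit: type=1400 audit(1726516456.671:264): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=32148 comm="code" capability=21 capname="sys_admin"
[11541.395814] audit: type=1400 audit(1696093800.648:39): apparmor="DENIED" operation="exec" profile="/usr/bin/redshift" name="/home/philipp/.config/redshift/hooks/test-hook" pid=15384 comm="redshift" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Feb 23 18:54:07 my-host kernel: [   24.610703] type=1400 audit(1393181647.872:15): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=1526 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Read audit lines on stdin; print "<count>  <profile>  <suggested rule>",
# most frequent first. Only apparmor="DENIED" records count; a value that
# contains spaces (info="..." on AUDIT lines) is not handled.
aa_suggest() {
    awk '
    /apparmor="DENIED"/ {
        split("", kv)                       # reset the key/value map
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[a-z_]+=/) {
                eq = index($i, "=")
                k = substr($i, 1, eq - 1)
                v = substr($i, eq + 1)
                gsub("\"", "", v)           # strip the surrounding quotes
                kv[k] = v
            }
        }
        op = kv["operation"]; mask = kv["denied_mask"]
        if (op == "ptrace") {
            rule = "ptrace (" mask ") peer=" kv["peer"] ","
        } else if (op == "capable") {
            rule = "capability " kv["capname"] ","
        } else if (kv["name"] != "") {
            # a bare x is not a legal file mode; ix (run under this same
            # profile) is the conservative choice, px/Px/cx/Cx the others
            if (index(mask, "x")) { sub(/x/, "", mask); mask = mask "ix" }
            rule = kv["name"] " " mask ","
        } else {
            rule = "# no template for operation " op
        }
        count[kv["profile"] "\t" rule]++
    }
    END {
        for (key in count) {
            split(key, f, "\t")
            printf "%6d  %s  %s\n", count[key], f[1], f[2]
        }
    }' | sort -rn
}

case "${1:-}" in
    --sample) sample_lines | aa_suggest ;;
    -)        aa_suggest ;;                  # read the log from stdin
    "")       echo "usage: dmesg | sh $0 -   |   sh $0 --sample   |   sh $0 <logfile>" >&2 ;;
    *)        aa_suggest < "$1" ;;
esac
```

Where a suggested rule goes depends on who owns the profile. For ntpd on Ubuntu, `/etc/ldap/ldap.conf r,` belongs in `/etc/apparmor.d/local/usr.sbin.ntpd`, which the shipped profile includes for exactly this purpose, followed by `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd`. For a snap such as discord the profile under `/var/lib/snapd/apparmor/profiles` is regenerated by snapd, so a hand-written `ptrace (read) peer=unconfined,` does not survive a refresh; the snap's connected interfaces are the place to look, and the denial itself is the sandbox working rather than damage. For the redshift hook, `ix` means the script and everything it runs stay under the redshift profile, which then also needs rules for the shell and the commands the hook calls.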
0
votes
0
answers
596
views
Audit Logging Discrepancy: Journald vs Rsyslog
After installing Debian 12 and rsyslog 8.2302 (for TLS remote syslog), I noticed that apparmor logs (or any audit logs) were not being sent remotely.
After reviewing the local system, journald DOES contain all the audit and apparmor logs, but rsyslog is not getting any of them. Rsyslog can see all the other normal logs.
I have `ForwardToSyslog=yes` uncommented in `/etc/systemd/journald.conf`, but it does not seem to make a difference.
`/etc/rsyslog.conf`:

```text
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
# TLS Certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/logserver.crt # Server Certificate or CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/selfsigned.crt # Client Certificate
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/selfsigned.key # Client Key
# TLS Sending Configuration
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name # server IS authenticated by certificate name (pair with $ActionSendStreamDriverPermittedPeer); "anon" is the mode that skips authentication
#
# TLS Remote Logging Rule
#
*.* @@192.168.3.2:6514
```
On Debian 11, apparmor logs were being forwarded by rsyslog no problem.
I also tried changing the remote line in `rsyslog.conf` to `*.* /var/log/syslog` and after restarting, no audit or apparmor logs appeared in the file (all the other system logs did though...)
I realize rsyslog was removed from the default installation in this new release, so how can one re-enable rsyslog to see and ship off audit (apparmor) logs?
user432564
Jul 23, 2023, 12:40 AM
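One route that does not depend on `ForwardToSyslog` at all is to let rsyslog read the journal itself with `imjournal`, which sees every entry the journal holds, the audit and AppArmor records included, and then route the AppArmor lines to their own file on the way to the remote. The script below is an added example, not the poster's configuration: it writes a drop-in under `/etc/rsyslog.d/`, comments out `imuxsock` in the main config so the same record is not taken in twice (once via journald's forward socket, once from the journal), checks the result with `rsyslogd -N1`, and pushes a test line through. It assumes the Debian 12 `rsyslog` package ships the `imjournal` module and that `/etc/rsyslog.conf` is the one shown in the question; the TLS sending rule there is left untouched.

```shell
#!/bin/sh
# Make rsyslog read the journal directly instead of waiting for journald to
# forward. Added example, not the poster's config. Assumes imjournal is
# available (Debian 12 rsyslog package) and the rsyslog.conf from the
# question, whose imuxsock line gets commented out to avoid duplicates.
set -eu

FRAGMENT=/etc/rsyslog.d/10-journal-audit.conf
MAINCONF=/etc/rsyslog.conf

render_fragment() {
    cat <<'EOF'
# Pull everything from the journal (audit/AppArmor records included).
# The state file is relative to the $WorkDirectory set in rsyslog.conf.
module(load="imjournal"
       StateFile="imjournal.state"
       IgnorePreviousMessages="on")
# A flood of identical denials can trip imjournal's rate limiter; add
# Ratelimit.Interval="0" to the module() call above to disable it if
# lines go missing.

# Keep a local copy of the AppArmor/audit lines; the *.* rule in
# rsyslog.conf still forwards them to the TLS collector.
if $msg contains "apparmor=" then {
    action(type="omfile" file="/var/log/apparmor.log")
}
EOF
}

apply() {
    # one input path only: stop taking messages via journald's forward socket
    sed -i 's/^module(load="imuxsock")/#&/' "$MAINCONF"
    render_fragment > "$FRAGMENT"
    rsyslogd -N1                 # config check, exits non-zero on error
    systemctl restart rsyslog
    # push one denial-shaped line through the journal and watch it arrive
    logger -p user.notice 'test apparmor="DENIED" operation="test" profile="manual"'
    sleep 1
    grep -F 'profile="manual"' /var/log/apparmor.log
}

case "${1:-}" in
    --apply) apply ;;
    *)       render_fragment ;;    # dry run: print the drop-in
esac
```

With `imjournal` in place, `ForwardToSyslog` in `journald.conf` can stay at its default; a real denial then shows up both in `/var/log/apparmor.log` and at the collector, and if it does not, `journalctl -o verbose _TRANSPORT=audit` tells you whether the journal ever received it.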