Today I tried running
ps auxZ
but to my surprise it didn't print the security context of any process.
I checked
aa-status
and apparmor was enabled.
After further digging (strace-ing) I found out that trying to read /proc/self/attr/current resulted in errno 22 instead of giving the confinement status of the process.
/proc/self/attr/apparmor/current seems to work fine though.
Python 3.9.1 (default, Feb 6 2021, 06:49:13)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.19.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]: import os
In [2]: x = os.open('/proc/self/attr/current', os.O_RDONLY)
In [3]: os.read(x, 1)
---------------------------------------------------------------------------
OSError Traceback (most recent call last)
<ipython-input-3-2fb020720371> in <module>
----> 1 os.read(x, 1)
OSError: [Errno 22] Invalid argument
In [4]: y = os.open('/proc/self/attr/apparmor/current', os.O_RDONLY)
In [5]: os.read(y, 1)
Out[5]: b'u'
I tried it on linux-hardened (5.10.15.hardened1-1) and linux (5.10.15.arch1-1), they gave me the same result.
When I tried it on linux-lts (5.4.97-1), it worked without any problems.
I guess it's a new bug/change introduced in newer kernels.
Is anyone else getting this?
Last edited by lior (2021-06-05 18:10:40)
I have the same problem; for example, the command
ps -Z
does not show the loaded profile, and I get the same error for /proc/self/attr/current.
My previous kernel was linux-lts-4.9.263-1 and the current kernel is linux-lts-5.10.26. So something changed in the kernel code between your (5.4) and (5.10), and for now I cannot localize this.
SOLVED!
Generally, the apparmor option wasn't first.
More details: https://github.com/docker/for-linux/iss … -774541193 and https://wiki.archlinux.org/title/AppArmor#Installation
I've changed the boot options. Old configuration:
apparmor=1 security=apparmor
New configuration:
apparmor=1 security=apparmor lsm=apparmor,lockdown,yama,bpf
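An added example (not code from any poster in this thread) that ties the first post's strace/IPython finding to the lsm= fix above. As far as I can tell from the 5.10 sources, the legacy /proc/<pid>/attr/current read is answered by whichever active LSM implements the getprocattr hook first in the list, while /proc/<pid>/attr/apparmor/current is routed to AppArmor by name; when security=apparmor alone appends apparmor after bpf, the BPF LSM's stub for that hook answers with EINVAL, which is the errno 22 seen in the first post. The script below reads /sys/kernel/security/lsm and /proc/cmdline when they exist, reports which LSM owns the legacy file, suggests an lsm= line with apparmor first, and reads the confinement label from both paths. The LEGACY_ATTR_LSMS tuple is my assumption about which LSMs hook getprocattr, and the SAMPLE_* strings are constructed to mirror the two boot configurations in the thread, not captured from a real machine.

```python
"""Diagnose the LSM-ordering problem from this thread and read the AppArmor label.

Added example; not the posters' code. It relies only on standard kernel files:
/sys/kernel/security/lsm (active LSMs, in order), /proc/cmdline, and the
/proc/<pid>/attr/current and /proc/<pid>/attr/apparmor/current files above.
The SAMPLE_* strings are constructed to mirror the two boot configurations
in the thread; they are not captured from any real machine.
"""

# LSMs whose getprocattr hook answers reads of the legacy /proc/<pid>/attr/current.
# Assumption for this example, from the 5.10 sources: selinux, smack and apparmor
# implement the hook, and the BPF LSM's stub answers -EINVAL (errno 22), which is
# what the first post saw when bpf was ordered ahead of apparmor.
LEGACY_ATTR_LSMS = ("selinux", "smack", "apparmor", "bpf")

# Constructed samples. lockdown and capability are always listed first by the kernel.
SAMPLE_SYS_LSM_OLD = "lockdown,capability,yama,bpf,apparmor"   # security=apparmor only
SAMPLE_SYS_LSM_NEW = "lockdown,capability,apparmor,yama,bpf"   # lsm=apparmor,lockdown,yama,bpf
SAMPLE_CMDLINE_OLD = "root=/dev/sda2 rw apparmor=1 security=apparmor"
SAMPLE_CMDLINE_NEW = "root=/dev/sda2 rw apparmor=1 security=apparmor lsm=apparmor,lockdown,yama,bpf"


def parse_lsm_list(text):
    """Split a comma-separated LSM list (file content or lsm= value) into names."""
    return [name for name in text.strip().split(",") if name]


def cmdline_lsm_param(cmdline):
    """Return the LSM names given by lsm= on the kernel command line, or None if absent."""
    for token in cmdline.split():
        if token.startswith("lsm="):
            return parse_lsm_list(token[len("lsm="):])
    return None


def legacy_attr_owner(lsm_order):
    """The active LSM that answers /proc/<pid>/attr/current: the first one that hooks it."""
    for name in lsm_order:
        if name in LEGACY_ATTR_LSMS:
            return name
    return None


def diagnose(sys_lsm_text, cmdline):
    """Return (status, owner, advice) for the given /sys/kernel/security/lsm text and cmdline."""
    order = parse_lsm_list(sys_lsm_text)
    owner = legacy_attr_owner(order)
    if "apparmor" not in order:
        return ("apparmor-inactive", owner, "boot with apparmor=1 security=apparmor")
    if owner == "apparmor":
        return ("ok", owner, "legacy and apparmor-specific attr files both report the AppArmor label")
    # Rebuild the list with apparmor first; capability is implicit and need not be named.
    rest = ",".join(n for n in order if n not in ("apparmor", "capability"))
    advice = "put apparmor first: lsm=apparmor," + rest
    if cmdline_lsm_param(cmdline) is None:
        advice += " (no lsm= parameter is set; security=apparmor alone does not reorder the list)"
    return ("shadowed", owner, advice)


def read_confinement(pid="self"):
    """Read the AppArmor label, preferring the LSM-specific path and falling back to the legacy one.

    Returns (label, path_used) on success or (None, error_description) on failure.
    """
    last_error = "no attr file readable"
    for path in (f"/proc/{pid}/attr/apparmor/current", f"/proc/{pid}/attr/current"):
        try:
            with open(path, "rb") as fh:
                return fh.read().decode("utf-8", "replace").strip(), path
        except OSError as exc:
            last_error = f"{path}: {exc.strerror} (errno {exc.errno})"
    return None, last_error


def live_report():
    """Run the checks against this machine; falls back to the samples when /sys is unavailable."""
    try:
        with open("/sys/kernel/security/lsm") as fh, open("/proc/cmdline") as cl:
            sys_lsm, cmdline = fh.read(), cl.read()
    except OSError:
        sys_lsm, cmdline = SAMPLE_SYS_LSM_OLD, SAMPLE_CMDLINE_OLD
    return diagnose(sys_lsm, cmdline), read_confinement()


if __name__ == "__main__":
    (status, owner, advice), (label, source) = live_report()
    print(f"status={status} legacy-attr-owner={owner}\n  {advice}")
    if label is not None:
        print(f"confinement: {label!r} via {source}")
    else:
        print(f"confinement: {source}")
```

On the old configuration the diagnosis is "shadowed" with bpf owning the legacy file, and the suggested line is exactly the lsm=apparmor,lockdown,yama,bpf from the solving post; on the new configuration it reports "ok". Note that /sys/kernel/security/lsm still lists lockdown and capability ahead of apparmor after the fix, so checking "apparmor is literally first" would be the wrong test; what matters is that apparmor precedes bpf (and selinux/smack, were they built in).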
That did the trick! Thank you!
Just want to say thank you. I have spent a couple of hours searching for a solution to this problem (the snap LXD would not start in my case) and this solved it, so it's still a relevant issue 12 months later.