Upgrading to kernel 5.1.0 from pkgs.linuxPackages_latest breaks apparmor, preventing it from loading. Furthermore, this also breaks nixos-rebuild switch, requiring a kernel downgrade to pkgs.linuxPackages_5_0 (kernel 5.0.13) to fix this.
The error is:
```
➜ ~ sudo nixos-rebuild switch --upgrade
[sudo] password for william:
unpacking channels...
building Nix...
building the system configuration...
activating the configuration...
setting up /etc...
reloading user units for william...
setting up tmpfiles
the following new units were started: cpu-throttling.service
warning: the following units failed: apparmor.service
● apparmor.service
   Loaded: loaded (/nix/store/csxmp1iy3f5ijy8m0ajx6ch5n8milljc-unit-apparmor.service/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-08 10:29:31 EDT; 17ms ago
  Process: 2996 ExecStart=/nix/store/5v3ysffjypsndwxkh16byzaa3g55lz4g-apparmor-parser-2.13.1/bin/apparmor_parser -rKv -I /nix/store/gj3zvpgbsnx85nbbrpb5s2kjz4y85w80-apparmor-profiles-2.13.1/etc/apparmor.d -I /nix/store/pmgymay0liaz5xy65z9n029v2qn6k79v-lxc-3.1.0/etc/apparmor.d /nix/store/pmgymay0liaz5xy65z9n029v2qn6k79v-lxc-3.1.0/etc/apparmor.d/usr.bin.lxc-start (code=exited, status=1/FAILURE)
 Main PID: 2996 (code=exited, status=1/FAILURE)
May 08 10:29:31 helium systemd[1]: Starting apparmor.service...
May 08 10:29:31 helium apparmor_parser[2996]: Warning from stdin (line 1): config file '/etc/apparmor/parser.conf' not found
May 08 10:29:31 helium apparmor_parser[2996]: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
May 08 10:29:31 helium apparmor_parser[2996]: Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
May 08 10:29:31 helium apparmor_parser[2996]: Use --subdomainfs to override.
May 08 10:29:31 helium systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
May 08 10:29:31 helium systemd[1]: apparmor.service: Failed with result 'exit-code'.
May 08 10:29:31 helium systemd[1]: Failed to start apparmor.service.
warning: error(s) occurred while switching to the new configuration
```
I believe the main issue is from this line here: `apparmor_parser[2996]: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)`
### Steps to reproduce
`boot.kernelPackages = pkgs.linuxPackages_latest;` and `security.apparmor.enable = true;` should be sufficient to reproduce the problem, although apparmor was already implicitly enabled on my system. I believe it's because of lxd.
## Technical details
```
➜ ~ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.1.0, NixOS, 19.09pre178846.7defc47944f (Loris)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.2.2`
 - channels(root): `"nixos-19.09pre178846.7defc47944f, nixos-hardware"`
 - channels(william): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
```

It can alternatively be reproduced with `boot.kernelPackages = pkgs.linuxPackages_latest;` and `virtualisation.lxd.enable = true;`. I've removed the second part as a workaround.
I can reproduce the apparmor issue (on unstable-small 19.09pre179342.0fe5e0279fe), but I can keep rebuilding once apparmor.service fails. Not sure if I'm understanding that part right though...
Off the top of my head I'd guess that this is related to securityfs not being mounted; is it? (should be at /sys/kernel/security). I recently tweaked the ordering of the apparmor unit, so this could be fallout from that (EDIT: probably not).
Hm, from my testing it seems that the selinux lsm is selected by the kernel at boot instead of apparmor for whatever reason under 5.1. I do note that linux_latest.configfile no longer explicitly sets the default security= boot parameter to "apparmor".
Can you check dmesg output? When apparmor is selected, you should see something like "AppArmor: AppArmor Filesystem Enabled"; if that is missing, look for mentions of selinux.
Explicitly setting boot.kernelParams = [ "security=apparmor" ]; fixes the issue on my end; I'll push a patch to that effect.
I believe this has been fixed. Please reopen if the problem persists.
This is a problem again. Would somebody please re-open this issue?
Hmmm, this seems to be fixed by a reboot. Is there some way to say "reboot required" from nixos-rebuild switch?
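The two checks discussed in this thread (which LSM the kernel actually selected, and whether `security=apparmor` has reached the booted kernel, which is what decides the "reboot required" question above) can be scripted. The helper below is an added example written for this page; it is not code from the issue, from nixpkgs or from the apparmor package. It assumes that `/sys/kernel/security/lsm` (a securityfs file) lists the active LSMs comma-separated, that dmesg contains the "AppArmor: AppArmor Filesystem Enabled" line when AppArmor is selected, and that `/run/current-system/kernel-params` holds the kernel parameters of the configuration last switched to; all sample data in it is constructed.

```shell
#!/bin/sh
# Added diagnostic helper for the AppArmor-on-5.1 symptom; not part of nixpkgs.
# Every function takes its input as arguments so the logic can be exercised on
# constructed data; "--live" reads the real system files (paths are assumptions).

# lsm_listed NAME LIST: 0 if NAME is in the comma-separated LSM list
# (format of /sys/kernel/security/lsm, e.g. "capability,yama,apparmor").
lsm_listed() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# apparmor_in_dmesg TEXT: 0 if the kernel logged that AppArmor's filesystem is up
apparmor_in_dmesg() {
  printf '%s\n' "$1" | grep -q 'AppArmor: AppArmor Filesystem Enabled'
}

# cmdline_has_param PARAM CMDLINE: 0 if PARAM is one of the whitespace-separated
# words of a kernel command line (contents of /proc/cmdline).
cmdline_has_param() {
  case " $2 " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# diagnose LSM_LIST DMESG BOOTED_CMDLINE CONFIGURED_PARAMS
# Prints exactly one verdict word and always returns 0:
#   securityfs-empty     no LSM list at all; securityfs is probably not mounted
#   apparmor-active      AppArmor is the selected LSM; look elsewhere for the failure
#   reboot-pending       security=apparmor is configured but the booted kernel never saw it
#   selinux-selected     the kernel picked SELinux instead; add security=apparmor and reboot
#   apparmor-unavailable neither AppArmor nor SELinux is active on this kernel
diagnose() {
  lsm=$1; log=$2; booted=$3; configured=$4
  if [ -z "$lsm" ]; then
    echo securityfs-empty
  elif lsm_listed apparmor "$lsm" && apparmor_in_dmesg "$log"; then
    echo apparmor-active
  elif cmdline_has_param security=apparmor "$configured" \
       && ! cmdline_has_param security=apparmor "$booted"; then
    echo reboot-pending
  elif lsm_listed selinux "$lsm"; then
    echo selinux-selected
  else
    echo apparmor-unavailable
  fi
  return 0
}

# demo: runs the verdict logic over constructed inputs (not real captures).
demo() {
  lsm_sel="capability,yama,selinux"
  lsm_aa="capability,yama,apparmor"
  log_aa="[    0.000000] AppArmor: AppArmor Filesystem Enabled"
  log_sel="[    0.000000] SELinux:  Initializing."
  cmd_old="init=/nix/store/placeholder-nixos-system/init loglevel=4"
  cmd_new="$cmd_old security=apparmor"
  echo "apparmor selected:           $(diagnose "$lsm_aa"  "$log_aa"  "$cmd_new" "$cmd_new")"
  echo "selinux selected, no fix:    $(diagnose "$lsm_sel" "$log_sel" "$cmd_old" "$cmd_old")"
  echo "fix configured, not booted:  $(diagnose "$lsm_sel" "$log_sel" "$cmd_old" "$cmd_new")"
  echo "securityfs missing:          $(diagnose ""         ""         "$cmd_old" "$cmd_old")"
}

if [ "${1:-}" = "--live" ]; then
  # NixOS-specific path for the configured parameters; an assumption, not from the thread.
  diagnose \
    "$(cat /sys/kernel/security/lsm 2>/dev/null)" \
    "$(dmesg 2>/dev/null)" \
    "$(cat /proc/cmdline 2>/dev/null)" \
    "$(cat /run/current-system/kernel-params 2>/dev/null)"
else
  demo
fi
```

Run it with `--live` on the affected machine: `reboot-pending` means `nixos-rebuild switch` has written `security=apparmor` into the new generation but the kernel that is running never received it, which is exactly why the unit keeps failing until the next boot; `selinux-selected` means the parameter is not configured at all.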
I just had the same issue and reboot indeed fixed it, thanks a lot
Just reproduced this by adding virtualisation.lxd.enable = true; to /etc/nixos/configuration.nix.
Making a reboot unnecessary would be even better :-) Either way the problem still exists and significantly impacts usability... any plans on addressing it?