apparmor aa-complain

[evrim]

Issue description

Hello,

I've run into trouble w/ app armor.

# aa-complain `which ping`
Traceback (most recent call last):
File "/nix/store/5zxndn75gljwbpcr2mdh7arg71fllhzb-apparmor-utils-2.10/bin/.aa-complain-wrapped", line 17, in
import apparmor.tools
File "/nix/store/5zxndn75gljwbpcr2mdh7arg71fllhzb-apparmor-utils-2.10/lib/python2.7/site-packages/apparmor/tools.py", line 17, in
import apparmor.aa as apparmor
File "/nix/store/5zxndn75gljwbpcr2mdh7arg71fllhzb-apparmor-utils-2.10/lib/python2.7/site-packages/apparmor/aa.py", line 4345, in
if cfg['settings'].get('default_owner_prompt', False):
File "/nix/store/5zxndn75gljwbpcr2mdh7arg71fllhzb-apparmor-utils-2.10/lib/python2.7/site-packages/apparmor/config.py", line 27, in getitem
section_val = self.items(section)
File "/nix/store/3n3r10921c0mzfrq64hc4m2jzjk13qpr-python-2.7.13/lib/python2.7/ConfigParser.py", line 642, in items
raise NoSectionError(section)
ConfigParser.NoSectionError: No section: 'settings'
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
File "/nix/store/3n3r10921c0mzfrq64hc4m2jzjk13qpr-python-2.7.13/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
func(*targs, **kargs)
File "/nix/store/5zxndn75gljwbpcr2mdh7arg71fllhzb-apparmor-utils-2.10/lib/python2.7/site-packages/apparmor/aa.py", line 128, in on_exit
debug_logger.debug('Exiting..')
AttributeError: 'NoneType' object has no attribute 'debug'
Error in sys.exitfunc:
Traceback (most recent call last):
File "/nix/store/3n3r10921c0mzfrq64hc4m2jzjk13qpr-python-2.7.13/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
func(*targs, **kargs)
File "/nix/store/5zxndn75gljwbpcr2mdh7arg71fllhzb-apparmor-utils-2.10/lib/python2.7/site-packages/apparmor/aa.py", line 128, in on_exit
debug_logger.debug('Exiting..')
AttributeError: 'NoneType' object has no attribute 'debug'

Technical details

# cat /etc/nixos/configuration.nix|grep app
security.apparmor.enable = true;

# nixos-version -a
17.03.1247.05126bc850 (Gorilla)

[evrim]

Apparently, /etc/apparmor and /etc/apparmor.d directories do not exist on my system.
#nix-env -i apparmor-profiles seems to install these data into the user store ie /nix/store/...user-environment../
I suspect i need a little bit more configuration. Any ideas?

[Mic92]

You can add packages or profiles like the lxc module does:

security.apparmor.packages = [ pkgs.lxc ];
security.apparmor.profiles = [ "${pkgs.lxc}/etc/apparmor.d/lxc-containers" ];

By default some profiles are already loaded (in my case it also includes lxc).

$ sudo systemctl cat apparmor
# /nix/store/ya3gpbvlrq1hyff03n92qyj4x5rwk8b8-unit-apparmor.service/apparmor.service
[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/fmp6hi6x306s61npw24i97ksb037v8nc-glibc-locales-2.25/lib/locale/locale-archive"
Environment="PATH=/nix/store/v64g1yg79b4i3cc7ajxzi5gik4sq2737-coreutils-8.27/bin:/nix/store/pzniwigry771hvqqlr939jmddcqh79m6-findutils-4.6.0/bin:/nix/store/96kg25hm8m95l3lsh88cm379a883i7jp-gnugrep-3.0/bin:/nix/store/fv7a8li0j9fs3nbfifhfqlr54i5vx5rz-gnused-4.4/bin:/nix/store/f346cnnkfxy4sc27q5aa9al8is4mnzqk-systemd-232/bin:/nix/store/v64g1yg79b4i3cc7ajxzi5gik4sq2737-coreutils-8.27/sbin:/nix/store/pzniwigry771hvqqlr939jmddcqh79m6-findutils-4.6.0/sbin:/nix/store/96kg25hm8m95l3lsh88cm379a883i7jp-gnugrep-3.0/sbin:/nix/store/fv7a8li0j9fs3nbfifhfqlr54i5vx5rz-gnused-4.4/sbin:/nix/store/f346cnnkfxy4sc27q5aa9al8is4mnzqk-systemd-232/sbin"
Environment="TZDIR=/nix/store/c67wrah64bf33cgs7d1iqc4kaj8ryawa-tzdata-2016j/share/zoneinfo"



ExecStart=/nix/store/hs4yd1ncqppd2rsi6dm08xnss10ch6ig-apparmor-parser-2.10/bin/apparmor_parser -rKv  -I /nix/store/4agfz7b0kd4davn70ii4ql0w9l0nccxa-apparmor-profiles-2.10/etc/apparmor.d -I /nix/store/2s56lnf6k6fwj2y381n99qdb1rrnycyw-lxc-2.0.7/etc/apparmor.d "/nix/store/2s56lnf6k6fwj2y381n99qdb1rrnycyw-lxc-2.0.7/etc/apparmor.d/lxc-containers"
ExecStart=/nix/store/hs4yd1ncqppd2rsi6dm08xnss10ch6ig-apparmor-parser-2.10/bin/apparmor_parser -rKv  -I /nix/store/4agfz7b0kd4davn70ii4ql0w9l0nccxa-apparmor-profiles-2.10/etc/apparmor.d -I /nix/store/2s56lnf6k6fwj2y381n99qdb1rrnycyw-lxc-2.0.7/etc/apparmor.d "/nix/store/jgr9yrjrrzza8j8r6qbzrg8iyc3wrhb2-ping"
ExecStop=/nix/store/hs4yd1ncqppd2rsi6dm08xnss10ch6ig-apparmor-parser-2.10/bin/apparmor_parser -Rv "/nix/store/2s56lnf6k6fwj2y381n99qdb1rrnycyw-lxc-2.0.7/etc/apparmor.d/lxc-containers"
ExecStop=/nix/store/hs4yd1ncqppd2rsi6dm08xnss10ch6ig-apparmor-parser-2.10/bin/apparmor_parser -Rv "/nix/store/jgr9yrjrrzza8j8r6qbzrg8iyc3wrhb2-ping"
RemainAfterExit=yes
Type=oneshot

[Mic92]

See also: https://nixos.org/nixos/options.html#apparmor

[calbrecht]

For me the current version 2.10 of apparmor-utils refuse to start either.
e.g. aa-genprof

• is missing a [settings] section from config logprof.conf which it looks up in /etc/apparmor
• needs settings.profiledir
• needs correct parser, ldd and logger paths in settings.* from config
• refuses to start because of https://bugs.launchpad.net/apparmor/+bug/1513880

i managed to get it working by updating to version 2.10.2, but this made quite a rebuild :/

[stale]

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
2. Ask on the NixOS Discourse.
3. Ask on the #nixos channel on irc.freenode.net.

[calbrecht]

hm, well. Nice to have and play around with at sometime, i guess :)

[stale]

I marked this as stale due to inactivity. → More info

[Mic92]

I think this was fixed by #93457 if not please complain.