AppArmor causes errors when new profiles were included

I saw many new profiles by
$ sudo aa-status
and included them by
$ sudo aa-enforce /etc/apparmor.d/*
but since then I got errors
$ firefox
/usr/lib/firefox/firefox: error while loading shared libraries: libstdc++.so.6: cannot open shared object file: Permission denied
and
$ flatpak uninstall --unused
flatpak: error while loading shared libraries: libglib-2.0.so.0: cannot open shared object file: Permission denied

and who knows how many more?
(I haven’t checked all apps yet)

All errors (Permission denied) are gone when AppArmor is disabled by
$ sudo aa-teardown

EDIT:
Most likely the errors are due to one or more buggy Tunables Profile(s) !!
Hope that helps to find out why.

Please see → AppArmor - ArchWiki for more information

For many years I used AppArmor just with this line in GRUB

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor resume=UUID=ff53c8ac-5386-4abf-9a73-0f85924072ba udev.log_priority=3"

and it worked fine.
Because you @linux-aarhus mentioned the Wiki I have added GRUB with

GRUB_CMDLINE_LINUX_DEFAULT="lsm=landlock,lockdown,yama,integrity,apparmor,bpf quiet apparmor=1 security=apparmor resume=UUID=ff53c8ac-5386-4abf-9a73-0f85924072ba udev.log_priority=3"

Is that sequence correct or does the sequence matter at all?

However, Firefox and Flatpak are still causing the error mentioned in my first post, so I had to exclude both from AppArmor.
This error can easily be reproduced on a fresh installation in a VM (by sudo aa-enforce /etc/apparmor.d/*) and I wonder why it wasn’t mentioned in the forum yet.
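
To find which profile is behind a "Permission denied" like the ones reported in this thread, the AppArmor denial records in the kernel log can be grouped by profile and path. The script below is an added example, not part of any post; its log lines, profile names, PIDs and /usr/lib paths are constructed.

```shell
#!/usr/bin/env bash
# Added example: group AppArmor denials by profile, mask and path.

# Constructed audit lines; profile names, PIDs and /usr/lib paths are assumptions.
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="firefox" name="/usr/lib/libstdc++.so.6" pid=4101 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000003.552:207): apparmor="DENIED" operation="open" profile="firefox" name="/usr/lib/libstdc++.so.6" pid=4188 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000009.020:215): apparmor="DENIED" operation="open" profile="flatpak" name="/usr/lib/libglib-2.0.so.0" pid=4230 comm="flatpak" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000011.733:219): apparmor="ALLOWED" operation="open" profile="ping" name="/etc/hosts" pid=4302 comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
}

# Read log lines on stdin; print "<count> <profile> <denied_mask> <path>".
summarise_denials() {
  awk '
    # Return the quoted value of key="..." on the current line, or "?" if absent.
    function val(key,   s) {
      if (!match($0, " " key "=\"[^\"]*\"")) return "?"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    # Only enforce-mode rejections; complain-mode hits are logged as ALLOWED.
    /apparmor="DENIED"/ { count[val("profile") " " val("denied_mask") " " val("name")]++ }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Unique profile names that produced at least one denial.
denying_profiles() {
  summarise_denials | awk '{ print $2 }' | sort -u
}

sample_log | summarise_denials
```

On a live system, pipe `journalctl -k` (or the audit log when auditd is running) into `summarise_denials`. A profile that shows up there can be switched back with `aa-complain` instead of tearing down AppArmor entirely.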