[apparmor] Apparmor crash that takes out the system

Mark Wadham ubuntu at rkw.io
Thu Jul 28 19:31:48 UTC 2016

On 28 Jul 2016, at 17:32, Mark Wadham wrote:
> If the profile doesn't cause a crash immediately for you let me know 
> and I'll play around with a fresh vm and see if I can reproduce it 
> there.

Ok it's reproducible on a vm with an almost fresh installation of 


1. Configure a vpn (sorry, doesn't seem to trigger if there's no vpn 
configured).  I'm using a public vpn service but I'd assume anything 
would do.  Make sure the vpn comes up.

2. Set this profile for usr.sbin.openvpn:

  #include <tunables/global>

  /usr/sbin/openvpn flags=(complain, attach_disconnected) {
    #include <abstractions/authentication>
    #include <abstractions/base>
    #include <abstractions/nameservice>

    capability net_bind_service,

    /run/openvpn/ipredator.status rw,
    /etc/openvpn/ r,
    /etc/openvpn/** r,
    /run/openvpn/* rw,
  }

3. Set the profile to complain mode, restart openvpn.

4. Wait till the vpn comes up, then:

# apparmor_parser -r /etc/apparmor.d/usr.sbin.openvpn ; service openvpn 

then really quickly type:

# dmesg

and you should see the panic just before the box becomes unreachable.

Not sure if all these steps are necessary but this is triggering it for 

