4

Kinda overlapping question here. I'm trying to disable AppArmor system-wide. After doing this:

sudo systemctl stop apparmor
sudo systemctl disable apparmor

And rebooting, I have:

❯❯  sudo aa-status | egrep '^[0-9]'
48 profiles are loaded.
41 profiles are in enforce mode.
7 profiles are in complain mode.
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
17 processes have profiles defined.
17 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.

❯❯ sudo aa-enabled
Yes

❯❯ sudo systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; preset: enabled)
     Active: inactive (dead)
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/

If I do something that violates the policy (in my case, creating a user namespace) I get stuff like this in my kernel log which seems to confirm AppArmor is in effect:

[  942.570952] audit: type=1400 audit(1735492407.323:89): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=6227 comm="python" requested="userns_create" denied="userns_create" target="unprivileged_userns"
Brendan
  • 223

2 Answers

5

To give more detail on Thomas Ward's comment, open the file /etc/default/grub with sudo, and change the line
GRUB_CMDLINE_LINUX=""
to
GRUB_CMDLINE_LINUX="apparmor=0"
Run sudo update-grub and reboot.

Note: Disabling AppArmor on Ubuntu, as outlined in this answer, removes a layer of security that is designed to keep your system safe. Nevertheless, this is one course of action that could be taken by a knowledgeable and experienced user.

Canonical's decision to restrict unprivileged user namespaces broke many programs and in my opinion should not have been done at all. Let alone on a .1 release; that should be the safest upgrade of all.

andrew.46
  • 39,359
4

Disabling apparmor by

sudo systemctl stop apparmor
sudo systemctl disable apparmor

will not work. I also ran into this problem and wasted a lot of time.

To completely disable apparmor, you need to add a special command to the GRUB config file and restart your machine. For your convenience, I made a ready one-liner to do it:

To switch AppArmor OFF:

sudo sed -i 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="apparmor=0"/' /etc/default/grub && sudo update-grub && sudo reboot

To switch AppArmor ON:

sudo sed -i 's/^GRUB_CMDLINE_LINUX="apparmor=0"/GRUB_CMDLINE_LINUX=""/' /etc/default/grub && sudo update-grub && sudo reboot
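
The sed patterns in the one-liners above match only when the line is exactly GRUB_CMDLINE_LINUX="" (or exactly "apparmor=0"); if other kernel parameters are already set, nothing is changed but update-grub and the reboot still run. The following is an added example, not code from either answer: it sets or clears the parameter while preserving other parameters and keeps a backup. The function names set_apparmor_param and apparmor_kernel_state are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answers. Function names are hypothetical.

# set_apparmor_param FILE on|off
#   off: make sure apparmor=0 is in GRUB_CMDLINE_LINUX; on: remove any apparmor= token.
#   Other kernel parameters on the line are preserved. Handles the double-quoted
#   form only (the one shown in the answers); returns 1 if that line is missing.
set_apparmor_param() {
    file=$1 mode=$2
    case $mode in on|off) ;; *) echo "usage: set_apparmor_param FILE on|off" >&2; return 2 ;; esac
    grep -q '^GRUB_CMDLINE_LINUX="' "$file" || { echo "no GRUB_CMDLINE_LINUX=\"...\" line in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v mode="$mode" '
        /^GRUB_CMDLINE_LINUX="/ {
            val = $0
            sub(/^GRUB_CMDLINE_LINUX="/, "", val); sub(/"[ \t]*$/, "", val)
            n = split(val, tok, /[ \t]+/); out = ""
            for (i = 1; i <= n; i++)        # keep everything except apparmor=...
                if (tok[i] != "" && tok[i] !~ /^apparmor=/)
                    out = out (out == "" ? "" : " ") tok[i]
            if (mode == "off") out = out (out == "" ? "" : " ") "apparmor=0"
            print "GRUB_CMDLINE_LINUX=\"" out "\""; next
        }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$tmp" "$file"; then rm -f "$tmp"; return 0; fi   # already in the wanted state
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"; return $rc
}

# apparmor_kernel_state: what the running kernel reports (Y, N, or absent),
# independent of whether apparmor.service is enabled.
apparmor_kernel_state() {
    cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo absent
}
```

Run it as root against /etc/default/grub, then run sudo update-grub and reboot as in the answers; apparmor_kernel_state afterwards shows whether the kernel actually has AppArmor enabled.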