I installed AppArmor according to the Wiki, however, after restarting and making sure everything is running, invoking aa-logprof throws this error:
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/abstractions/user-data line 26:
prompt owner @{HOME}/ r,
I have absolutely no idea what to do with this, since this seems like standard syntax? So I’m quite baffled about where to even start looking for what to do. Any help would be appreciated.
The error message you’re encountering, "ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/abstractions/user-data line 26: prompt owner @{HOME}/ r," indicates a syntax issue in the AppArmor profile file.
To my knowledge, prompt is not a valid AppArmor rule…
The line prompt owner @{HOME}/ r, is not a valid AppArmor rule.
The prompt keyword is not recognized in this context. AppArmor rules typically use owner, r, w, rw, etc., but not prompt.
Relevant bits from mine:
```
# Allow read access to toplevel $HOME & mounts for the user.
owner @{HOME}/ r,
owner @{MOUNTS}/ r,
# Allow read/write access to all files in @{HOME}, except snap application
# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
owner @{HOME}/[^s.]** rwlk,
owner @{HOME}/s[^n]** rwlk,
owner @{HOME}/sn[^a]** rwlk,
owner @{HOME}/sna[^p]** rwlk,
owner @{HOME}/snap[^/]** rwlk,
owner @{HOME}/{s,sn,sna}{,/} rwlk,
# Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
# for non-hidden files owned by the user.
owner @{MOUNTS}/[^.]** rwlk,
# Disallow writes to the well-known directory included in
# the user's PATH on several distributions
```
You should edit **/etc/apparmor.d/abstractions/user-data** and make the changes I showed above.
I did download apparmor.d-git (not installed) to see the contents of that file.
It is not only on line 26 that "prompt" occurs but on several others. Seems intentional from the developer?
```
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Gives access to non-hidden files in user's $HOME.
# Warning: experiemental, only for abi 4+, requires a prompting client.

abi <abi/4.0>,

# Allow accessing the GNOME crypto services prompt APIs as used by
# applications using libgcr (such as pinentry-gnome3) for secure pin
# entry to unlock GPG keys etc. See:
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
dbus send bus=session path=/org/gnome/keyring/Prompter
     interface=org.gnome.keyring.internal.Prompter
     member={BeginPrompting,PerformPrompt,StopPrompting}
     peer=(name="{@{busname}", label=pinentry-*),
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
     interface=org.gnome.keyring.internal.Prompter.Callback
     member={PromptReady,PromptDone}
     peer=(name="{@{busname}", label=pinentry-*),

# Allow read access to toplevel $HOME & mounts for the user.
prompt owner @{HOME}/ r,
prompt owner @{MOUNTS}/ r,

# Allow read/write access to all files in @{HOME}, except snap application
# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
prompt owner @{HOME}/[^s.]** rwlk,
prompt owner @{HOME}/s[^n]** rwlk,
prompt owner @{HOME}/sn[^a]** rwlk,
prompt owner @{HOME}/sna[^p]** rwlk,
prompt owner @{HOME}/snap[^/]** rwlk,
prompt owner @{HOME}/{s,sn,sna}{,/} rwlk,

# Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
# for non-hidden files owned by the user.
prompt owner @{MOUNTS}/[^.]** rwlk,

# Disallow writes to the well-known directory included in
# the user's PATH on several distributions
audit deny @{HOME}/bin/{,**} wl,
audit deny @{HOME}/bin wl,

include if exists <abstractions/user-data.d>

# vim:syntax=apparmor
```
It does at first glance, to be sure. I was thinking @naim or @ptr1337 would set our minds to rest.
And if I manually add prompt back into the mix, apparmor fails.
This is the explanation. The apparmor tools are not up to date. As mentioned in the above thread, you should use aa-log instead, which comes with apparmor.d.
Using aa-logprof is problematic anyhow. If you interactively add rules, they are applied to the profiles in /etc/apparmor.d, however with the consequence that these changes will be overwritten by the next apparmor or apparmor.d update.
That's why you should rather add your modifications to the files in /etc/apparmor.d/local, which are included by the include directive at the bottom of the respective profile. If they do not already exist, you have to create them manually. Then copy the necessary rules displayed by executing aa-log -r.
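As an added example (not from this thread or from the apparmor.d project), the following POSIX shell script lists every rule in a profile tree that uses the AppArmor 4 `prompt` qualifier, which is what the older aa-logprof rejects as an "Unknown line", and optionally probes whether the installed `apparmor_parser` accepts such a rule. The probe assumes `apparmor_parser` reads a profile from stdin when no file is given and that `-Q -K` only parses it; the profile tree it scans here is constructed in a temporary directory, not the real /etc/apparmor.d.

```shell
#!/bin/sh
# Added example: find AppArmor 4 'prompt' rules that older tooling (aa-logprof)
# rejects, and probe whether the installed parser understands the qualifier.

# Print "file:line:rule" for every rule starting with the prompt qualifier.
# Comments and dbus names such as member={PromptReady} do not match.
# Returns 0 if at least one prompt rule was found, 1 otherwise.
list_prompt_rules() {
    grep -rnE '^[[:space:]]*prompt[[:space:]]' "$1" 2>/dev/null
}

# Number of prompt rules under a directory (0 when there are none).
count_prompt_rules() {
    list_prompt_rules "$1" | wc -l | tr -d ' '
}

# Dry-run a one-rule abi 4.0 profile through apparmor_parser, if installed.
# Assumption: the parser reads stdin when no file is given; -Q skips the
# kernel load and -K skips the cache, so only parsing happens.
# Exit status: 0 = prompt accepted, 1 = rejected (parser or abi too old),
# 2 = apparmor_parser not installed.
parser_supports_prompt() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    printf 'abi <abi/4.0>,\nprofile prompt_probe {\n  prompt owner /home/*/ r,\n}\n' \
        | apparmor_parser -Q -K >/dev/null 2>&1
}

# Demonstration on a constructed profile tree (sample content, not /etc/apparmor.d).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/abstractions"
    cat > "$tmp/abstractions/user-data" <<'EOF'
abi <abi/4.0>,
prompt owner @{HOME}/ r,
prompt owner @{MOUNTS}/ r,
audit deny @{HOME}/bin wl,
EOF
    echo "prompt rules found: $(count_prompt_rules "$tmp")"
    list_prompt_rules "$tmp"
    parser_supports_prompt; rc=$?
    case $rc in
        0) echo "installed apparmor_parser accepts prompt rules" ;;
        1) echo "installed apparmor_parser rejects prompt rules (needs AppArmor 4 / abi 4.0)" ;;
        2) echo "apparmor_parser not installed; cannot probe" ;;
    esac
    rm -rf "$tmp"
}
demo
```

Run it against the real tree with `list_prompt_rules /etc/apparmor.d` to see which files aa-logprof will trip over; a non-zero count with an accepting parser means the profiles are fine and only the Python tools lag behind.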
I did a clean install of apparmor.d-git.
Left profiles as is:
```
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Gives access to non-hidden files in user's $HOME.
# Warning: experiemental, only for abi 4+, requires a prompting client.

abi <abi/4.0>,

# Allow accessing the GNOME crypto services prompt APIs as used by
# applications using libgcr (such as pinentry-gnome3) for secure pin
# entry to unlock GPG keys etc. See:
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
dbus send bus=session path=/org/gnome/keyring/Prompter
     interface=org.gnome.keyring.internal.Prompter
     member={BeginPrompting,PerformPrompt,StopPrompting}
     peer=(name="{@{busname}", label=pinentry-*),
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
     interface=org.gnome.keyring.internal.Prompter.Callback
     member={PromptReady,PromptDone}
     peer=(name="{@{busname}", label=pinentry-*),

# Allow read access to toplevel $HOME & mounts for the user.
prompt owner @{HOME}/ r,
prompt owner @{MOUNTS}/ r,

# Allow read/write access to all files in @{HOME}, except snap application
# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
prompt owner @{HOME}/[^s.]** rwlk,
prompt owner @{HOME}/s[^n]** rwlk,
prompt owner @{HOME}/sn[^a]** rwlk,
prompt owner @{HOME}/sna[^p]** rwlk,
prompt owner @{HOME}/snap[^/]** rwlk,
prompt owner @{HOME}/{s,sn,sna}{,/} rwlk,

# Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
# for non-hidden files owned by the user.
prompt owner @{MOUNTS}/[^.]** rwlk,

# Disallow writes to the well-known directory included in
# the user's PATH on several distributions
audit deny @{HOME}/bin/{,**} wl,
audit deny @{HOME}/bin wl,

include if exists <abstractions/user-data.d>

# vim:syntax=apparmor
```