#995367 Re-enable apparmor on Debian Live?

Package:
apparmor
Source:
apparmor
Description:
user-space parser utility for AppArmor
Submitter:
"Trent W. Buck"
Date:
2026-02-11 15:35:02 UTC
Severity:
wishlist
Tags:
#995367#5
Date:
2021-09-30 10:42:53 UTC
From:
To:
When booting with boot=live (live-boot-initramfs-tools), apparmor is disabled:

https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/experimental/debian/apparmor.service#L17
https://salsa.debian.org/apparmor-team/apparmor/-/commit/675a4d80a9147c7278577d8043f885099db403a9
https://bugs.debian.org/922378

It's easy to miss this and think you're protected;
"systemctl --state=failed" doesn't say apparmor.service failed.
You have to notice that "aa-status" doesn't mention any profiles are loaded.

This affects not only pre-built Debian Live images, but also
abnormal people who run the same Debian install,
sometimes with "boot=local", and
sometimes with "boot=live" (so reboot will auto-rollback the OS).

I think this workaround is not necessary anymore!
apparmor works on Debian 11 Live!
(At least for msmtp; I have not tested evince & libreoffice yet.)

    # NOTE: policy says msmtp can run /bin/cat but not /bin/tac:

    root@main:~# msmtp --host=smtp.gmail.com --tls=on --port=587 --auto-from=on --auth=on --user=THIS-IS-A-TEST --passwordeval='tac /etc/services' root <<< test
    sh: 1: tac: Permission denied
    msmtp: cannot read output of 'tac /etc/services'

    Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:35): apparmor="DENIED" operation="exec" profile="msmtp//helpers" name="/usr/bin/tac" pid=3112 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

    root@main:~# msmtp --host=smtp.gmail.com --tls=on --port=587 --auto-from=on --auth=on --user=THIS-IS-A-TEST --passwordeval='cat /etc/services' root <<< test
    msmtp: authentication failed (method PLAIN)
    msmtp: server message: 535-5.7.8 Username and Password not accepted. Learn more at
    msmtp: server message: 535 5.7.8  https://support.google.com/mail/?p=BadCredentials z22sm2054254pgn.81 - gsmtp
    msmtp: could not send mail


A fuller transcript it attached.
The Debian Live image was built & booted using
https://github.com/cyberitsolutions/bootstrap2020/blob/main/debian-11-minimal.py

#995367#10
Date:
2021-09-30 11:14:29 UTC
From:
To:
The original bug report complained about LibreOffice and Evince.
I tested those specifically.

LibreOffice is in "complain" mode.
It's rules fail, but there is no user-visible impact.

Evince is in "enforce" mode.
I couldn't generate an error by just opening PDFs, saving them, and printing them (to files).

Is this a sufficient test?
I can do a bit more, but I don't want to exhaustively test EVERY app with a profile. :-)

#995367#15
Date:
2022-02-14 07:57:57 UTC
From:
To:
Hi,

Trent W. Buck (2021-09-30):

Interesting!

I was not surprised that msmtp works because its profile has
attach_disconnected, but the Evince and LibreOffice don't have that
kludge so I'm surprised they work.

It's definitely a sufficient test to give some hope!

Could you please test this with some LUKS-encrypted persistence mounts,
e.g. make ~/.gnupg persistent and check that AppArmor correctly
forbids access to the persistent files in there, both when accessed
via ~/.gnupg and via the mountpoint of the persistent filesystem?

Cheers!