You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Strictly speaking we do not need any means of 3rd party hardening on runners (selinux/apparmor) so lets just disable it so it does not change system's behaviour.
@mikhailkoliada Note that systemctl stop apparmor.service was not sufficient in my case and only running aa-teardown fully disabled apparmor. Note that the exit status of aa-teardown has to be ignored because of https://gitlab.com/apparmor/apparmor/-/issues/403.
@DaanDeMeyer oh, it is a good catch, but does aa-teardown saves its states somehow anywhere? I mean we reboot the vm even during the build process several times so if it does not save its state we'll have to patch it different way if aa-teardown does not survive reboots :(
@mikhailkoliada I am not sure, I'm not very familiar with apparmor. As a workaround I currently run aa-teardown and then uninstall the apparmor package. That would prevent anything from ever getting enabled again. Note that snapd has a hard dependency on apparmor so it would be uninstalled as well, not sure if that's acceptable for the base images.
@DaanDeMeyer hmm, from what I've read in the docs aa-teardown is indeed needed to unload apparmor profiles but it seems if only you do not need / want to reboot your system while we can just reboot. I'm gonna run more tests to see if disabling on systemd's side + reboot does the trick.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
mikhailkoliada
force-pushed
the
ubuntu_disable_apparmor
branch
from
Description
Strictly speaking we do not need any means of 3rd party hardening on runners (selinux/apparmor) so lets just disable it so it does not change system's behaviour.
Related issue: #10015
Check list