[pkg-apparmor] Bug#1108918: Bug#1108918: apparmor complains "too many states" on start, hanging boot for 1m25s

Athanasius debian at miggy.org
Tue Jul 8 13:37:33 BST 2025 

On Tue, Jul 08, 2025 at 12:44:25PM +0100, Athanasius wrote:
> On Tue, Jul 08, 2025 at 10:47:37AM +0200, intrigeri wrote:
> > Control: tag -1 + moreinfo
> > 
> > Hi Athanasius,
> > 
> > Athanasius (2025-07-07):
> > > Jul 07 16:52:33 emilia apparmor.systemd[1394]: Too many states (113602) for type state_t
> > > Jul 07 16:52:33 emilia apparmor.systemd[1281]: Error: At least one profile failed to load
> > 
> > This seems to come from:
> > https://sources.debian.org/src/apparmor/4.1.0-1/parser/libapparmor_re/chfa.cc/?hl=418#L418
> > 
> > I'm wondering if 1 specific profile is causing this, or if the
> > accumulation of all profiles caused it. To debug this you could:
> > 
> > 1. Unload all profiles: run aa-teardown
> > 
> > 2. Load profiles 1 after the other using apparmor_parser
> > 
> > But if you've installed extra 3rd-party profiles yourselves, a quicker
> > next step could be to remove them and try to reproduce the bug.
> 
>   Thanks for your response.  I'll reboot with apparmor actually enabled
> this afternoon and see if I can track down a specific profile that, or the
> accumulated point at which, it breaks.
> 
> example.  I also have both the Debian LibreOffice *and* the very latest
> from upstream installed (the latter installs into /opt, but is via .deb
> files so might be placing profiles in /etc/apparmor.d).

  So, I decided to clean that up, by removing the Debian LibreOffice
packages.  That results in *no* apparmor profiles for the suite at all:

root at emilia:~;
13:28:13 0$ cd /etc/apparmor.d
root at emilia:/etc/apparmor.d;
13:29:31 0$ find . -name \*libreoffice\*
root at emilia:/etc/apparmor.d;
13:29:32 0$ 

And on next boot without `apparmor=0` the problem did not manifest.

  So, this is either a problem specific to the libreoffice apparmor
profiles, or them pushing it over some limit.

  I do still have the upstream packages for LibreOffice 25.2.4.3, but
they don't appear to provide any apparmor profiles.  Running:

	for i in * ; do echo $i: ; dpkg-deb --contents $i ; done | less

where I downloaded and unpacked the .deb files confirms this.  So, this
wasn't a doubling up (would have been with different file paths) of
libreoffice rules.

  Whether this is an overall limit or per profile, I'm curious if that
would be specific to apparmor, or in some kernel subsystem it uses,
e.g. possibly BPF (guess from my position of ignorance), and maybe
tunable ?

-- 
- Athanasius (he/him) = Athanasius(at)miggy.org / https://miggy.org/
                  GPG/PGP Key: https://miggy.org/gpg-key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

More information about the pkg-apparmor-team mailing list