[pkg-apparmor] Bug#1121917: apparmor: Kernel version out of sync / doesn't conform to protocol

C. W. cw at aon.at
Mon Feb 9 16:47:29 GMT 2026


Package: apparmor
Version: 4.1.3-1
Followup-For: Bug #1121917
X-Debbugs-Cc: cw at aon.at

Hello,

First, I'm very sorry for reacting slowly, and thank you for your responses. (I
didn't notice them until this weekend, for some reason.)

To make it short, good news: The bug still exists with the latest sid packages,
but Mr. Johansen's upstream commits/merges over the last few weeks fix it. As
there is a v5.0.0-alpha6 around, probably we'll see a new release soon, and
putting that into sid will resolve everything.

As I found some time on the weekend to narrow it down, just to notice the fix
later: For the record, the actual main bug was in userland apparmor_parser, but
happens only if the kernel apparmorfs exposes
/sys/kernel/security/apparmor/features/policy/permstable32_version > 1, which
happens with kernel commit 2e12c5f060176ede209673e4f63ea5d0e3c5814c. Current
stable kernel doesn't do this yet. If this is the case, the parser compiles
some types of rulesets wrong, in a way that makes the kernel checks on importing
fail (in policy_unpack.c, function unpack_perms_table, the AA_ARRAYEND part). I
can upload some example file if someone still wants one, but as mentioned,
there's a fix already.

Have a nice day everyone,



-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.18.8+deb14-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  libc6                  2.42-11+b1

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           4.1.3-1

-- Configuration Files:
/etc/apparmor.d/firefox changed [not included]
/etc/apparmor.d/tunables/home changed [not included]

-- debconf information excluded
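
Added example, not part of the original message or of the AppArmor project: a POSIX shell function that checks the kernel-side condition named in the message (`permstable32_version` > 1 under the apparmorfs features directory). The function name, its return codes, and the assumption that the file holds a single decimal or `0x`-prefixed hex integer belong to this example; the optional argument points it at another features directory for testing.

```shell
#!/bin/sh
# Added example (not from the bug report). Checks only the kernel-side
# condition; it says nothing about whether apparmor_parser has the fix.
# Assumption: the file holds one integer, decimal or 0x-prefixed hex.

AA_FEATURES_DEFAULT=/sys/kernel/security/apparmor/features

# permstable32_status [features_dir]
#   prints "triggering"     and returns 1 if permstable32_version > 1
#   prints "not-triggering" and returns 0 if permstable32_version <= 1
#   prints "unknown"        and returns 2 if the file is missing or malformed
permstable32_status() {
    pt_file=${1:-$AA_FEATURES_DEFAULT}/policy/permstable32_version
    if [ ! -r "$pt_file" ]; then
        echo unknown
        return 2
    fi
    pt_raw=$(tr -d '[:space:]' < "$pt_file")
    case $pt_raw in
        0[xX]*)
            pt_hex=${pt_raw#0[xX]}
            case $pt_hex in
                ''|*[!0-9a-fA-F]*) echo unknown; return 2 ;;
            esac
            pt_val=$((0x$pt_hex))
            ;;
        ''|*[!0-9]*)
            echo unknown
            return 2
            ;;
        *)
            # Strip leading zeros so the shell does not read the value as octal.
            pt_val=$(printf '%s' "$pt_raw" | sed 's/^0*//')
            pt_val=${pt_val:-0}
            ;;
    esac
    if [ "$pt_val" -gt 1 ]; then
        echo triggering
        return 1
    fi
    echo not-triggering
    return 0
}
```

After sourcing the file, run `permstable32_status` with no argument to query the live apparmorfs mount; "unknown" covers both an unmounted securityfs and a kernel that does not expose the file.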


