[debian-mysql] Bug#1130272: Bug#1130272: Bug#1130272: mariadb-server: mariadbd AppArmor profile denies MTR accesses in enforce mode
Otto Kekäläinen
otto at debian.org
Thu Mar 12 09:20:18 GMT 2026
Hi!
In branch https://salsa.debian.org/otto/mariadb-server/-/commits/feature/autopkgtest-apparmor
I modified the autopkgtest to run the full test suite, and at the end
of it print out all AppArmor messages. After uploading that to a PPA
and triggering autopkgtest on Ubuntu/Launchpad I got
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute-mysql-ubuntu-mariadb/resolute/amd64/m/mariadb/20260312_062925_75a14@/log.gz
We can see that this is the state of AppArmor on those
Ubuntu/Launchpad autopkgtest runners and these are the warnings that
get issued by merely having the profile in 'complain' mode and
starting MariaDB:
4394s === AppArmor profile status ===
4394s who
4394s znc
4394s 3 profiles are in complain mode.
4394s Xorg
4394s Xorg_wrap
4394s mariadbd
4394s 0 profiles are in prompt mode.
4394s 0 profiles are in kill mode.
4394s 74 profiles are in unconfined mode.
4394s 1password
4394s Discord
4394s --
4394s 3 processes are in enforce mode.
4394s /usr/sbin/chronyd (882)
4394s /usr/sbin/chronyd (889)
4394s /usr/sbin/rsyslogd (885) rsyslogd
4394s 1 processes are in complain mode.
4394s /usr/sbin/mariadbd (2271) mariadbd
4394s 0 processes are in prompt mode.
4394s 0 processes are in kill mode.
4394s 0 processes are unconfined but have a profile defined.
4394s 0 processes are in mixed mode.
4394s === AppArmor denials ===
4394s [ 48.367999] audit: type=1400 audit(1773292648.734:178):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="mariadbd" pid=1699 comm="apparmor_parser"
4394s [ 48.406349] audit: type=1400 audit(1773292648.773:179):
apparmor="STATUS" operation="profile_replace" info="same as current
profile, skipping" profile="unconfined" name="mariadbd" pid=1705
comm="apparmor_parser"
4394s [ 48.970980] audit: type=1400 audit(1773292649.337:180):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/sys/block/" pid=1850 comm="mariadbd" requested_mask="r"
denied_mask="r" fsuid=985 ouid=0
4394s [ 48.970997] audit: type=1400 audit(1773292649.337:181):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/sys/block/" pid=1850 comm="mariadbd"
requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 48.971025] audit: type=1400 audit(1773292649.337:182):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/sys/devices/virtual/block/loop1/dev" pid=1850 comm="mariadbd"
requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 48.971031] audit: type=1400 audit(1773292649.337:183):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/sys/devices/virtual/block/loop1/dev"
pid=1850 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=985
ouid=0
4394s [ 48.971047] audit: type=1400 audit(1773292649.337:184):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/sys/devices/virtual/block/loop6/dev" pid=1850 comm="mariadbd"
requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 48.971051] audit: type=1400 audit(1773292649.337:185):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/sys/devices/virtual/block/loop6/dev"
pid=1850 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=985
ouid=0
4394s [ 48.971066] audit: type=1400 audit(1773292649.337:186):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/sys/devices/virtual/block/loop4/dev" pid=1850 comm="mariadbd"
requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 48.971071] audit: type=1400 audit(1773292649.337:187):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/sys/devices/virtual/block/loop4/dev"
pid=1850 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=985
ouid=0
4394s [ 450.351785] audit: type=1400 audit(1773293050.718:199):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/proc/2271/task/2274/comm" pid=2271 comm="mariadbd"
requested_mask="wr" denied_mask="wr" fsuid=985 ouid=985
4394s [ 450.351797] audit: type=1400 audit(1773293050.718:200):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/proc/2271/task/2274/comm" pid=2271
comm="mariadbd" requested_mask="w" denied_mask="w" fsuid=985 ouid=985
4394s [ 450.351842] audit: type=1400 audit(1773293050.718:201):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/proc/2271/task/2275/comm" pid=2271 comm="mariadbd"
requested_mask="wr" denied_mask="wr" fsuid=985 ouid=985
4394s [ 450.351849] audit: type=1400 audit(1773293050.718:202):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/proc/2271/task/2275/comm" pid=2271
comm="mariadbd" requested_mask="w" denied_mask="w" fsuid=985 ouid=985
4394s [ 450.351916] audit: type=1400 audit(1773293050.718:203):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/proc/sys/kernel/random/uuid" pid=2271 comm="mariadbd"
requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 450.351931] audit: type=1400 audit(1773293050.718:204):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/proc/sys/kernel/random/uuid" pid=2271
comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 450.352117] audit: type=1400 audit(1773293050.718:205):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/proc/sys/kernel/random/uuid" pid=2271 comm="mariadbd"
requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 450.352128] audit: type=1400 audit(1773293050.718:206):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/proc/sys/kernel/random/uuid" pid=2271
comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=985 ouid=0
4394s [ 450.373320] audit: type=1400 audit(1773293050.740:207):
apparmor="ALLOWED" operation="open" class="file" profile="mariadbd"
name="/sys/block/" pid=2271 comm="mariadbd" requested_mask="r"
denied_mask="r" fsuid=985 ouid=0
4394s [ 450.373334] audit: type=1400 audit(1773293050.740:208):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="mariadbd" name="/sys/block/" pid=2271 comm="mariadbd"
requested_mask="r" denied_mask="r" fsuid=985 ouid=0
Surprisingly the whole --big-test run passes with zero failures:
8277s Completed: All 5576 tests were successful.
8277s
8277s 1103 tests were skipped, 325 by the test itself.
Of the complaints printed at the end of the log I did a sorted summary
with 'cut -d ' ' -f 11- apparmor-complaints-2026-03-12.txt | sort' and
attached it here in case the link to the full log expires / gets purged.
I am currently testing AppArmor profile extensions on the same branch
linked above, and maybe I can get the test suite to run more than
just 5576 tests to get absolutely maximum coverage.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apparmor-complaints-2026-03-12_column_11_onwards_sorted.txt.xz
Type: application/x-xz
Size: 4444 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-mysql-maint/attachments/20260312/6b12052a/attachment-0001.xz>
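Added example, not part of the original message or of the branch it links: a Python version of the sorted summary described above that rejoins the e-mail-wrapped audit records, skips STATUS lines, and merges the open/file_perm pairs into one entry per path with the permissions requested. The function names and the `<N>` placeholder for numeric path components are assumptions of this example; the sample is abridged and re-wrapped from the records quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the records quoted in the message, with the
# autopkgtest elapsed-time prefix kept and each record wrapped onto two lines.
SAMPLE = """\
4394s [ 48.367999] audit: type=1400 audit(1773292648.734:178): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="mariadbd" pid=1699
4394s [ 48.970980] audit: type=1400 audit(1773292649.337:180): apparmor="ALLOWED"
operation="open" class="file" profile="mariadbd" name="/sys/block/" requested_mask="r"
4394s [ 450.351785] audit: type=1400 audit(1773293050.718:199): apparmor="ALLOWED"
operation="open" class="file" profile="mariadbd" name="/proc/2271/task/2274/comm" requested_mask="wr"
4394s [ 450.351849] audit: type=1400 audit(1773293050.718:202): apparmor="ALLOWED"
operation="file_perm" class="file" profile="mariadbd" name="/proc/2271/task/2275/comm" requested_mask="w"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def records(text):
    """Yield one field dict per audit record, rejoining wrapped lines."""
    joined = []
    for line in text.splitlines():
        # Only real log lines carry the "NNNNs " prefix; others are wrap tails.
        if re.match(r"\d+s ", line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line.strip()
    for line in joined:
        if " audit: " in line:
            yield {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}


def summarize(text, profile="mariadbd"):
    """Map each accessed path to the permission letters requested on it."""
    wanted = defaultdict(set)
    for rec in records(text):
        if rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # STATUS records are profile loads, not accesses
        if rec.get("profile") != profile or rec.get("class", "file") != "file":
            continue
        # Collapse pid/tid components so per-thread paths become one entry.
        path = re.sub(r"(?<=/)\d+(?=/)", "<N>", rec["name"])
        wanted[path] |= set(rec["requested_mask"])
    return {p: "".join(sorted(m)) for p, m in sorted(wanted.items())}


if __name__ == "__main__":
    for path, mask in summarize(SAMPLE).items():
        print(f"{mask:3} {path}")
```

Accepting `DENIED` as well as `ALLOWED` means the same summary works on a log from an enforce-mode run.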