这里的问题有点重叠。我试图在系统范围内禁用 AppArmor。执行此操作后:
sudo systemctl stop apparmor
sudo systemctl disable apparmor
重新启动后,我有:
❯❯ sudo aa-status | egrep '^[0-9]'
48 profiles are loaded.
41 profiles are in enforce mode.
7 profiles are in complain mode.
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
17 processes have profiles defined.
17 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
❯❯ sudo aa-enabled
Yes
❯❯ sudo systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; preset: enabled)
Active: inactive (dead)
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
如果我做了一些违反策略的事情(在我的情况下,创建了一个用户命名空间),我会在内核日志中看到这样的内容,这似乎证实了 AppArmor 是有效的:
[ 942.570952] audit: type=1400 audit(1735492407.323:89): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=6227 comm="python" requested="userns_create" denied="userns_create" target="unprivileged_userns"