Forum: >>> Magnum BBS <<<

Bug#1108918: apparmor complains "too many states" on start, hanging boo

From Athanasius@21:1/5 to All on Mon Jul 7 21:40:01 2025

Package: apparmor
Version: 4.1.0-1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
* What exactly did you do (or not do) that was effective (or
ineffective)?
* What was the outcome of this action?
* What outcome did you expect instead?

*** End of the template - remove these template lines ***
I just upgraded this system from bookworm to trixie. Upon rebooting apparmor.service takes 1m25s to clear, with the following logged once
boot completes:

Jul 07 16:52:33 emilia apparmor.systemd[1394]: Too many states (113602) for type state_t
Jul 07 16:52:33 emilia apparmor.systemd[1281]: Error: At least one profile failed to load

I can't find any reference to that 'Too many states' message on either DuckDuckGo or Google.
This is mostly using my own compiled, .deb packaged, kernel, currently
using 6.12.36 sources, *but* there's no change in the behaviour using 6.12.33+deb13-amd64 from trixie.
There was no such problem under bookworm.

Is there some kernel, or otherwise, tunable that needs increasing? Or
do I have some profile that is blowing things up ? `aa-status` shows
plenty of profiles loaded, with various processes in various enforce/complain/etc modes.

The `Kernel taint flags: TAINT_OOT_MODULE` below is due to the nvidia
binary GPU modules.

-- System Information:
Debian Release: 13.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.36-athan (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii debconf [debconf-2.0] 1.5.91
ii libc6 2.41-9

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn apparmor-profiles-extra <none>
ii apparmor-utils 4.1.0-1

-- Configuration Files:
/etc/apparmor.d/tunables/home.d/site.local changed:
@{HOMEDIRS}+=/home/users/

-- debconf information:
* apparmor/homedirs: /home/users/

--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From intrigeri@21:1/5 to All on Tue Jul 8 10:50:02 2025

Control: tag -1 + moreinfo

Hi Athanasius,

Athanasius (2025-07-07):

Jul 07 16:52:33 emilia apparmor.systemd[1394]: Too many states (113602) for type state_t
Jul 07 16:52:33 emilia apparmor.systemd[1281]: Error: At least one profile failed to load

This seems to come from: https://sources.debian.org/src/apparmor/4.1.0-1/parser/libapparmor_re/chfa.cc/?hl=418#L418

I'm wondering if 1 specific profile is causing this, or if the
accumulation of all profiles caused it. To debug this you could:

1. Unload all profiles: run aa-teardown

2. Load profiles 1 after the other using apparmor_parser

But if you've installed extra 3rd-party profiles yourselves, a quicker
next step could be to remove them and try to reproduce the bug.

Cheers,
--
intrigeri

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Athanasius@21:1/5 to intrigeri on Tue Jul 8 14:10:01 2025

On Tue, Jul 08, 2025 at 10:47:37AM +0200, intrigeri wrote:

Control: tag -1 + moreinfo

Hi Athanasius,

Athanasius (2025-07-07):

Jul 07 16:52:33 emilia apparmor.systemd[1394]: Too many states (113602) for type state_t
Jul 07 16:52:33 emilia apparmor.systemd[1281]: Error: At least one profile failed to load

This seems to come from: https://sources.debian.org/src/apparmor/4.1.0-1/parser/libapparmor_re/chfa.cc/?hl=418#L418

I'm wondering if 1 specific profile is causing this, or if the
accumulation of all profiles caused it. To debug this you could:

1. Unload all profiles: run aa-teardown

2. Load profiles 1 after the other using apparmor_parser

But if you've installed extra 3rd-party profiles yourselves, a quicker
next step could be to remove them and try to reproduce the bug.

Thanks for your response. I'll reboot with apparmor actually enabled
this afternoon and see if I can track down a specific profile that, or the accumulated point at which, it breaks.

For now, here's the output of:

$ cd /etc
$ find apparmor.d -type f -exec dpkg -S /etc/{} \; 2>&1 | sort

As you'll see, I *do* have some third-party things installed that have profiles, I've not checked if they supplied them or if Debian's apparmor helpfully provided such "just in case". "Discord" is a definite
example. I also have both the Debian LibreOffice *and* the very latest
from upstream installed (the latter installs into /opt, but is via .deb
files so might be placing profiles in /etc/apparmor.d).
Yes, I'm wondering why I still have those `kernel-5.4-*` files....

--------------------------------------------------------------------------- apparmor: /etc/apparmor.d/1password
apparmor: /etc/apparmor.d/Discord
apparmor: /etc/apparmor.d/MongoDB_Compass
apparmor: /etc/apparmor.d/QtWebEngineProcess
apparmor: /etc/apparmor.d/Xorg
apparmor: /etc/apparmor.d/abi/3.0
apparmor: /etc/apparmor.d/abi/4.0
apparmor: /etc/apparmor.d/abi/kernel-5.4-outoftree-network
apparmor: /etc/apparmor.d/abi/kernel-5.4-vanilla
apparmor: /etc/apparmor.d/abstractions/X
apparmor: /etc/apparmor.d/abstractions/apache2-common
apparmor: /etc/apparmor.d/abstractions/apparmor_api/change_profile
apparmor: /etc/apparmor.d/abstractions/apparmor_api/examine
apparmor: /etc/apparmor.d/abstractions/apparmor_api/find_mountpoint
apparmor: /etc/apparmor.d/abstractions/apparmor_api/introspect
apparmor: /etc/apparmor.d/abstractions/apparmor_api/is_enabled
apparmor: /etc/apparmor.d/abstractions/aspell
apparmor: /etc/apparmor.d/abstractions/audio
apparmor: /etc/apparmor.d/abstractions/authentication
apparmor: /etc/apparmor.d/abstractions/base
apparmor: /etc/apparmor.d/abstractions/bash
apparmor: /etc/apparmor.d/abstractions/consoles
apparmor: /etc/apparmor.d/abstractions/crypto
apparmor: /etc/apparmor.d/abstractions/cups-client
apparmor: /etc/apparmor.d/abstractions/dbus
apparmor: /etc/apparmor.d/abstractions/dbus-accessibility
apparmor: /etc/apparmor.d/abstractions/dbus-accessibility-strict
apparmor: /etc/apparmor.d/abstractions/dbus-network-manager-strict
apparmor: /etc/apparmor.d/abstractions/dbus-session
apparmor: /etc/apparmor.d/abstractions/dbus-session-strict
apparmor: /etc/apparmor.d/abstractions/dbus-strict
apparmor: /etc/apparmor.d/abstractions/dconf
apparmor: /etc/apparmor.d/abstractions/devices-usb
apparmor: /etc/apparmor.d/abstractions/devices-usb-read
apparmor: /etc/apparmor.d/abstractions/dovecot-common
apparmor: /etc/apparmor.d/abstractions/dri-common
apparmor: /etc/apparmor.d/abstractions/dri-enumerate
apparmor: /etc/apparmor.d/abstractions/enchant
apparmor: /etc/apparmor.d/abstractions/exo-open
apparmor: /etc/apparmor.d/abstractions/fcitx
apparmor: /etc/apparmor.d/abstractions/fcitx-strict
apparmor: /etc/apparmor.d/abstractions/fonts
apparmor: /etc/apparmor.d/abstractions/freedesktop.org
apparmor: /etc/apparmor.d/abstractions/gio-open
apparmor: /etc/apparmor.d/abstractions/gnome
apparmor: /etc/apparmor.d/abstractions/gnupg
apparmor: /etc/apparmor.d/abstractions/groff
apparmor: /etc/apparmor.d/abstractions/gtk
apparmor: /etc/apparmor.d/abstractions/gvfs-open
apparmor: /etc/apparmor.d/abstractions/hosts_access
apparmor: /etc/apparmor.d/abstractions/ibus
apparmor: /etc/apparmor.d/abstractions/kde
apparmor: /etc/apparmor.d/abstractions/kde-globals-write
apparmor: /etc/apparmor.d/abstractions/kde-icon-cache-write
apparmor: /etc/apparmor.d/abstractions/kde-language-write
apparmor: /etc/apparmor.d/abstractions/kde-open5
apparmor: /etc/apparmor.d/abstractions/kerberosclient
apparmor: /etc/apparmor.d/abstractions/ldapclient
apparmor: /etc/apparmor.d/abstractions/libpam-systemd
apparmor: /etc/apparmor.d/abstractions/likewise
apparmor: /etc/apparmor.d/abstractions/mdns
apparmor: /etc/apparmor.d/abstractions/mesa
apparmor: /etc/apparmor.d/abstractions/mir
apparmor: /etc/apparmor.d/abstractions/mozc
apparmor: /etc/apparmor.d/abstractions/mysql
apparmor: /etc/apparmor.d/abstractions/nameservice
apparmor: /etc/apparmor.d/abstractions/nameservice-strict
apparmor: /etc/apparmor.d/abstractions/nis
apparmor: /etc/apparmor.d/abstractions/nss-systemd
apparmor: /etc/apparmor.d/abstractions/nvidia
apparmor: /etc/apparmor.d/abstractions/opencl
apparmor: /etc/apparmor.d/abstractions/opencl-common
apparmor: /etc/apparmor.d/abstractions/opencl-intel
apparmor: /etc/apparmor.d/abstractions/opencl-mesa
apparmor: /etc/apparmor.d/abstractions/opencl-nvidia
apparmor: /etc/apparmor.d/abstractions/opencl-pocl
apparmor: /etc/apparmor.d/abstractions/openssl
apparmor: /etc/apparmor.d/abstractions/orbit2
apparmor: /etc/apparmor.d/abstractions/p11-kit
apparmor: /etc/apparmor.d/abstractions/perl
apparmor: /etc/apparmor.d/abstractions/php
apparmor: /etc/apparmor.d/abstractions/php-worker
apparmor: /etc/apparmor.d/abstractions/php5
apparmor: /etc/apparmor.d/abstractions/postfix-common
apparmor: /etc/apparmor.d/abstractions/private-files
apparmor: /etc/apparmor.d/abstractions/private-files-strict
apparmor: /etc/apparmor.d/abstractions/python
apparmor: /etc/apparmor.d/abstractions/qt5
apparmor: /etc/apparmor.d/abstractions/qt5-compose-cache-write
apparmor: /etc/apparmor.d/abstractions/qt5-settings-write
apparmor: /etc/apparmor.d/abstractions/qt6
apparmor: /etc/apparmor.d/abstractions/qt6-compose-cache-write
apparmor: /etc/apparmor.d/abstractions/qt6-settings-write
apparmor: /etc/apparmor.d/abstractions/recent-documents-write
apparmor: /etc/apparmor.d/abstractions/ruby
apparmor: /etc/apparmor.d/abstractions/samba
apparmor: /etc/apparmor.d/abstractions/samba-rpcd
apparmor: /etc/apparmor.d/abstractions/smbpass
apparmor: /etc/apparmor.d/abstractions/snap_browsers
apparmor: /etc/apparmor.d/abstractions/ssl_certs
apparmor: /etc/apparmor.d/abstractions/ssl_keys
apparmor: /etc/apparmor.d/abstractions/svn-repositories
apparmor: /etc/apparmor.d/abstractions/terminfo
apparmor: /etc/apparmor.d/abstractions/transmission-common
apparmor: /etc/apparmor.d/abstractions/trash
apparmor: /etc/apparmor.d/abstractions/ubuntu-bittorrent-clients
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/java
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/kde
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/mailto
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul apparmor: /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files
apparmor: /etc/apparmor.d/abstractions/ubuntu-console-browsers
apparmor: /etc/apparmor.d/abstractions/ubuntu-console-email
apparmor: /etc/apparmor.d/abstractions/ubuntu-email
apparmor: /etc/apparmor.d/abstractions/ubuntu-feed-readers
apparmor: /etc/apparmor.d/abstractions/ubuntu-gnome-terminal
apparmor: /etc/apparmor.d/abstractions/ubuntu-helpers
apparmor: /etc/apparmor.d/abstractions/ubuntu-konsole
apparmor: /etc/apparmor.d/abstractions/ubuntu-media-players
apparmor: /etc/apparmor.d/abstractions/ubuntu-unity7-base
apparmor: /etc/apparmor.d/abstractions/ubuntu-unity7-launcher
apparmor: /etc/apparmor.d/abstractions/ubuntu-unity7-messaging
apparmor: /etc/apparmor.d/abstractions/ubuntu-xterm
apparmor: /etc/apparmor.d/abstractions/user-download
apparmor: /etc/apparmor.d/abstractions/user-mail
apparmor: /etc/apparmor.d/abstractions/user-manpages
apparmor: /etc/apparmor.d/abstractions/user-tmp
apparmor: /etc/apparmor.d/abstractions/user-write
apparmor: /etc/apparmor.d/abstractions/video
apparmor: /etc/apparmor.d/abstractions/vulkan
apparmor: /etc/apparmor.d/abstractions/wayland
apparmor: /etc/apparmor.d/abstractions/web-data
apparmor: /etc/apparmor.d/abstractions/winbind
apparmor: /etc/apparmor.d/abstractions/wutmp
apparmor: /etc/apparmor.d/abstractions/xad
apparmor: /etc/apparmor.d/abstractions/xdg-desktop
apparmor: /etc/apparmor.d/abstractions/xdg-open
apparmor: /etc/apparmor.d/balena-etcher
apparmor: /etc/apparmor.d/brave
apparmor: /etc/apparmor.d/buildah
apparmor: /etc/apparmor.d/busybox
apparmor: /etc/apparmor.d/cam
apparmor: /etc/apparmor.d/ch-checkns
apparmor: /etc/apparmor.d/ch-run
apparmor: /etc/apparmor.d/chrome
apparmor: /etc/apparmor.d/chromium
apparmor: /etc/apparmor.d/code
apparmor: /etc/apparmor.d/crun
apparmor: /etc/apparmor.d/devhelp
apparmor: /etc/apparmor.d/element-desktop
apparmor: /etc/apparmor.d/epiphany
apparmor: /etc/apparmor.d/evolution
apparmor: /etc/apparmor.d/firefox
apparmor: /etc/apparmor.d/flatpak
apparmor: /etc/apparmor.d/foliate
apparmor: /etc/apparmor.d/geary
apparmor: /etc/apparmor.d/github-desktop
apparmor: /etc/apparmor.d/goldendict
apparmor: /etc/apparmor.d/ipa_verify
apparmor: /etc/apparmor.d/kchmviewer
apparmor: /etc/apparmor.d/keybase
apparmor: /etc/apparmor.d/lc-compliance
apparmor: /etc/apparmor.d/libcamerify
apparmor: /etc/apparmor.d/linux-sandbox
apparmor: /etc/apparmor.d/local/README
apparmor: /etc/apparmor.d/loupe
apparmor: /etc/apparmor.d/lsb_release
apparmor: /etc/apparmor.d/lxc-attach
apparmor: /etc/apparmor.d/lxc-create
apparmor: /etc/apparmor.d/lxc-destroy
apparmor: /etc/apparmor.d/lxc-execute
apparmor: /etc/apparmor.d/lxc-stop
apparmor: /etc/apparmor.d/lxc-unshare
apparmor: /etc/apparmor.d/lxc-usernsexec
apparmor: /etc/apparmor.d/mmdebstrap
apparmor: /etc/apparmor.d/msedge
apparmor: /etc/apparmor.d/nautilus
apparmor: /etc/apparmor.d/notepadqq
apparmor: /etc/apparmor.d/nvidia_modprobe
apparmor: /etc/apparmor.d/obsidian
apparmor: /etc/apparmor.d/opam
apparmor: /etc/apparmor.d/opera
apparmor: /etc/apparmor.d/pageedit
apparmor: /etc/apparmor.d/plasmashell
apparmor: /etc/apparmor.d/polypane
apparmor: /etc/apparmor.d/privacybrowser
apparmor: /etc/apparmor.d/qcam
apparmor: /etc/apparmor.d/qmapshack
apparmor: /etc/apparmor.d/qutebrowser
apparmor: /etc/apparmor.d/rootlesskit
apparmor: /etc/apparmor.d/rpm
apparmor: /etc/apparmor.d/rssguard
apparmor: /etc/apparmor.d/runc
apparmor: /etc/apparmor.d/sbuild
apparmor: /etc/apparmor.d/sbuild-abort
apparmor: /etc/apparmor.d/sbuild-adduser
apparmor: /etc/apparmor.d/sbuild-apt
apparmor: /etc/apparmor.d/sbuild-checkpackages
apparmor: /etc/apparmor.d/sbuild-clean
apparmor: /etc/apparmor.d/sbuild-createchroot
apparmor: /etc/apparmor.d/sbuild-destroychroot
apparmor: /etc/apparmor.d/sbuild-distupgrade
apparmor: /etc/apparmor.d/sbuild-hold
apparmor: /etc/apparmor.d/sbuild-shell
apparmor: /etc/apparmor.d/sbuild-unhold
apparmor: /etc/apparmor.d/sbuild-update
apparmor: /etc/apparmor.d/sbuild-upgrade
apparmor: /etc/apparmor.d/scide
apparmor: /etc/apparmor.d/signal-desktop
apparmor: /etc/apparmor.d/slack
apparmor: /etc/apparmor.d/slirp4netns
apparmor: /etc/apparmor.d/steam
apparmor: /etc/apparmor.d/stress-ng
apparmor: /etc/apparmor.d/surfshark
apparmor: /etc/apparmor.d/systemd-coredump
apparmor: /etc/apparmor.d/toybox
apparmor: /etc/apparmor.d/transmission
apparmor: /etc/apparmor.d/trinity
apparmor: /etc/apparmor.d/tunables/alias
apparmor: /etc/apparmor.d/tunables/apparmorfs
apparmor: /etc/apparmor.d/tunables/dovecot
apparmor: /etc/apparmor.d/tunables/etc
apparmor: /etc/apparmor.d/tunables/global
apparmor: /etc/apparmor.d/tunables/home
apparmor: /etc/apparmor.d/tunables/home.d/site.local
apparmor: /etc/apparmor.d/tunables/kernelvars
apparmor: /etc/apparmor.d/tunables/multiarch
apparmor: /etc/apparmor.d/tunables/multiarch.d/site.local
apparmor: /etc/apparmor.d/tunables/proc
apparmor: /etc/apparmor.d/tunables/run
apparmor: /etc/apparmor.d/tunables/securityfs
apparmor: /etc/apparmor.d/tunables/share
apparmor: /etc/apparmor.d/tunables/sys
apparmor: /etc/apparmor.d/tunables/system
apparmor: /etc/apparmor.d/tunables/xdg-user-dirs
apparmor: /etc/apparmor.d/tup
apparmor: /etc/apparmor.d/tuxedo-control-center
apparmor: /etc/apparmor.d/unix-chkpwd
apparmor: /etc/apparmor.d/unprivileged_userns
apparmor: /etc/apparmor.d/userbindmount
apparmor: /etc/apparmor.d/uwsgi-core
apparmor: /etc/apparmor.d/vdens
apparmor: /etc/apparmor.d/virtiofsd
apparmor: /etc/apparmor.d/vivaldi-bin
apparmor: /etc/apparmor.d/vpnns
apparmor: /etc/apparmor.d/wike
apparmor: /etc/apparmor.d/wpcom
cups-browsed: /etc/apparmor.d/usr.sbin.cups-browsed
cups-daemon: /etc/apparmor.d/usr.sbin.cupsd
dpkg-query: no path found matching pattern /etc/apparmor.d/local/lsb_release dpkg-query: no path found matching pattern /etc/apparmor.d/local/nvidia_modprobe
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.bin.evince dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.bin.man dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.bin.tcpdump
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.bin.thunderbird
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.lib.libreoffice.program.oosplash
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.lib.libreoffice.program.senddoc
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.lib.libreoffice.program.soffice.bin
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.lib.libreoffice.program.xpdfimport
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.libexec.geoclue
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.sbin.cups-browsed
dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.sbin.cupsd dpkg-query: no path found matching pattern /etc/apparmor.d/local/usr.sbin.ntpd dpkg-query: no path found matching pattern /etc/apparmor.d/samba/smbd-shares dpkg-query: no path found matching pattern /etc/apparmor.d/tunables/home.d/ubuntu
dpkg-query: no path found matching pattern /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
evince: /etc/apparmor.d/abstractions/evince
evince: /etc/apparmor.d/usr.bin.evince
geoclue-2.0: /etc/apparmor.d/usr.libexec.geoclue
libreoffice-common: /etc/apparmor.d/usr.lib.libreoffice.program.oosplash libreoffice-common: /etc/apparmor.d/usr.lib.libreoffice.program.senddoc libreoffice-common: /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin libreoffice-common: /etc/apparmor.d/usr.lib.libreoffice.program.xpdfimport lightdm: /etc/apparmor.d/abstractions/lightdm
lightdm: /etc/apparmor.d/abstractions/lightdm_chromium-browser
lightdm: /etc/apparmor.d/lightdm-guest-session
man-db: /etc/apparmor.d/usr.bin.man
ntpsec: /etc/apparmor.d/tunables/ntpd
ntpsec: /etc/apparmor.d/usr.sbin.ntpd
tcpdump: /etc/apparmor.d/usr.bin.tcpdump
thunderbird: /etc/apparmor.d/usr.bin.thunderbird ---------------------------------------------------------------------------
--
- Athanasius (he/him) = Athanasius(at)miggy.org / https://miggy.org/
GPG/PGP Key: https://miggy.org/gpg-key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Athanasius@21:1/5 to Athanasius on Tue Jul 8 14:40:01 2025

On Tue, Jul 08, 2025 at 12:44:25PM +0100, Athanasius wrote:

On Tue, Jul 08, 2025 at 10:47:37AM +0200, intrigeri wrote:

Control: tag -1 + moreinfo

Hi Athanasius,

Athanasius (2025-07-07):

Jul 07 16:52:33 emilia apparmor.systemd[1394]: Too many states (113602) for type state_t
Jul 07 16:52:33 emilia apparmor.systemd[1281]: Error: At least one profile failed to load

This seems to come from: https://sources.debian.org/src/apparmor/4.1.0-1/parser/libapparmor_re/chfa.cc/?hl=418#L418

I'm wondering if 1 specific profile is causing this, or if the
accumulation of all profiles caused it. To debug this you could:

1. Unload all profiles: run aa-teardown

2. Load profiles 1 after the other using apparmor_parser

But if you've installed extra 3rd-party profiles yourselves, a quicker
next step could be to remove them and try to reproduce the bug.

Thanks for your response. I'll reboot with apparmor actually enabled
this afternoon and see if I can track down a specific profile that, or the accumulated point at which, it breaks.

example. I also have both the Debian LibreOffice *and* the very latest
from upstream installed (the latter installs into /opt, but is via .deb
files so might be placing profiles in /etc/apparmor.d).

So, I decided to clean that up, by removing the Debian LibreOffice
packages. That results in *no* apparmor profiles for the suite at all:

root@emilia:~;
13:28:13 0$ cd /etc/apparmor.d
root@emilia:/etc/apparmor.d;
13:29:31 0$ find . -name \*libreoffice\*
root@emilia:/etc/apparmor.d;
13:29:32 0$

And on next boot without `apparmor=0` the problem did not manifest.

So, this is either a problem specific to the libreoffice apparmor
profiles, or them pushing it over some limit.

I do still have the upstream packages for LibreOffice 25.2.4.3, but
they don't appear to provide any apparmor profiles. Running:

for i in * ; do echo $i: ; dpkg-deb --contents $i ; done | less

where I downloaded and unpacked the .deb files confirms this. So, this
wasn't a doubling up (would have been with different file paths) of
libreoffice rules.

Whether this is an overall limit or per profile, I'm curious if that
would be specific to apparmor, or in some kernel subsystem it uses,
e.g. possibly BPF (guess from my position of ignorance), and maybe
tunable ?

--
- Athanasius (he/him) = Athanasius(at)miggy.org / https://miggy.org/
GPG/PGP Key: https://miggy.org/gpg-key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Yokzimo
  Tue Jun 9 17:10:05 2026
  from Sw via Telnet
- Regen
  Tue Jun 9 16:45:02 2026
  from Brooklyn, Ny via Telnet
- Bob Worm
  Tue Jun 9 14:47:58 2026
  from Wales, Uk via Telnet
- Krenn
  Tue Jun 9 11:18:15 2026
  from Sydney, Nsw via Telnet
- Bob Worm
  Tue Jun 9 10:31:07 2026
  from Wales, Uk via Telnet
- Centurion
  Mon Jun 8 23:30:43 2026
  from Berea, Ohio via Telnet
- Centurion
  Mon Jun 8 21:33:11 2026
  from Berea, Ohio via Telnet
- Bob Worm
  Mon Jun 8 20:15:00 2026
  from Wales, Uk via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	716
Nodes:	16 (2 / 14)
Uptime:	51:23:48
Calls:	12,115
Calls today:	6
Files:	15,010
Messages:	6,518,566
Posted today:	1

Bug#1108918: apparmor complains "too many states" on start, hanging boo

Who's Online

Recent Visitors

System Info