So I own a Microsoft Surface Go that I installed Ubuntu on, for so many reasons. Anyhow, to make a lot of the parts of the tablet work with Ubuntu, I installed a custom kernel from the Linux-Surface repository, especially for the touch screen and better performance in general.
Anyhow, for some reason the other day it got stuck in a boot loop. It tries to start but you only see the animation going around and around. A quick check, pressing a cursor key on a connected physical keyboard, shows that the apparmor service has been trying to start for a long time, and it will wait indefinitely until it starts or the battery dies.
AppArmor is quite an important part of Ubuntu: it controls which application has access to which files on the system. This is similar to what a firewall does with the network, but internally. It is a great tool to protect against ransomware attacks, for example, by not allowing an application to access other parts of the system. So you really want it to start as soon as possible, and not start other parts of the system until it’s functional. That rules out disabling it, uninstalling it, putting a timeout on the service or similar solutions. We have to fix it properly.
It is worth mentioning that the system booted fine with an older version of the kernel (5.19.0), but newer versions (6.x) didn’t boot; I tried a few (6.2.2 was the last one available today, and also 6.0.9). This was weird since apparmor is not part of the kernel, and it’s still puzzling me.
So, booted from a version 5 kernel, I looked at the journal of the apparmor service with the command:
journalctl -u apparmor.service
I went to the end of the journal by pressing capital G on the keyboard, and checked the last errors. Obviously the last boot with kernel 5.x didn’t have errors, but the previous ones with kernel 6.x had some. The only way to know if the errors happened with one or the other kernel is to know that the time shown in the journal corresponds to a moment you booted with that specific kernel.
In my case one error was:
Error: Could not replace profile /var/cache/apparmor/8eeb6286.0/usr.lib.quake4.quake4.x86: No such file or directory
You might wonder if I play Quake4 on the Surface Go, and no, I don’t, but I installed gnome-games and probably this is one of them. I used to play it, but I moved on, and the tablet is probably not my preferred computer to play it on.
Since I don’t need to play the game or break it, I tried to disable this apparmor profile or set of rules, by moving the file to the disable folder:
mv /etc/apparmor.d/usr.lib.quake4.quake4.x86 /etc/apparmor.d/disable/
And surprisingly, as simple as that, the tablet booted with kernel 6.2.2 without problems. It probably needs a better fix in the apparmor profile for Quake4, but I have no intention of using it any time soon. That’s a problem for future me.
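Added example, not part of the original post: a shell script that pulls the failing profile names out of the apparmor.service journal and reports whether each one is active or already in the disable folder. The function names and the sample journal lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `journalctl -u apparmor.service` text on stdin and prints each
# profile named in a "Could not replace profile" error, once.
failed_profiles() {
    sed -n 's|.*Could not replace profile \([^ :]*\):.*|\1|p' \
        | sed 's|.*/||' \
        | sort -u
}

# Reports whether profile $2 under AppArmor config dir $1 is active,
# disabled (an entry with its name exists in disable/) or missing.
profile_state() {
    if [ -e "$1/disable/$2" ] || [ -L "$1/disable/$2" ]; then
        echo disabled
    elif [ -e "$1/$2" ]; then
        echo active
    else
        echo missing
    fi
}

# Constructed sample: host name, timestamps and the process tag are
# invented; the error text is the one quoted in the post.
SAMPLE_JOURNAL='Mar 04 21:40:12 surface systemd[1]: Starting Load AppArmor profiles...
Mar 04 21:40:13 surface apparmor.systemd[611]: Error: Could not replace profile /var/cache/apparmor/8eeb6286.0/usr.lib.quake4.quake4.x86: No such file or directory
Mar 05 08:02:47 surface apparmor.systemd[598]: Error: Could not replace profile /var/cache/apparmor/8eeb6286.0/usr.lib.quake4.quake4.x86: No such file or directory
Mar 05 08:31:05 surface systemd[1]: Finished Load AppArmor profiles.'

# On a live system, replace the printf with:
#   journalctl -u apparmor.service --no-pager
# (adding -b -1 limits the output to the previous boot).
printf '%s\n' "$SAMPLE_JOURNAL" | failed_profiles | while read -r name; do
    printf '%s: %s\n' "$name" "$(profile_state /etc/apparmor.d "$name")"
done
```

A profile reported as active here is still being loaded at boot; one reported as disabled has an entry in /etc/apparmor.d/disable/, as after the mv above.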
I thought this was not worth creating an issue in the Linux-Surface repository; it might not be an issue with the kernel but an issue with the apparmor profile. And it seemed like nobody else had the problem before, looking at the open and closed issues.
So I wrote this down in case someone has a similar problem and finds this article.