I have implemented a patch for this issue, but before submitting it, I
want to understand its origin to determine if other edge cases need to
be addressed.
Do you know which profile created this issue?
Perhaps running sudo grep -r "runbindable*/*" /etc/apparmor.d could help
identify the source of
So, the error was related to passt, not apparmor. This is because it
uses an incorrect rule in abstractions/passt.
By design, rules containing some options, such as runbindable, cannot
include a source.
I just sent the following patch for passt that should solve your issue
https://archives.passt.
@Christian Thank you for pointing this out. After investigation, I found
that this bug stems from the following restriction not being implemented
consistently in aa-* and apparmor_parser.
> $ man 2 mount
>
> If mountflags includes one of MS_SHARED, MS_PRIVATE, MS_SLAVE, or
> MS_UNBINDABLE [..
** Changed in: apparmor (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065685
Title:
aa-logprof fails with 'runbindable' error
To manage notifications a
This bug is fixed by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1345
** Changed in: apparmor
Assignee: (unassigned) => Maxime Bélair (mbelair)
This issue is fixed by 1f33fc9b29c174698fdf0116a4a9f50680ec4fdb; however,
it is not included in the 4.0 branch used by noble. Oracular and Plucky
are not affected by this bug.
To fix that locally, you can either:
- Replace `mount "" -> "/tmp/",` by `mount -> "/tmp/",` (and similarly for
other em
Thank you for reporting this bug.
Indeed, we must give access to `/sys/devices/LNXSYSTM:*/LNXSYBUS:*/**`
to lsblk.
This should be fixed upstream by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1584
Verification completed on oracular kernel linux-intel/6.11.0-1008.8
# lxc launch ubuntu:24.10 test -c security.nesting=true
Launching test
# lxc exec test bash
Linux test 6.11.0-1008-intel #8 SMP PREEMPT_DYNAMIC Wed Mar 19 16:31:19 CET
2025 x86_64 x86_64 x86_64 GNU/Linux
root@test:~# apt update;
Verification completed on oracular linux-intel/6.11.0-1008.8
user@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-1008-intel #8 SMP PREEMPT_DYNAMIC Wed Mar 19
16:31:19 CET 2025 x86_64 x86_64 x86_64 GNU/Linux
user@sec-oracular-amd64:~$ journalctl -b | grep systemd | grep -i apparmo
The patch has been added today to the upstream repository and is
therefore not yet present in the current plucky release. Until the next
release, you can modify /etc/apparmor.d/lsblk as below.
Replace `@{sys}/devices/LNXSYSTM:*/LNXSYBUS:*/** r,` by
`@{sys}/devices/**/host@{int}/** r,`
After relo
Verified that the patch was applied to branch linux-nvidia-
tegra/6.8.0-1004.4
** Tags removed: verification-needed-noble-linux-nvidia-tegra
** Tags added: verification-done-noble-linux-nvidia-tegra
The sanitized_helper profile is designed to be as generic as possible to
make it work with most binaries when a more restrictive profile is
unavailable.
As you pointed out, this approach raises several concerns:
- The security level of this profile is only slightly above unconfined, which
can u
Actually, this issue is not directly related to containers but to
delegations. Unconfined does object delegation of open descriptors. This
is not the case for confined profiles. So when lsblk is launched from a
confined process (the container), then the permission is required.
$ aa-exec -p Xorg -
This is fixed upstream by the following MR:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1632
https://bugs.launchpad.net/bugs/2107402
Title:
lsblk on IBM z Systems blocked by
Thanks for finding this issue
This should be fixed upstream by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1632
https://bugs.launchpad.net/bugs/2107455
Title:
segfault of ls
Public bug reported:
On Ubuntu Plucky, the apparmor utils tools such as aa-notify, aa-logprof,
and aa-cleanprof cannot parse the fusermount3 profile.
$ aa-notify -p
skipping unparseable profile /etc/apparmor.d/fusermount3 (Can't parse
mount rule mount fstype=fuse options=(nosuid,nodev,rw) revokefs-fuse ->
/
```
#--
#Copyright (C) 2025 Canonical Ltd.
#
#Author: Maxime Bélair
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of version 2 of the GNU General Public
#License published by the Free Software Found
```
Indeed, a profile for linux-boot-prober is also needed. Find it below.
Again, if you face any issue with these two profiles don't hesitate to
give feedback.
```
#--
# Copyright (C) 2025 Canonical Ltd.
#
# Author: Maxime B
```
Verification completed on noble kernel 6.8.0-56.58:
$ lxc launch ubuntu:24.04 test -c security.nesting=true
Launching test
$ lxc exec test bash
root@test:~# uname -a
Linux test 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28
UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
root@
** Tags removed: verification-needed-noble-linux
** Tags added: verification-done-noble-linux
https://bugs.launchpad.net/bugs/2067900
Title:
apparmor unconfined profile blocks pivot_ro
This issue should be fixed upstream by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1606.
https://bugs.launchpad.net/bugs/2092232
Title:
not able to deploy Plucky Puffin