Created a MR upstream with a tentative fix in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1716
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2111845
Title:
aut
Hi Sofie.
I'm sorry this has been happening. Could you check your system logs for any
apparmor DENIED messages?
You can run this command in your terminal:
journalctl -b | grep DENIED | grep fusermount
or
sudo dmesg | grep DENIED | grep fusermount
Hi Khairul,
Could you check your system logs for apparmor DENIED messages? The
relevant ones likely have profile="fusermount3" in them.
Since noble there are unconfined profiles which are part of the
unprivileged user namespace restriction. There is a CIS Level 2 rule
that requires all AppArmor profiles to be in enforce mode, which at the
moment includes the unconfined profiles. There is ongoing discussion
with the CIS community [1
ned) => Georgia Garcia (georgiag)
** Changed in: apparmor (Ubuntu)
Importance: Undecided => Critical
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2105986
Title:
Apparm
I could reproduce this issue on linux 6.12 but plucky is soon moving to
6.14 in which this is no longer reproducible.
** Changed in: apparmor (Ubuntu)
Status: In Progress => Fix Committed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
Hi The Owl, my apologies. I updated the description containing the SRU
justification with the thorough testing steps.
Here's the correct verification:
root@sec-oracular-amd64:~# lxc launch ubuntu:24.10 test -c security.nesting=true
Launching test
root@sec-oracular-amd64:~# lxc exec test bash
root
Verification completed in oracular linux/6.11.0-21.21. Works as
expected.
georgia@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-21-generic #21-Ubuntu SMP PREEMPT_DYNAMIC Wed
Feb 19 16:50:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-oracular-amd64:~$ sudo lxc launch ubu
Verification completed on oracular linux/6.11.0-21.21
georgia@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-21-generic #21-Ubuntu SMP PREEMPT_DYNAMIC Wed
Feb 19 16:50:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-oracular-amd64:~$ journalctl -b | grep systemd | grep -i
Hi Heinrich. Did you try rebooting after upgrading to 4.1.0~beta5-0ubuntu5?
The profile could still be loaded in the kernel thus enforcing restrictions
unless rebooting or manually unloading the profile.
Hi Dave
There's a new apparmor_4.1.0~beta5-0ubuntu5 available in plucky-proposed that
should remove the wpa_supplicant apparmor profile. We decided to disable it by
default for now in Ubuntu
I added a comment in the upstream MR for the profile fix, feel free to add more
details there if you wish
Hi Thomas, thanks for the report
AppArmor resolves the symbolic link on mediation, so to allow mbsync to
access those files, you can add the following permission to
/etc/apparmor.d/local/mbsync
@{HOME}/dotfiles/isync/.mbsyncrc r,
It can be done by the following command:
sudo bash -c "echo '@{HO
Hi Khairul.
Unfortunately the fix was not complete and there's a 4.1.0~beta5-0ubuntu5 on
the way. What you can do now is unload the profile and remove it.
# apparmor_parser --remove /etc/apparmor.d/wpa_supplicant
# rm /etc/apparmor.d/wpa_supplicant
Hi Thomas
To allow access to these files, you can add the following rule to
/etc/apparmor.d/local/openvpn:
@{HOME}/Documents/canonical/vpn/canonical_ta.key r,
It can be done by the following command:
sudo bash -c "echo '@{HOME}/Documents/canonical/vpn/canonical_ta.key r,'
>> /etc/apparmor.d/loc
Verification completed on noble kernel 6.8.0-56.58:
$ journalctl -b | grep systemd | grep -i apparmor
...
Feb 20 09:50:03 sec3-noble-amd64 kernel: audit: type=1400
audit(1740055803.156:9): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="busybox" pid=1 comm="systemd"
Feb 20
Hi Fred, I'm sorry to hear that things are not working as you expect. If
you can, could you open a new bug here on launchpad or in the upstream
apparmor repo https://gitlab.com/apparmor/apparmor/-/issues containing
the details of what's not working for you? It would be very helpful if
you could inc
Hi Fred,
What is the output of "realpath /usr/bin/google-chrome" in your machine?
Here I have
$ realpath /usr/bin/google-chrome
/opt/google/chrome/google-chrome
which is already covered by the rule
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx
-> sanitized_helper,
App
Since rsyslog ships its own apparmor profile, I'm adding rsyslog as the
affected package and marking apparmor as invalid.
** Also affects: rsyslog (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor
Status: New => Invalid
** Description changed:
+ SRU Justification:
+
+ [Impact]
+
+ The commit being reverted allows the use of runtime information on
+ AppArmor features, usually located under
+ /sys/kernel/security/apparmor/features/
+
+ The set of features is used to calculate the features' hash, used by
+ AppArm
The bug was caused by a commit [1] in the Ubuntu kernel that would
change the kernel features hash based on the status of the userns and
io_uring restriction. When the policy cache was generated, userns
restriction would be available and the hash under
/etc/apparmor/earlypolicy/ would match the set
This profile bypasses the restriction of unprivileged user namespaces,
therefore Ubuntu cannot ship it, and we recommend you don't use it
either. If an application calls bwrap with a valid use of unpriv userns,
then a profile for that app should be created instead. Let me know if
you need any help
This is the fix upstream:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1237/diffs?commit_id=1f4bba0448563b7d1fe4d86c230556ebf8d3805b
You will need to create an AppArmor profile for the AppImage to work
using unprivileged user namespaces with privileged operations. Here's a
more detailed explanation in a different bug:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056627/comments/4
Hi Ondra. Could you share what the apparmor profile looks like? Spaces
should work when surrounded by double quotes in the profile. In
4.0.1really4.0.1-0ubuntu0.24.04.3 there's an example of that in
/etc/apparmor.d/MongoDB_Compass.
profile "MongoDB Compass" "/usr/lib/mongodb-compass/MongoDB Compas
Hi Janne, thanks for reporting. Adding attach_disconnected to the profile flags
is the correct course of action at this point.
I submitted a MR upstream with the information you provided:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1395
Hi! Thank you for reporting this issue. It was already fixed by upstream
AppArmor but the fix still needs to be applied in the apparmor package:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1218
** Attachment added: "docker-default"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5824926/+files/docker-default
Hi, mihalicyn, sorry for the delay answering.
That's unfortunately right. Ubuntu 12.04 ships apparmor 2.7 which didn't
have support for ABIs yet, so dc757a645cfa82f6ac252365df20a36a9ff82760
causes a regression on those early versions. I talked to @jjohansen and
we have agreed that this patch needs
I agree that if /etc/ipa/ca.crt is a standard location for that package
(which appears to be
https://pagure.io/freeipa/blob/master/f/ipaplatform/base/paths.py#_69)
then we could add it to the ssl_certs abstraction
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** No longer affects: apparmor (Ubuntu)
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Oracular)
Importance: Undecided
Status: New
It does seem to be an issue with their snap apparmor policy, which they
manage directly. Feel free to report the issue to them directly
https://github.com/NordSecurity/nordvpn-linux
** Changed in: apparmor (Ubuntu)
Status: New => Invalid
From the comments in the forum, it seems that the AppImage was
corrupted. Since it doesn't seem apparmor related, I'm setting this bug
as Invalid. Feel free to change it back if you don't agree.
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
Hi! Could you add some logs so we can determine if it's apparmor
related? You can run the following command to get them automatically.
apport-collect -p apparmor 2074277
** Changed in: apparmor (Ubuntu)
Status: New => Incomplete
Sorry for the delay. The fix had landed but it was reverted due to a
regression. We have a 4.0.1really4.0.1-0ubuntu0.24.04.3 update but
it is still sitting in noble-proposed
https://people.canonical.com/~ubuntu-archive/pending-sru.html
Hi appe!
There's a new version of apparmor in the noble-proposed pocket that should fix
this issue:
https://launchpad.net/ubuntu/+source/apparmor/4.0.1really4.0.1-0ubuntu0.24.04.3
https://wiki.ubuntu.com/Testing/EnableProposed
@lazka: you can use this profile:
https://pastebin.canonical.com/p/VbmH97Rhqp/
I grabbed it from upstream:
https://github.com/moby/moby/blob/master/profiles/apparmor/template.go
Note that for the rule "signal (receive) peer={{.DaemonProfile}}," in the
template I assumed the DaemonProfile is unco
Verification completed in bug 2064672
** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
Verification completed on apparmor noble-proposed
$ apt policy apparmor
apparmor:
Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3
Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3
Version table:
*** 4.0.1really4.0.1-0ubuntu0.24.04.3 100
100 http://archive.ubuntu.com/ubuntu noble-proposed/ma
I have noticed that a lot of AppArmor policies use peer=unconfined when
they meant *any* peer. I believe this is also the case for bug 2040483.
I see little difference in allowing "signal (receive) peer=unconfined,"
vs "signal (receive)," in abstractions/base, so I proposed
https://gitlab.com/appa
Since the profile is not shipped by the apparmor package, I'm marking it
as invalid and adding the correct package passt
** Also affects: passt (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor (Ubuntu)
Status: New => Invalid
The fix is similar for privoxy. I attached the debdiff that fixes it.
** Patch added: "privoxy_3.0.34-3ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5759689/+files/privoxy_3.0.34-3ubuntu2.debdiff
Ah, sorry, Łukasz. I didn't see you were working on it.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058866
Title:
proposed-migration for cups-browsed 2.0.0-0ubuntu8
Erich Eickmeyer, I don't have a Tuxedo Computer to test, so could you
please check if the following profile works for you?
$ echo "# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi ,
include
profile tuxedo-control-cent
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851
** This bug has been marked a duplicate of bug 2032851
package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor
package pre-installation script subprocess returned error exit status 1
--
*** This bug is a duplicate of bug 2051932 ***
https://bugs.launchpad.net/bugs/2051932
** This bug has been marked a duplicate of bug 2051932
attach_disconnected test from test_regression_testsuite of
ubuntu_qrt_apparmor failed with "Unable to run test sub-executable" on Mantic
** Changed in: devhelp (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: devhelp (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: epiphany-browser (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: epiphany-browse
** Also affects: apparmor
Importance: Undecided
Status: New
** No longer affects: apparmor
** Also affects: lightdm (Ubuntu)
Importance: Undecided
Status: New
Hi Gunnar,
Could you share which AppArmor version you are running, and which kernel
version?
Thanks
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2051506
Title:
apparm
** Changed in: apparmor (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052297
Title:
Please add opt.keybase.keybase profile
Hi Daniel!
Thanks for testing and making sure. As you were able to figure out, the
AppArmor parser accepts both include and #includes, although we are deprecating
the latter.
Since the AppArmor policy is distributed by the Mozilla Team's firefox,
they need to add this permission to their AppArm
Hi Gerard
Brave does not work currently because we only added support to Chromium,
Firefox and Opera as you can see in the current snap_browsers abstraction [1].
I'm adding Brave support as well [2].
While that change is not applied to the apparmor package, as a workaround, you
could apply the
Public bug reported:
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-
restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user
namespace restrictions for Ubuntu 23.10 are to be enabled by default via
a sysctl.d conf file in apparmor, and for that to happen, the
res
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851
Hi Herb!
The fix is already on the way and should be available to you soon. Meanwhile,
as a workaround, you can remove the /etc/apparmor.d/cache/e10c1cf9.0 directory
with
rm -r /etc/apparmor.d/cache/e10c1
The autopkgtests for apparmor failed for the evince update because the
test requires the apparmor update which is also in proposed
https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.3 but it is
not a regression.
Verification from proposed was successful:
georgia@sec-bionic-amd64:~$ sudo bash -c "cat deb http://archive.ubuntu.com/ubuntu/ focal-proposed restricted main
> multiverse universe
> EOF"
georgia@sec-bionic-amd64:~$ sudo bash -c "cat
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851
Hello! Thanks for the report. I noticed that it is a duplicate of Bug 2032851
which already has a fix on its way.
Meanwhile, as a workaround, you could fix the upgrade issue by running
rm -r /etc/apparmor.d
Reuploading because I had a conflicting version with what was rejected
in -proposed
** Patch added: "evince_42.3-0ubuntu3.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5711859/+files/evince_42.3-0ubuntu3.2.debdiff
** Patch removed: "evince_42.3-0ubuntu3.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5711419/+files/evince_42.3-0ubuntu3.1.debdiff
Hi! You're right, I forgot to request a sponsorship.
I uploaded the patch for evince/jammy, could you take a look and sponsor
if possible? Thanks
** Patch added: "evince_42.3-0ubuntu3.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5711419/+files/evince_42
** Changed in: apparmor (Ubuntu)
Importance: Undecided => Critical
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2032851
Title:
package apparmor 2.12-4ubuntu5.3 faile
ss returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install)
** Patch added: "apparmor_2.13.3-7ubuntu5.3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032851/+attachment/5708296/+files/apparmor_2.13.3-7ubuntu5.3.debdif
Hi!
Could you share the kernel and apparmor version?
I tested on mantic with the configuration below and I wasn't able to reproduce
the failure for this specific test.
I did see an unrelated dbus issue with the test suite and proposed a fix on
https://code.launchpad.net/~georgiag/qa-regression
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851
** Information type changed from Private Security to Public
** This bug has been marked a duplicate of bug 2032851
package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor
package pre-in
Andreas, Jeremy, you are correct. The worst that could happen is the
same behavior we have currently: when we click a URL the browser does
not open, we get a denied log and evince prints "Permission denied".
My previous statement that profile loading could fail if apparmor did
not find "snap_brows
I have verified on lunar with both apparmor and evince packages updated
from the proposed pocket, it works as expected.
** Tags removed: verification-needed-lunar
** Tags added: verification-done-lunar
Steve, the snap_browsers abstractions needed an update because the
abstraction had not been updated in a year and the snap browsers now
required read and lock permissions to the file
/var/lib/snapd/inhibit/{browser-name}.lock, but this was also submitted,
approved and merged upstream:
https://gitl
Hi Steve.
I updated the patches containing the requested changes and uploaded them to
https://launchpad.net/~georgiag/+archive/ubuntu/lp1794064/+packages
Please let me know if you prefer I attach the debdiffs here.
I'm resubscribing ~ubuntu-sponsors. Thanks
** Patch removed: "evince_42.1-3ubun
Hi Daniel. Thanks for the report!
Could you try the following commands and let me know if they fix the
issue?
sudo sh -c "echo 'include ' >>
/etc/apparmor.d/local/usr.bin.firefox"
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
I added the consoles abstraction to the rsyslog AppArmor profile and I
also had to add syslog to the tty group, otherwise rsyslog would not
have been able to write to /dev/console due to file permissions (bug
1890177).
I added the proposed changes to this PPA
https://launchpad.net/~georgiag/+archi
I think /var/log/syslog and /var/log/kern.log will be sufficient.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2009317
Title:
All Snaps Broken After Release Upgrade
St
Hi! Could you upload some system logs of when this happens?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2009317
Title:
All Snaps Broken After Release Upgrade
Status i
Hi Chlo!
I was just testing a fix that I did myself:
https://launchpad.net/~georgiag/+archive/ubuntu/lp2009230/+packages
and it seemed to work as expected.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
h
** Also affects: gce-compute-image-packages (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
The AppArmor profile for rsyslog, which had been disabled on previous
Ubuntu versions, was enabled in lunar.
The package google-compute-engine added a config file to r
Public bug reported:
The AppArmor profile for rsyslog, which had been disabled on previous
Ubuntu versions, was enabled in lunar.
The package google-compute-engine added a config file to rsyslog which
requires rw access to /dev/console
google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.c
** Also affects: lxc
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2003383
Title:
LXC ignores lxc.rootfs.options on container
/proc is not usually shared between the host and the container, but I
can see how that can happen if you run the mount with hidepid=2 on the
host.
When it comes to processes, aa-status works by going through /proc and reading
attr/apparmor/current. So if you remount /proc with hidepid=2, then the
Could you also provide some kernel logs?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2006528
Title:
LXD processes are not enforced in Ubuntu 20.04 HWE kernel
Status i
Thanks, Simon, I must have missed it.
When I use --mode=non-interactive on lxc and -l on tcpdump, I don't see the
issue at all.
** Description changed:
+ [ Impact ]
+
+ Users that run tcpdump from an SSH session inside a container cannot
+ see the output because tcpdump tries to write to /dev/pts/, which is
+ not allowed by the AppArmor policy.
+
+ This upload fixes the bug by allowing read/write access to the devices
+
I tried reproducing the issue on a 22.04 VM with a 22.04 container and I
got some weird behavior, not consistent with what was reported in the
comments, so I would appreciate it if anyone can also take a look.
What I found is that I can only reproduce the issue when running tcpdump
in --mode=non-interactive,
I agree that this issue is not a duplicate of Bug 1641236 and it can be
fixed by adding rw access to /dev/pts/*, which is not the case for the
other bug.
** This bug is no longer a duplicate of bug 1641236
Confined processes inside container cannot fully access host pty device
passed in by lxc
Hello,
Looking at the lxc logs exclusively I couldn't figure out what's going on, or
if it's related to AppArmor.
Could you also provide the kernel logs from the host and from the container?
Thank you
Hello,
I wasn't able to reproduce the error
https://pastebin.canonical.com/p/VDkkkCx2HF/
Does the issue persist if you restart the container? Also, can you
please check if restarting the apparmor service fixes it?
Tests for jammy worked as expected. The systemd autopkgtest on s390x
passed after the test was retriggered.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146
Title:
Tests for jammy worked as expected. The systemd autopkgtest on s390x
passed after the test was retriggered.
** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy
** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/199414
Thank you for validating the test, Heather.
In addition to the ABI validation, I also ran the AppArmor tests using
the QA Regression Test suite (https://git.launchpad.net/qa-regression-
testing/tree/scripts/test-apparmor.py). It includes tests for
LibAppArmor, the parser, and all regression tests.
Thanks for reporting this issue. I created a MR upstream to fix it
https://gitlab.com/apparmor/apparmor/-/merge_requests/962
Verification done. The autopkgtest failure for libreoffice was a
temporary issue with the test infrastructure that passed when it was
retriggered.
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993353
Title:
Add posix message queue IP
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146
Title:
[SRU] apparmor - Focal, Ja