Yes please report profiles that are doing this, so that they can be
fixed. Generally it is probably best to have a separate bug per
profile/application but it is acceptable to do a dump of log messages,
and say I am getting these denials/complain messages on xubuntu 25.04.
You could for example con
I should add that the profiles that are filling your logs, should also
be updated so that they are not causing these messages.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2117338
Title:
Tremendous
Sorry AppArmor auditing will not be disabled by default. Generally it
indicates a violation of security policy. Which really does need to be
audited. However we can split policy into two broad classes, policy that
is being enforced, and policy that is in complain/allow/learning mode.
Unfortunately
As noted in Bug #2116834 there is an apparmor profile issue that needs
to be resolved, however the fusermount3 running the cpus occurs even
with the profile disabled.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchp
changed to triaged for apparmor as the denies do need to be fixed
** Changed in: apparmor (Ubuntu)
Status: Invalid => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2116834
Title:
fu
I can replicate with a clean install of the daily. However I am seeing
this behavior even when I disable the apparmor profile, and reboot, and
can verify fusermount3 is unconfined.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https:
I don't see a denial that would require
capability net_admin,
are there some denials missing? Why is this being added. Capabilities,
especially sys_admin, and net_admin allow doing all kinds of ugly
things.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
This is a mix of issues
1. disconnected path
The failures with info="Failed name lookup - disconnected path" are due to
fusermount3 being run in a mount namespace, and trying to access fds that it
does not have access to. This is likely due to flatpak's sandbox design, and
its broken assumption
It not so much that apparmor doesn't like spaces as the audit subsystem
doesn't, and since apparmor uses that to do its auditing ...
But you are correct that profiles names shouldn't contain spaces because
of this. The profile name will get updated to probably MongoDB_Compass
--
You received thi
@johnwaynee: we plan to address every issue that is technically possible
to address. Hopefully the more detailed breakdown of issues around
memory use, both leak, and could be perceived as a leak helps address
your concern.
So what I have managed to trace down so far. This isn't a single bug, but
Thanks. That confirms it is not the complain leak.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2098730
Title:
Kernel 6.8.0 memory leak
To manage notifications about this bug go to:
https://bugs.l
*** This bug is a duplicate of bug 2102680 ***
https://bugs.launchpad.net/bugs/2102680
** This bug has been marked a duplicate of bug 2102680
Installation of AppArmor on a 6.14 kernel produces error message "Illegal
number: yes"
--
You received this bug notification because you are a mem
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1508737
Title:
unix domain socket bind causes kernel audit NULL pointer deference
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Xenial)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Yakkety)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Zesty)
Status: Confirmed => Invalid
I have found and fixed a leak in the prompt notification interface. It however
does not account for this.
There is also a circular reference count with complain mode profiles, but it is
not clear if that is the situation encountered here.
The messages in syslog could indicate that there are some
** Changed in: linux (Ubuntu)
Assignee: Roger Knecht (rogerknecht) => John Johansen (jjohansen)
** Changed in: linux (Ubuntu Noble)
Assignee: Roger Knecht (rogerknecht) => John Johansen (jjohansen)
** Changed in: linux (Ubuntu Oracular)
Assignee: Roger Knecht (rogerknecht) =
This looks to be caused by incus using change_profile to change
confinement. AppArmor is allowing this but only to a point creating a
stack of the incus policy and unconfined. We will need to investigate
the specifics of exactly what is going on here. But in the mean time you
should be able to work
@mfuk: the generic 6.8.12 kernel doesn't have the ubuntu patch diff, and
that is likely why you are not seeing this issue with that kernel
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2098730
Title:
** Also affects: apparmor/3.1
Importance: Undecided
Status: New
** Also affects: apparmor/master
Importance: Undecided
Status: New
** Also affects: apparmor/2.12
Importance: Undecided
Status: New
** Also affects: apparmor/4.0.3
Importance: Undecided
Status
this looks like at a minimum the apparmor profile needs to be updated.
This needs to be done before any other kernel work. Adding an apparmor
task
lsblk trace shows
openat(AT_FDCWD, "/sys/block/sr0/hidden", O_RDONLY|O_CLOEXEC) = -1 EACCES
(Permission denied)
openat(AT_FDCWD, "/sys/block/sr0/dev
@r-fabbeni
if you have done local edits on the profile file dpkg/apt when they
install a new version will move your locally edited version to .save
when it installs the new version. I would assume the addition of
flags=(complain) was a local addition, possibly done with aa-complain.
as for the aa
Is gnome papers looking for a smart key or similar device, the tpm?
Giving it full access to the /sys/devices/ tree is certainly more than
it needs.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/21061
On 4/3/25 06:52, r.fabb...@gmail.com wrote:
> Installed apparmor-utils package and aa-complain is ok now.
> But i never did editing in apparmor.d files before yesterday, and on 24.04
> lsusb was not complaining.
> After upgrading to 25.04 it started the problem.
> So really strange to have a .save
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Status: New => In Progress
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (
Public bug reported:
When snapd crashes or restarts it closes its connection to the kernel
and the listener state, and all existing notifications are lost.
This is a problem for snapd as it means prompt information is lost,
causing failures for the user, and a need to re-prompt the user. The
user
focal apparmor userspace.
The partial mqueue mediation in Focal's kernel has caused some issues,
and the full patchset including the fix for this may need to be SRUed
kernel side.
** Changed in: apparmor
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: apparmor
^^^
AssertionError: 1 != 0 : Got exit code 0, expected 1
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: apparmor (Ubuntu Plucky)
Imp
This has been traced to the compatibility patches in the kernel, and
will need a kernel fix.
** Changed in: linux (Ubuntu Plucky)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubu
The plan is to attempt another SRU bwrap-userns-restrict along with a
few other profiles that are needed. The previous attempt was reverted,
there ave been several revisions, and we are getting ready to try it
again.
--
You received this bug notification because you are a member of Ubuntu
Bugs, w
The sanitized_helper is an escape hatch, and is only slightly better
than using ux directly within the profile. It exists because Ubuntu
doesn't carry a complete policy yet (a lot of the system is unconfined),
and because environment variable sanitization either breaks the child
application being p
So I think its not unreasonable to add
/var/ r,
/var/log/ r,
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2101180
Title:
Multiple DENIED apparmor messages when using rsyslog with the imfile
modu
@paride: RE: aa-notify
aa-notify does not require the desktop-security-center snap. The
desktop-security-center snap is required for permissions prompting which
is a different feature, that is only available to snaps atm*.
aa-notify is after the fact updating of the profile similar to using aa-
l
also
deny / r,
to silence the denial there seems appropriate
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2101180
Title:
Multiple DENIED apparmor messages when using rsyslog with the imfile
mo
** Also affects: apparmor (Ubuntu Plucky)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100745
Title:
Fix apparmor tools parsing failure caused by lp2100
** Also affects: apparmor (Ubuntu Plucky)
Importance: Undecided
Status: Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100744
Title:
Fix parse failure that breaks aa-tools
To
atm It looks that way, there certainly should be some though
comment #4's
@{HOME}/.cert/nm-openvpn/* r,
seems reasonable. We will have to look into others
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/b
@aleasto, no they aren't desktop applications. That doesn't mean access
to keys in a users directory can't be routed to the affected user as a
permission request (at least in a desktop environment).
Nor does it mean that the gui interface for network manager, can't act
as at a privilege layer for
the denials I am seeing in the grub.cfg show linux-boot-probe is now the
failing command. Like os-prober, linux-boot-prober is using unshare to
create a user namespace and getting transitioned into the
unprivileged_unshare profile stack.
--
You received this bug notification because you are a mem
Right, once the reason for the use of the mount namespace was understood
it was clear that it is needed. The current proposed fix is to not
disable mount namespaces but create a more limited proper profile. This
is now being worked on and will hopefully be ready soon.
--
You received this bug not
So the problem with Alex's fix is that it makes a default allow profile
available on the default install. Which is a security hole unless the
apparmor_restrict_unprivileged_unconfined restriction is enabled, by
default.
We tolerate the sbuild profile because it is not installed by default,
and it
The fix for the parse bug, triggered by the fix for the lp2100295 is tracked by
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2100745
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100744
Ti
Public bug reported:
The fix for lp2100295 caused the python based aa-* tools to crash on any
and all policy due to a parsing error.
This bug tracks the fix for the parsing bug in the aa-* tools that
caused the aa-tools to crash. Which is tracked in upstream MR
https://gitlab.com/apparmor/apparmo
Public bug reported:
The fix for https://bugs.launchpad.net/bugs/2100295 resulted in mount
rules in fusermount3 that caused all python aa-* tools to crash because
parsing of the new fusermount3 profile rules failed.
The this blocked merge of the fix for the fusermount3 profile in upstream
https:/
Currently there isn't a good way to set the flags on a profile without
editing the local copy. There is an overlay mechanism coming, but it has
not landed yet. There is also another mechanism for dealing with
disconnected object coming. But until these extensions land there is a
way to do local pro
@xypron:
policy can be shipped as part of the package, or part of the system
policy. Atm unless there is a good reason, or an active package
maintainer who wants to maintain the policy, profiles are being shipped
as part of system policy, in the apparmor package.
--
You received this bug notific
So there is a tension here between users and security. There is no
perfect solution. Allowing openvpn full access to all the users files
has security implications, denying access has usability implications.
As unsatisfying as it is we are working towards a long term solution,
but are not there yet
temporary fix
sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns
or to make it persist after reboot
sudo aa-disable /etc/apparmor.d/unprivileged_userns
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.n
The first denial I am seeing is for netlink. So
network (create) netlink raw,
I am assuming once it is allowed creation of the netlink socket their
will be addition permissions needed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu
In my testing this does work with the bwrap profile that is in the beta
and will land soon.
You can try it yourself by downloading
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/bwrap-
userns-restrict?ref_type=heads
and then running the command
$ apparmor_pa
There will be a new bwrap profile landing in plucky soon that should
hopefully fix most cases. The use case it doesn't fix is the exe being
launched by bwrap requiring capabilities in the unprivileged user
namespace.
--
You received this bug notification because you are a member of Ubuntu
Bugs, w
Public bug reported:
Profile cache files in /etc/apparmor/earlypolicy/ should be loaded by
systemd during early boot to enable full system confinement. Systemd
should load the cache and try to enter confinement as documented in
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd
Howe
There are three approaches:
1. Users will be able to use a GUI notification/pop-up to do this. A
version of this is currently available in 24.10, it has been revised and
a new iteration will soon land in 25.04, the plan is to SRU this back to
24.04 (23.10 is already out of support).
A demo vide
On 11/16/24 06:42, Sam wrote:
> I was wondering about the threats being mitigated by disabling
> unprivileged userns like this. After some searching, I was able to find
> this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-
> namespace-restrictions-via-apparmor-in-ubuntu-23-10/376
On 12/14/24 01:29, hifron wrote:
> Electron apps could be made without sandbox usage - this could be setup
> as compile options or electron settings, but it is not so good idea...
> maybe temporarily as in between maybe, maybe not...
>
> but todays there is reality that prompting-client could be i
conditionally dependent rule, such
that when a specific file is allowed the matching pattern is
automatically allowed.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee
)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Noble)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Also affects: linux (Ubuntu)
Importance
If you want you can test the attached profile. It will allow bwrap to work in
most situations. There are a few places Where it will still cause failures
1. if the child that bwrao launches requires privilege in the unprivileged user
namespace.
2. if the child profile has issues due to no-new-priv
The ability to remove the snap without any dependency check/warning is
indeed worrying. The apparmor STATUS message likely not. The
apparmor=STATUS messages are most likely about profile loads and
replacements. In this case the profile="unconfined" means the task doing
the profile load is unconfine
From the kernlog.txt
I see
1497 lines
1280 lines with AppArmor denials
1278 lines with denials to snap profiles
939 lines with denials to /dev/char
937 lines with denials to /dev/char/195
I don't have enough info to positively say this is the nvidia graphics
card, but from other bits of info th
@xmedeko The handling of spaces has nothing to do with the user
namespace restriction that this bug, and the upstream git hub issue are
tracking.
can you attach any additional information. kernel logs etc.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is su
The bwrap profile was reverted on Oracular as well (because it breaks
flatpak), and I did a quick test to verify the thumbnailer does not work
on Oracular budgie. Please let me know if there is a case where this is
working on Oracular.
There is a revised version of the bwrap and flatpak profiles i
@Andrew: Simon is correct. This update deliberately had an unusual roll-
out where it went to updates first so that it could be phased, and we
could roll back if the phasing showed a problem.
The security pocket was not updated specifically to provide a users a
way to easily revert the update.
As
This SRU should land soon. It is up to the release team to decide when
it will be released. There are a couple reason this is baking longer (28
days) than the minimum 7 days. In -proposed is a previous iteration
caused a regression and had to be reverted. The 24.04.1 release happened
recently and t
Ubuntu can not ship an unconfined bwrap profile, doing so allows a
trivial by-pass of the unprivileged user namespace restrictions.
An alternative profile for bwrap is provided by the apparmor-profiles
package in /usr/share/apparmor/extra-profiles/bwrap-userns-restrict
it is not enabled by defaul
*** This bug is a duplicate of bug 2064849 ***
https://bugs.launchpad.net/bugs/2064849
Ubuntu can not ship an unconfined bwrap profile, doing so allows a
trivial by-pass of the unprivileged user namespace restrictions.
An alternative profile for bwrap is provided by the apparmor-profiles
pack
@Mingun: in
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1969896 you
reported this is still affecting Ubuntu 24.04.1
Can you provide log entries with the denials you are encountering?
sudo dmesg | grep DENIED
Also you reported
$ LANG=C sudo apparmor_parser -R /etc/apparmor.d/usr.b
*** This bug is a duplicate of bug 1795649 ***
https://bugs.launchpad.net/bugs/1795649
@Mingun: I have replied in
https://bugs.launchpad.net/evince/+bug/1795649
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpa
This is fixed in 4.0.2 and should be part of the next SRU
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2079019
Title:
Unable to en
Disabling the user namespace restriction is certainly one possible
direction, and would be the easiest for Noble.
The other possible route is using aa-notify, which now has the ability
to produce a prompt for the user. An example gif can be seen at
https://gitlab.com/-/project/4484878/uploads/ea5f
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
Looking into it. This appears to be an issue with the parent missing
when trying to create the child in aafs.
** Changed in: linux (Ubuntu Noble)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: ubuntu-realtime
Status: New => Con
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
peer=unconfined in most cases is not meant to be any. It is just that
the policy could not distinguish between the different unconfined
processes.
Confined processes were still being blocked by the peer=unconfined rule.
--
You received this bug notification because you are a member of Ubuntu
Bug
So I have some questions about the snap run under the wpa_client case.
Is this trace repeatable? This one is odd to me in a couple of ways like
we are getting a timeout without every doing a select/poll/... so either
it is somehow missing from the trace or its being done by interrupt.
The trace s
@richard-purdie-1:
I can completely agree that its sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.
Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the use
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.
Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The
@jamesh:
for the profile please give it a short non-path based name, and option
for local additions
abi ,
include
profile gnome-shell-portal-helper /usr/libexec/gnome-shell-portal-helper
flags=(default_allow) {
userns,
# Site-specific additions and overrides. See local
@Robie: define final. Right now this is for testing. Once testing is
done and if everything looks good then we will revise the version. The
plan was to go with an epoc version similar to
4.0.1really4.0.0-beta3-0ubuntu0.1 (suggestions welcome), and didn't want
to use/burn those until we are sure thi
steam (non-snap) works, interface is brought up and can launch a game
known to trigger pressure vessel and bwrap.
steam snap is broken. The interface is brought up, but the games I have
tried can not launch. The failure however does not appear to be related
to the revert.It is not bwrap related bu
I have run through QRT tests as well, same results as @georgia in #28
In addition I have tested a couple flatpaks, steam (snap, and non-snap)
has NOT been tested yet, but I will have that one soon.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed
The regression is caused by
d/p/u/enable-bwrap-profile.patch
the bwrap profile is interacting with flatpak, and snapd. The
d/p/u/enable-bwrap-profile.patch will need to be dropped, when the 4.0.1
SRU is redone.
The bwrap, flatpak and snapd will need updates to enable bwrap to be
used by regular
@ross:
atm, correct unshare does Not work as it does not have a profile enabled
by default. However this will be partially fixed via SRU. The SRU for
apparmor 4.0.1 includes an example profile for unshare*, that will allow
unshare to create user namespaces and even have capabilities within the
use
There 3 profiles involved here (probably should be 4), with a call
dependency chain of
flatpak -> bwrap -> bwrap_unpriv
the flatpak profile does not show up in the logs but does end up
launching bwrap. The comm is being set by flatpak, and can not be
considered reliable for which executable is
@kanavin:
Bitbake could indeed do that, it will depend on if it is considered
worthwhile to carry said exception code. As I mentioned above both
capabilities and SELinux are working towards limiting of unprivileged
user namespaces, and the solutions needed to handle there restrictions
will be diff
@kanavin:
Thanks, we don't have an issue with bitbake, the issue comes down to
running code out of a user writable location.
1. The location of bitbake will vary by user. Making any profile we
could ship only functional for a subset of bitbak users. For the others
it would require a privileged ac
@milev-philip:
containers are a difficult case. Unfortunately containers share the same
kernel as the host. An application running in the container (docker
image) can use unprivileged user namespaces to compromise not just the
container but the host as well.
There is the ability to turn the restr
It does seem that way. The problem is the design of unprivileged user
namespaces, it gives unprivileged applications access to a lot of kernel
surface that they usually don't have access to. This has been used to
elevate kernel bugs from root exploitable to being exploitable by
unprivileged users.
*** This bug is a duplicate of bug 2056555 ***
https://bugs.launchpad.net/bugs/2056555
Yes, its best to mark this as a duplicate.
** This bug has been marked a duplicate of bug 2056555
Allow bitbake to create user namespace
--
You received this bug notification because you are a member o
Test Environment 1: kvm virtual machine, clean 24.04 install, updated,
then proposed enabled.
Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04,
updated, then proposed enabled.
Test plan fully executed on both environments.
Notes:
kde, budgie, and kapps: only tested in envi
List of Applications tested for regression
Tellico
Supercollider
steam
rssguard
qutebrowser
qmapshack
plasma-welcome
plasma-desktop
pageedit
opam
notepadqq
marble
loupe
kontact
konqueror
kmail
kgeotag
kdeplasma-addons
kchmviewer
kalgebra
goldendict-webengine
ghostwriter
foliate
geary
firefox snap
A profile for bwrap is in the 4.0.1 SRU
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
To
A profile for bwrap is in the 4.0.1 SRU
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
To
A profile for bwrap is in the 4.0.1 SRU
** Changed in: bubblewrap (Ubuntu)
Status: Triaged => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespa
On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of
June 27, 24.04.
0. Enabled proposed, updated, upgrade and installed apparmor packages
via
$ sudo apt install apparmor apparmor-profiles apparmor-utils
libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor
python3-libap
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
I will add that while you can manually add the profile as a work around,
the full update that is being SRUed is available in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru
any testing that
Can you please try with the apparmor in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru
Basically from a terminal you need to do
sudo add-apt-repository ppa:apparmor-dev/apparmor-sru
sudo apt update
and then retry Web Apps
4.0.1 is in the SRU process, currently waiting to
> Am I correct in understanding, the Thunderbird snap does not allow
profiles to set paths to locations outside the snap confinement? And if
so, is that something specific to running a live system or is it
something any Lubuntu 24.04 installation is now stymied by?
it is a property of the snap, re
1 - 100 of 8139 matches
Mail list logo
