This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6

---------------
apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium

  * Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not
    3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the
    wrong directory in is_container_with_internal_policy(), which causes
    policy to always fail to load in containers. Thanks to Christian
    Ehrhardt for the analysis. (LP: #1895967)

apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
    fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the parser
    to emit rules needed for change_hat in the hat profiles but broke the
    rule being emitted for the parent profile, this fixes it for both so
    that it is emitted for any profile that is a hat or that contains a hat.
  * d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
    abstraction so that it allows access to the apparmor attribute paths
    under LSM stacking.

apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix parser
    not adding a rule to profiles if they are a hat or contain hats granting
    write access to the kernel interfaces.

apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium

  [ John Johansen ]
  * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841)
  * Drop all patches backported from upstream: applied in 3.0
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide
    example and base abi to pin pre 3.0 policy
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning
    of pre AppArmor 3.x policy
  * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer
    needed with upstream 'include if exists'

  [ Steve Beattie ]
  * d/p/parser-fix_cap_match.patch: fix cap match to work correctly,
    important now that groovy has a 5.8 kernel.
  * d/apparmor-profiles.install:
    + adjust for renamed postfix profiles
    + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles
    + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in
      apparmor-profiles)
  * d/apparmor.install: include abi/ directory and tunables/etc.
  * d/apparmor.manpages: add apparmor_xattrs.7 manpage
  * d/control:
    + apparmor-utils: no more shipped perl tools, drop perl dependency
    + apparmor-notify: aa-notify was converted to python3 from perl; adjust
      -notify dependencies to compensate
  * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch: fix sed
    expression in settest()

  [ Emilia Torino ]
  * Removing Ubuntu specific chromium-browser profile. This is safe to do
    since groovy's chromium-browser deb installs the snap. If apparmor3 is
    backported to 18.04 or earlier, the profile will need to be taken into
    consideration
    - d/profiles/chromium-browser: remove chromium-browser profile
    - d/apparmor-profiles.postinst: remove postinst script as it only
      contains chromium-browser related functionality.
    - d/apparmor-profiles.postrm: remove postrm script as it only contains
      chromium-browser related functionality.
    - d/apparmor-profiles.install: remove ubuntu-specific chromium-browser
      abstraction and profile
    - d/apparmor-profiles.lintian-overrides: remove chromium-browser profile
      lintian overrides
    - d/p/ubuntu/add-chromium-browser.patch: remove patch which added
      chrome-browser

  [ Alex Murray ]
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: refresh
    this patch with the official upstream version
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: refresh this
    patch to match the above
  * d/p/parser-add-abi-warning-flags.patch: enable parser warnings to be
    silenced or to be treated as errors

  [ Jamie Strandboge ]
  * d/p/adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus
    1.5.22. This can be dropped with AppArmor 3.0 final.
  * d/p/parser-add-abi-warning-flags.patch: refresh to avoid lintian warnings
  * d/p/ubuntu/lp1891338.patch: adjust ubuntu-integration to use
    abstractions/exo-open (LP: #1891338)
  * d/p/ubuntu/lp1889699.patch: adjust to support brave in ubuntu
    abstractions. Patch thanks to François Marier (LP: #1889699)
  * d/p/ubuntu/lp1881357.patch: adjust for new ICEauthority path in /run
    (LP: #1881357)

 -- Jamie Strandboge <ja...@ubuntu.com>  Tue, 22 Sep 2020 15:10:33 +0000

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1895967

Title:
  Apparmor 3.0.0 does not load profiles in containers anymore

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Hi,
  I stumbled over this due to automatic tests checking proposed.
  I found that Focal could no longer migrate to Groovy with:

  $ virsh migrate --unsafe --live fguest qemu+ssh://10.162.30.163/system
  error: unsupported configuration: Security driver model 'apparmor' is not available

  I looked into it and found that while all former releases detected
  apparmor correctly:

  $ virsh capabilities | grep -C 3 secmodel
        <cache>
          <bank id='0' level='3' type='both' size='15' unit='MiB' cpus='0-11'/>
        </cache>
        <secmodel>
          <model>apparmor</model>
          <doi>0</doi>
        </secmodel>
        <secmodel>
          <model>dac</model>
          <doi>0</doi>
          <baselabel type='kvm'>+64055:+108</baselabel>
          <baselabel type='qemu'>+64055:+108</baselabel>
        </secmodel>

  Now on groovy that didn't work anymore:

        <secmodel>
          <model>none</model>
          <doi>0</doi>
        </secmodel>
        <secmodel>
          <model>dac</model>
          <doi>0</doi>
          <baselabel type='kvm'>+64055:+108</baselabel>
          <baselabel type='qemu'>+64055:+108</baselabel>
        </secmodel>

  Since 3.0 is only in proposed:

  # apt-cache policy apparmor
  apparmor:
    Installed: 2.13.3-7ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu1
    Version table:
       3.0.0~beta1-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
   *** 2.13.3-7ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status

  I installed the former version.

  $ apt install apparmor=2.13.3-7ubuntu6
  $ rm /var/cache/libvirt/qemu/capabilities/*
  $ systemctl restart libvirtd

  And it works again.

  Interestingly, going back to 3.0 then works and keeps working. Therefore
  maybe it is a red herring and I'll consider it incomplete & low prio for
  now until I know more (allowing others that might see the same to find
  this bug and chime in).
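The two facts the report turns on are mechanical: AppArmor's init scripts derive SFS_MOUNTPOINT from where securityfs is mounted (the directory the dropped patch got wrong), and libvirt only advertises <model>apparmor</model> under <secmodel> when its security driver initialised, caching that answer under /var/cache/libvirt/qemu/capabilities/ until it is cleared as the reporter did. The POSIX shell script below is an added diagnostic, not code from the bug report, from AppArmor or from libvirt. It parses a mount table and a capabilities document the way a checker would, so the symptom can be confirmed from data instead of by eye; it goes slightly beyond the report by also ignoring <model> elements outside <secmodel> (libvirt emits one under <cpu>). The securityfs path /sys/kernel/security, the apparmor subdirectory under it, the awk parsing, the function names and the sample mount table and XML are all assumptions or constructed inputs; the quoted <secmodel> shapes follow the report.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report, AppArmor or libvirt) for the
# symptom in LP: #1895967. Assumptions: securityfs is normally mounted at
# /sys/kernel/security and AppArmor's kernel interface lives at
# $SFS/apparmor; the parsing below is ours, not libvirt's or AppArmor's.

# Constructed sample of /proc/mounts (not captured from a real host).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed capabilities XML in the shape quoted in the report. A <model>
# under <cpu> is included so the parser has to ignore it.
SAMPLE_CAPS_OK='<capabilities>
  <host>
    <cpu>
      <model>Skylake-Client-IBRS</model>
    </cpu>
    <secmodel>
      <model>apparmor</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type="kvm">+64055:+108</baselabel>
    </secmodel>
  </host>
</capabilities>'

SAMPLE_CAPS_BROKEN='<capabilities>
  <host>
    <cpu>
      <model>Skylake-Client-IBRS</model>
    </cpu>
    <secmodel>
      <model>none</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>'

# Print the mountpoint of the first securityfs entry in a mount table read
# from stdin; print nothing if securityfs is not mounted at all.
securityfs_mountpoint() {
    awk '$3 == "securityfs" { print $2; exit }'
}

# Directory AppArmor's tools expect the kernel interface under, given the
# securityfs mountpoint (what SFS_MOUNTPOINT should resolve to).
apparmor_interface_dir() {
    [ -n "$1" ] && printf '%s/apparmor\n' "$1"
}

# Print the <model> of every <secmodel> in capabilities XML read from stdin,
# one per line, ignoring <model> elements elsewhere in the document.
secmodels() {
    awk '
        /<secmodel>/   { in_sec = 1 }
        /<\/secmodel>/ { in_sec = 0 }
        in_sec && match($0, /<model>[^<]*<\/model>/) {
            print substr($0, RSTART + 7, RLENGTH - 15)
        }'
}

# Return 0 if the capabilities XML on stdin advertises the apparmor model.
has_apparmor_secmodel() {
    secmodels | grep -qx apparmor
}

# Summarise one host from its mount table and capabilities XML (both passed
# as strings). Prints one line; returns 0 only when both checks pass.
check_host() {
    mounts=$1; caps=$2
    sfs=$(printf '%s\n' "$mounts" | securityfs_mountpoint)
    if [ -z "$sfs" ]; then
        echo "FAIL: securityfs not mounted; apparmor_parser has no interface to load policy into"
        return 1
    fi
    if ! printf '%s\n' "$caps" | has_apparmor_secmodel; then
        models=$(printf '%s\n' "$caps" | secmodels | tr '\n' ' ')
        echo "FAIL: securityfs at $sfs but libvirt advertises: $models"
        echo "      if $(apparmor_interface_dir "$sfs") exists, clear /var/cache/libvirt/qemu/capabilities/* and restart libvirtd"
        return 1
    fi
    echo "OK: securityfs at $sfs, libvirt advertises apparmor"
}

# Live mode (read-only): run the same checks against this host.
if [ "${1:-}" = --live ]; then
    check_host "$(cat /proc/mounts)" "$(virsh capabilities 2>/dev/null)"
fi
```

Run it with `--live` on the affected host and on a working one; the "FAIL ... libvirt advertises: none dac" line is the state the report's second capabilities listing shows, and distinguishing it from the "securityfs not mounted" case tells you whether to look at the AppArmor side (policy never loaded) or only at libvirt's stale capabilities cache.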