Since the profile is not shipped by the apparmor package, I'm marking it
as invalid and adding the correct package passt
** Also affects: passt (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2077158
Title:
/etc/apparmor.d/usr.bin.pasta is missing in Ubuntu's apparmor package
Status in apparmor package in Ubuntu:
Invalid
Status in passt package in Ubuntu:
New
Bug description:
Ubuntu's apparmor package contains `/etc/apparmor.d/usr.bin.passt`,
but accidentally lacks `/etc/apparmor.d/usr.bin.pasta` which is needed
for `/usr/bin/pasta` (included in `passt` package).
Ubuntu has to cherry-pick
<https://salsa.debian.org/sbrivio/passt/-/commit/4a77ef55c34c579d4845aa2dfd003abf2195ea9b>.
ref: Comment from Stefano Brivio (sbrivio-rh)
<https://github.com/moby/moby/issues/48257#issuecomment-2293176303>
> ### About the AppArmor issue
>
> I finally had the chance to check this on Ubuntu 23.10, 24.04, a current
> snapshot of the upcoming 24.10, a current openSUSE Tumbleweed version, and a
> current Debian unstable (sid) installation.
>
> The issue occurs on Ubuntu 23.10 (`passt-0.0~git20230627.289301b-1`) and
> 24.04 (`passt-0.0~git20240220.1e6f92b-1`) only (not on 24.10, not on openSUSE,
> not on Debian) because, together with the change outlined in [Ubuntu's SE045
> specification](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626)
> and AppArmor's
> [wiki](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction),
> a Debian package
> [commit](https://salsa.debian.org/sbrivio/passt/-/commit/4a77ef55c34c579d4845aa2dfd003abf2195ea9b)
> is also missing from those versions.
>
> That commit actually includes the AppArmor profile for `pasta(1)` in the
> package. The AppArmor ABI of the profile is `3.0`, so it doesn't contain an
> explicit `allow userns create`, but the mere fact that there's a profile with
> ABI 3.0 allows pasta to create its sandboxing user namespace.
>
> Quoting from Ubuntu's SE045 specification, one step for that change should
> have been:
>
> > identify all packages within the Ubuntu archive that make use of
> > unprivileged user namespaces
>
> but this was somehow missed, I guess (I'm the maintainer of the Debian
> package, but I didn't get any notification).
>
> Now, while Ubuntu 24.10 and openSUSE Tumbleweed ship AppArmor packages with
> support for the `4.0` ABI, Debian unstable still ships 3.1.17, so, to keep
> things simple and still ship a single AppArmor profile (developed upstream), I
> won't update the profile to ABI 4.0 yet. Updating the profile wouldn't solve
> the issue anyway.
>
> So, how do we solve this? We would need to backport that Debian commit to
> Ubuntu 24.04 (and possibly 23.10), but I can't seem to register a Launchpad
> account to even start the
> [process](https://wiki.ubuntu.com/UbuntuBackports#Procedure) (wrong email
> address? :smile: ). If somebody could do that, or at least **file an Ubuntu
> issue**, that would be great. Thanks.
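An added check, not part of the bug report or the passt project, that audits whether each binary which needs unprivileged user namespaces has an AppArmor profile installed, which is what the quoted comment identifies as letting pasta create its sandboxing namespace under Ubuntu's restriction. It assumes Ubuntu's profile naming convention (`/usr/bin/pasta` is confined by `/etc/apparmor.d/usr.bin.pasta`) and the `kernel.apparmor_restrict_unprivileged_userns` sysctl that Ubuntu's restriction uses.

```shell
#!/bin/sh
# Added example: audit AppArmor profile coverage for binaries that need
# unprivileged user namespaces. Mirrors the bug: usr.bin.passt present,
# usr.bin.pasta missing. Assumes Ubuntu's profile file naming convention.

# Map a binary path to its conventional profile file name:
# /usr/bin/pasta -> usr.bin.pasta (leading '/' dropped, '/' -> '.')
profile_name_for() {
    printf '%s\n' "$1" | sed 's#^/##; s#/#.#g'
}

# Print the ABI a profile declares ("3.0", "4.0", ...), or "none" when the
# file has no "abi <abi/X.Y>," line.
profile_abi() {
    abi=$(sed -n 's/^[[:space:]]*abi[[:space:]]*<abi\/\([0-9.]*\)>,.*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${abi:-none}"
}

# Report one binary: 0 if its profile file exists under the given apparmor.d
# directory, 1 if it is missing (the usr.bin.pasta case from the report).
check_binary() {
    dir=$1; bin=$2
    file="$dir/$(profile_name_for "$bin")"
    if [ -f "$file" ]; then
        echo "OK       $bin -> $file (abi $(profile_abi "$file"))"
        return 0
    fi
    echo "MISSING  $bin -> $file (no profile; userns creation may be denied)"
    return 1
}

# Audit several binaries; return 1 if any profile is missing.
audit_profiles() {
    dir=$1; shift
    rc=0
    for bin in "$@"; do
        check_binary "$dir" "$bin" || rc=1
    done
    return $rc
}

# Stand-alone use against the live system: show whether the restriction is on,
# then audit the two passt binaries (sysctl name assumed from Ubuntu's feature).
if [ "${1:-}" = "--live" ]; then
    sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo "sysctl not present"
    audit_profiles /etc/apparmor.d /usr/bin/passt /usr/bin/pasta
fi
```

Run it with `--live` on an affected host; a `MISSING` line for `/usr/bin/pasta` next to an `OK` line for `/usr/bin/passt` reproduces the packaging gap the report describes.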