AFAIK, the fix was landed:
https://gitlab.com/apparmor/apparmor/-/commit/4bb134e4bb950a8c9a1f70a27eb2acd2a35df412

But the changelog
https://changelogs.ubuntu.com/changelogs/pool/main/a/apparmor/apparmor_4.0.1really4.0.0-beta3-0ubuntu0.1/changelog
says that everything was reverted back to 4.0.0~beta.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2067900

Title:
  apparmor unconfined profile blocks pivot_root

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  The LXD team got a report
  (https://github.com/canonical/lxd/issues/13389) from one of our users that on
  an Ubuntu Noble host it is not possible to run Docker containers
  inside an LXC container.

  After some investigation, it was discovered that the problem is connected
  with the AppArmor profile which is shipped by default as /etc/apparmor.d/runc
  (it comes from
  https://git.launchpad.net/ubuntu/+source/apparmor/commit/profiles/apparmor.d/runc?h=ubuntu/noble-devel&id=997aea8111bfa1e03960ae3a40321da73f0a6d96 )

  This profile is unconfined and should give all permissions to the runc
  daemon. But it does not work.

  Manually adding a "pivot_root," line and executing "systemctl reload
  apparmor.service" makes it work.

  After some further investigation it was found that on the upstream Linux
  kernel the problem is not reproducible.

  Our team was able to find a problematic commit:
  https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=dc757a645cfa82f6ac252365df20a36a9ff82760

  The following (partial) revert solves the issue on the Ubuntu
  kernel:

  diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
  index 74b7293ab971..b12e6bdfefb2 100644
  --- a/security/apparmor/mount.c
  +++ b/security/apparmor/mount.c
  @@ -678,7 +678,7 @@ static struct aa_label *build_pivotroot(const struct cred 
*subj_cred,
          AA_BUG(!new_path);
          AA_BUG(!old_path);
   
  -       if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
  +       if (profile_unconfined(profile) || !RULE_MEDIATES(rules, 
AA_CLASS_MOUNT))
                  return aa_get_newest_label(&profile->label);
   
          error = aa_path_name(old_path, path_flags(profile, old_path),
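Review bot: the `profile_unconfined(profile) ||` guard is added only in build_pivotroot; since this is described as a partial revert of the referenced Ubuntu kernel commit, check whether that commit applied the same RULE_MEDIATES-only test to the other mount hooks (mount, umount, remount), because an unconfined profile would still be mediated there and would need the identical guard. A one-line comment above the `if` stating that an unconfined profile is never mediated here, whether or not it carries mount rules, would record the intent for the next reader, since the early return path (`aa_get_newest_label(&profile->label)`) otherwise looks like a plain "no rules" case. The hunk header and the `if` line are also wrapped in the posting (`const struct cred` / `*subj_cred`, `AA_CLASS_MOUNT))` on its own line), so re-send the patch unwrapped or as an attachment so it applies cleanly with `git am`.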

  System info:

  # uname -a
  Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # cat /etc/os-release 
  PRETTY_NAME="Ubuntu 24.04 LTS"
  <CUT>

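The workaround described in the bug (add a "pivot_root," rule to the runc profile and reload AppArmor policy) as an added, idempotent shell script. This is example code written for this page, not code from the bug report, the LXD project or the AppArmor package; the profile path /etc/apparmor.d/runc is taken from the report, but the sample profile text below is constructed for the self-test and only mirrors the shape of a `flags=(unconfined)` profile, it is not the shipped file.

```shell
#!/bin/sh
# Added example (not from the bug report): idempotently add a "pivot_root,"
# rule to an AppArmor profile file and reload policy, which is the workaround
# the report describes. The default path is assumed from the report.
set -eu

# Exit 0 if the profile already carries a pivot_root rule (comments ignored).
has_pivot_root_rule() {
    grep -Eq '^[[:space:]]*pivot_root[[:space:],]' "$1"
}

# Insert "  pivot_root," immediately before the last line that is a lone "}",
# i.e. the line closing the profile block. Does nothing if already present.
add_pivot_root_rule() {
    profile="$1"
    if has_pivot_root_rule "$profile"; then
        return 0
    fi
    tmp="$(mktemp)"
    awk '
        { lines[NR] = $0 }
        /^}[[:space:]]*$/ { last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) print "  pivot_root,"
                print lines[i]
            }
        }' "$profile" > "$tmp"
    cat "$tmp" > "$profile"   # write in place to keep owner/mode of the file
    rm -f "$tmp"
    # Fail loudly if no closing brace was found and nothing was inserted.
    has_pivot_root_rule "$profile" || {
        echo "no profile block closing brace found in $profile" >&2
        return 1
    }
}

# Constructed sample: the shape of an unconfined profile, used for self-testing.
make_sample_profile() {
    cat > "$1" <<'EOF'
abi <abi/4.0>,
include <tunables/global>

profile runc /usr/sbin/runc flags=(unconfined) {
  userns,

  include if exists <local/runc>
}
EOF
}

# Apply the workaround to a live system: edit the profile, then reload policy
# the way the report does. Only runs when explicitly requested.
apply_workaround() {
    add_pivot_root_rule "${1:-/etc/apparmor.d/runc}"
    systemctl reload apparmor.service
}

if [ "${APPLY_RUNC_WORKAROUND:-0}" = 1 ]; then
    apply_workaround "$@"
fi
```

Run with `APPLY_RUNC_WORKAROUND=1 sh script.sh` on the affected host; without that variable the script only defines the functions, so it can be sourced and tested against a scratch copy of the profile first. The insertion is placed before the closing brace rather than after a specific rule so it does not depend on the profile containing `userns,` or any other particular line.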