Can we know what the fix is?

I managed to get around this bug by changing the following in passt and
pasta:

# diff /etc/apparmor.d/abstractions/passt /tmp/passt.orig
29,30c29,30
<   mount options=(rw, runbindable) -> /,
<   mount                       -> "/tmp/",
---
>   mount options=(rw, runbindable) /,
>   mount               ""      -> "/tmp/",
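Review bot: the second changed line in this hunk, `mount -> "/tmp/",`, drops the `""` source, but the error quoted in the bug description names only the runbindable rule (`Operation {'runbindable'} cannot have a source. Source = AARE('/')`). Say whether the tools also rejected the `""` rule, or keep that line as shipped so the workaround touches only the rule the error points at. Note too that the edited file is the first argument to diff, so the `<` lines are the workaround and the `>` lines are the shipped rules; stating that next to the diff avoids it being applied backwards.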

# diff /etc/apparmor.d/abstractions/pasta /tmp/pasta.orig 
18c18
<   mount                       -> "/proc/",
---
>   mount               ""      -> "/proc/",
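Review bot: the `mount "" -> "/proc/",` rule replaced in this hunk does not appear in any error in the report, which shows only the runbindable rule from abstractions/passt, so the reason for the pasta change should be stated (for example, the message the tools printed once passt was edited). It is also worth confirming that a rule with no source still matches the same mounts as one with an explicit empty source `""`, so that the workaround does not change what pasta is allowed to mount.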

-- 
https://bugs.launchpad.net/bugs/2079019

Title:
  Unable to enforce/disable profiles using aa-enforce/aa-disable

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Trying to enforce an apparmor profile on a newly installed Ubuntu
  24.04 server (ubuntu-24.04-live-server-amd64.iso, updated and
  rebooted) results in the following

  # aa-enforce podman

  ERROR: Operation {'runbindable'} cannot have a source. Source =
  AARE('/')

  
  Searching for runbindable in /etc/apparmor.d shows this

  # grep -r "runbindable*/*" /etc/apparmor.d
  /etc/apparmor.d/abstractions/passt:  mount options=(rw, runbindable) /,

  
  # aa-logprof 

  ERROR: Operation {'runbindable'} cannot have a source. Source =
  AARE('/')

  # aa-disable passt

  ERROR: Operation {'runbindable'} cannot have a source. Source =
  AARE('/')

  # aa-status --filter.profiles=podman
  apparmor module is loaded.
  98 profiles are loaded.
  0 profiles are in enforce mode.
  0 profiles are in complain mode.
  0 profiles are in prompt mode.
  0 profiles are in kill mode.
  1 profiles are in unconfined mode.
     podman
  0 processes have profiles defined.
  0 processes are in enforce mode.
  0 processes are in complain mode.
  0 processes are in prompt mode.
  0 processes are in kill mode.
  0 processes are unconfined but have a profile defined.
  0 processes are in mixed mode.

  # lsb_release -a
  No LSB modules are available.
  Distributor ID:       Ubuntu
  Description:  Ubuntu 24.04.1 LTS
  Release:      24.04
  Codename:     noble
