This breakage is due to the latest AppArmor packaging enabling an
unshare-userns-restrict profile by default. In most cases, this allows
more usage of unshare than before (while limiting the attack surface
exposed by capabilities in unprivileged user namespaces), but sbuild is
one of the cases where the new profile imposes more restrictions instead
of loosening them. We are working on an updated sbuild profile to fix
this.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/2098906
Title:
apparmor breaks sbuild with unshare on plucky
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
After today's apparmor updates and restarting my computer, I can no
longer use sbuild's unshare backend. This breaks the (newly)
recommended way to build .deb packages locally from Ubuntu 25.04. (See
https://lists.ubuntu.com/archives/ubuntu-devel/2024-December/043193.html)
Journal excerpt
======
Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="AUDIT" operation="exec" class="file" info="ix fallback" profile="unshare" name="/usr/bin/newuidmap" pid=10846 comm="unshare" requested_mask="x" fsuid=1000 ouid=0 target="unpriv_unshare//&unshare"
Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="DENIED" operation="capable" class="cap" profile="unpriv_unshare" comm="newuidmap" capability=1 capname="dac_override"
ProblemType: Bug
DistroRelease: Ubuntu 25.04
Package: apparmor 4.1.0~beta5-0ubuntu2
ProcVersionSignature: Ubuntu 6.12.0-15.15-generic 6.12.11
Uname: Linux 6.12.0-15-generic x86_64
ApportVersion: 2.31.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Feb 19 17:25:41 2025
InstallationDate: Installed on 2024-04-12 (313 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Beta amd64 (20240410.2)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-6.12.0-15-generic root=UUID=7a431ed1-30e4-4377-bb6e-1f81480f31ba ro quiet splash crashkernel=2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to plucky on 2024-12-18 (63 days ago)
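To triage reports like this one from a journal, the following added example (not code from the bug report or from the apparmor or sbuild packages) parses AppArmor audit records and pairs the "ix fallback" transition into the unpriv_unshare profile stack with the capability denial that follows it; the sample input is the two journal lines quoted above.

```python
import re
import shlex

# Sample input: the two kernel audit records quoted in the bug report above.
SAMPLE_JOURNAL = """\
Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="AUDIT" operation="exec" class="file" info="ix fallback" profile="unshare" name="/usr/bin/newuidmap" pid=10846 comm="unshare" requested_mask="x" fsuid=1000 ouid=0 target="unpriv_unshare//&unshare"
Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="DENIED" operation="capable" class="cap" profile="unpriv_unshare" comm="newuidmap" capability=1 capname="dac_override"
"""

APPARMOR_MARKER = re.compile(r'\bapparmor="')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict,
    or None if the line carries no AppArmor record. Quoted values may contain
    spaces (info="ix fallback"), so shlex does the tokenising."""
    m = APPARMOR_MARKER.search(line)
    if not m:
        return None
    try:
        tokens = shlex.split(line[m.start():])
    except ValueError:  # unbalanced quotes: a truncated record, skip it
        return None
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def userns_denials(journal_text):
    """Collect the records that show the unshare-userns-restrict profile at
    work: DENIED records under the unpriv_unshare profile (or a stacked child
    of it) and the AUDIT record whose exec fell back into that profile stack."""
    events = []
    for line in journal_text.splitlines():
        rec = parse_audit_line(line)
        if not rec:
            continue
        profile, target = rec.get("profile", ""), rec.get("target", "")
        if rec.get("apparmor") == "DENIED" and profile.startswith("unpriv_unshare"):
            events.append({"kind": "denied", "comm": rec.get("comm"),
                           "operation": rec.get("operation"),
                           "detail": rec.get("capname") or rec.get("name")})
        elif rec.get("info") == "ix fallback" and target.startswith("unpriv_unshare"):
            events.append({"kind": "transition", "comm": rec.get("comm"),
                           "operation": rec.get("operation"),
                           "detail": rec.get("name")})
    return events


if __name__ == "__main__":
    for ev in userns_denials(SAMPLE_JOURNAL):
        print(f"{ev['kind']:<10} {ev['comm']:<10} {ev['operation']:<8} {ev['detail']}")
```

On a live system feed it `journalctl -k` output instead of the sample; a "transition" record followed by "denied" records for the same comm is the pattern this bug describes.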