** Also affects: apparmor (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu Questing)
       Status: New => Fix Released

** Changed in: apparmor (Ubuntu Plucky)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2110626

Title:
  apparmor fusermount3 profile disallows noatime flag, breaking
  fuse-overlayfs

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Plucky:
  In Progress
Status in apparmor source package in Questing:
  Fix Released

Bug description:
  [ Impact ]

  fusermount3 lacked permissions to mount with noatime, which is needed
  to use fuse-overlayfs.

  [ Test Plan ]

  After installation of the new AppArmor version, the machine might need
  to be rebooted. If a reboot between installation and test plan
  execution is needed for a test to pass, please mention it in the test
  plan execution notes so that we can determine if this is cause for
  verification test failure, expected behavior, or the result of an
  unrelated bug that we are not attempting to fix with this SRU.

   * Install fuse-overlayfs
   * Inside the home directory, make folders "lower", "upper", "work", and "mountpoint"
   * Mount a fuse-overlayfs with `fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=work mountpoint`
   * Without the fix: the mount fails and apparmor generates a log reporting "failed flags match"
   * With the fix: the mount should succeed

  [ Where problems could occur ]

  Allowing noatime mount flags for fusermount3 is loosening confinement
  on a profile. However, if a user manually modified the installed
  profiles, then the package upgrade would cause conflicts, and
  rejection of the incoming changes (either by hand during an
  interactive upgrade or automatically during a batch unattended
  upgrade) would result in end users not getting the packaged fix.

  [ Other Info ]

  This issue was originally reported at
  https://gitlab.com/apparmor/apparmor/-/merge_requests/1673.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110626/+subscriptions
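
The "without the fix" check from the test plan, as an added example that is not part of the original bug report: a small parser that picks out fusermount3 mount denials reporting "failed flags match" where noatime was among the requested flags. The sample log lines are constructed, and the field names other than the "failed flags match" message are assumed to follow the usual AppArmor key="value" audit format.

```python
import re

# Constructed sample audit lines (pids, paths and timestamps are made up).
# Field layout is an assumption based on the usual AppArmor audit format.
SAMPLE_LOG = """\
audit: type=1400 audit(1747300000.101:210): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="fusermount3" name="/home/user/mountpoint/" pid=4242 comm="fusermount3" fstype="fuse.fuse-overlayfs" srcname="fuse-overlayfs" flags="rw, nosuid, nodev, noatime"
audit: type=1400 audit(1747300005.332:211): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/etc/example.conf" pid=4250 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1747300009.870:212): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="fusermount3" name="/home/user/other/" pid=4260 comm="fusermount3" fstype="fuse.example" srcname="example" flags="rw, nosuid, nodev, nodiratime"
"""

# Matches key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {key: quoted if bare == "" else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def noatime_mount_denials(log_text, profile="fusermount3"):
    """Return mount denials for `profile` that failed on flags including noatime."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        if fields.get("operation") != "mount":
            continue
        if fields.get("info") != "failed flags match":
            continue
        flags = [flag.strip() for flag in fields.get("flags", "").split(",")]
        if "noatime" in flags:
            hits.append({"name": fields.get("name"),
                         "fstype": fields.get("fstype"),
                         "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in noatime_mount_denials(SAMPLE_LOG):
        print("noatime mount denied:", hit["name"], hit["fstype"], hit["flags"])
```

An empty result after repeating the mount step on the updated package is consistent with the "with the fix" outcome in the test plan.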

