It seems it comes down to a change in /lib/apparmor/apparmor.systemd which now refuses to load profiles when running in a container.
Example with 3.0:

  $ /lib/apparmor/apparmor.systemd reload
  Not starting AppArmor in container

Example with 2.x:

  /lib/apparmor/apparmor.systemd reload
  Restarting AppArmor
  Reloading AppArmor profiles

This also explains why snap profiles work, they are loaded by snapd and not by apparmor.service.

I'll attach a repro script and full logs of the good and bad cases.

** Attachment added: "repro script comparing current and proposed apparmor version"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895967/+attachment/5413150/+files/apparmor-repro.sh

--
https://bugs.launchpad.net/bugs/1895967

Title:
  Apparmor 3.0.0 does not load profiles in containers anymore
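Added example, not part of the bug comment or its attached repro script: a way to confirm from inside a container whether the profiles expected from apparmor.service actually reached the kernel, rather than trusting the unit's exit status. It assumes the kernel's loaded-profile listing at /sys/kernel/security/apparmor/profiles (one "name (mode)" entry per line); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list expected AppArmor profiles that are NOT loaded.
# Reading the real listing typically needs root.
PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Print loaded profile names, one per line, stripping the trailing " (mode)".
# An unreadable listing (e.g. securityfs not mounted in the container) yields
# no names, so every expected profile is then reported as missing.
loaded_profiles() {
    [ -r "$1" ] || return 0
    sed -n 's/ ([a-z]*)$//p' "$1"
}

# missing_profiles LISTING NAME...
# Prints each NAME absent from LISTING; returns 1 if any is missing.
missing_profiles() {
    list=$1; shift
    rc=0
    for want in "$@"; do
        if ! loaded_profiles "$list" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of the situation in the report: only profiles loaded by
# snapd are present, nothing that apparmor.service would have loaded.
sample_listing() {
    cat <<'EOF'
snap.lxd.daemon (enforce)
snap-update-ns.lxd (enforce)
snap.lxd.hook.configure (complain)
EOF
}

# Usage: sh check.sh /usr/sbin/tcpdump /usr/bin/man
if [ "$#" -gt 0 ]; then
    missing_profiles "$PROFILES_FILE" "$@"
fi
```

A non-zero exit with profile names printed means those profiles are not enforced in the container, which is the state the 3.0 behaviour above would leave behind.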