This is failing because the apparmor_parser before the 3.0 release would build its capability list from the installed kernel headers. The apparmor_parser here was built against a kernel without support for cap 'bpf':

    root@priv:~# apparmor_parser -V
    AppArmor parser version 2.13.3
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2018 Canonical Ltd.

This was fixed in 3.0 by having a static caps list (with full mapping info) and the dynamic auto-generated list (against the kernel headers) that is used to check that the static list has not become stale. In addition the parser can pull kernel supported caps straight from the apparmor kernel module (it will however be missing the mapping info).

To fix similar issues upstream a limited version of the 3.0 fix was backported to 2.13, and released in 2.13.5. Ideally we would pull 2.13.6 in but at a minimum we need to pick:

    726c3fc1 parser: Make sure apparmor can build on old kernels
    3f8cfac3 parser/Makefile: fix generated cap comparison against known list
    ad45b807 parser: add CAP_BPF/PERFMON; convert to pregenerated cap list
    cd4a1613 Add CAP_BPF and CAP_PERFMON to severity.db
    60007d3f parser: Add warning to capability_table about the need to update the Makefile
    ef8d5141 parser/Makefile: use LC_ALL=C when invoking sed
    4e194b2f parser: unify capability name handling
    ed61e482 parser: cleanup capability_table generation by dropping cap sys_log
    efb6952e parser: Move to a pre-generated cap_names.h

Now for the bits I didn't quite figure out:

- Why does snapd think that the parser supports `bpf` when it in fact doesn't? My guess is that it's checking the kernel for support of bpf and not the parser.

- Why does this only seem to hit with `distrobuilder`? Testing with `hello-world` doesn't hit this issue, though we've seen similar behavior from the `go` snap. Is it a bug that only triggers on classic snaps? My guess is that it will depend on what connections (plugs) are used. Classic snaps in general shouldn't trigger this because they are run unconfined, but LXD triggers it because it has its own profile. Only snaps that plug a connection that requires bpf would trigger this.
--
https://bugs.launchpad.net/bugs/1964636
Title: Incorrect handling of apparmor `bpf` capability
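The mismatch described in the comment above (the kernel's AppArmor module advertises a capability that the installed parser does not know) can be checked on a host without touching the loaded policy. The script below is an added example written for this page; it is not part of the bug report, snapd, or the AppArmor project. It assumes that the kernel exposes its supported capability names in /sys/kernel/security/apparmor/features/caps/mask and that `apparmor_parser -Q` (skip kernel load) is available; the version threshold 2.13.5 / 3.0 is taken from the comment above.

```shell
#!/bin/sh
# Added example, not part of the bug report or the AppArmor project.
# Reports whether the installed apparmor_parser predates the pregenerated
# capability list (2.13.5 / 3.0) and whether the kernel advertises CAP_BPF /
# CAP_PERFMON while the parser rejects a profile that uses them.
# Assumptions: kernel-supported caps are listed (space separated) in
# /sys/kernel/security/apparmor/features/caps/mask, and `apparmor_parser -Q`
# parses a profile without loading it into the kernel.

# Extract the dotted version from the output of `apparmor_parser -V`.
parser_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^AppArmor parser version \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# True (exit 0) if dotted version $1 is lower than dotted version $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
            if (p < q) exit 0;
            if (p > q) exit 1;
        }
        exit 1
    }'
}

# Releases before 2.13.5 (and every 2.x below it) still derive the capability
# list from kernel headers; 3.0 and later carry the static list.
parser_lacks_bpf_fix() {
    case "$1" in
        3.*|[4-9].*) return 1 ;;
        *) version_lt "$1" 2.13.5 ;;
    esac
}

# Does the kernel's AppArmor module advertise capability $1?
# $2 is the path of the caps/mask feature file (parameter so it can be tested).
kernel_advertises_cap() {
    [ -r "$2" ] || return 2
    tr ' ' '\n' < "$2" | grep -qx "$1"
}

# Does the installed parser accept `capability <name>,` in a profile?
# -Q parses and resolves the profile without loading it into the kernel.
parser_accepts_cap() {
    tmp=$(mktemp) || return 2
    printf 'profile captest { capability %s, }\n' "$1" > "$tmp"
    apparmor_parser -Q "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Exit status: 0 consistent, 1 kernel-advertised cap rejected by parser,
# 2 could not check (no parser installed).
main() {
    mask=${APPARMOR_CAPS_MASK:-/sys/kernel/security/apparmor/features/caps/mask}
    out=$(apparmor_parser -V 2>/dev/null) \
        || { echo "apparmor_parser not found; cannot check"; return 2; }
    v=$(parser_version_from_output "$out")
    echo "apparmor_parser version: $v"
    if parser_lacks_bpf_fix "$v"; then
        echo "warning: release predates the pregenerated capability list (2.13.5 / 3.0)"
    fi
    rc=0
    for cap in bpf perfmon; do
        if kernel_advertises_cap "$cap" "$mask"; then
            if parser_accepts_cap "$cap"; then
                echo "$cap: advertised by kernel, accepted by parser"
            else
                echo "$cap: advertised by kernel, REJECTED by parser (profiles using it will not load)"
                rc=1
            fi
        else
            echo "$cap: not advertised by the kernel module (or $mask unreadable)"
        fi
    done
    return $rc
}

# Run the check; keep the status in a variable so sourcing the file never aborts.
main && status=0 || status=$?
echo "capability check status: $status"
```

On a host with the parser from the report (2.13.3) and a kernel that lists `bpf` in the caps mask, the script prints the version warning and reports `bpf` as advertised by the kernel but rejected by the parser, which is exactly the condition that makes a profile containing `capability bpf,` fail to load.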