AppArmor does mediation post symlink resolution. Using symlinks to move
a file or directories location means the profile for the application
needs to be updated. That is why you see the failure when using symlinks
to move those folders, those applications have not been give access to
the location
Hello,
This information, might be usefull. I've encounter the same problem with a snap
and found the problem. It's quite odd.
It s linked to AppArmor, it secure the snaps.
In my Home directory in Linux I've replaced the default folder (images,
music, videos, etc... ) with symlink with the same
The fix a now upstream according to last comment.
Thanks!
** Changed in: linux
Status: New => Fix Released
** Changed in: snapd (Ubuntu)
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux
The fix for the getattr issue in comment #26-#39 has now landed in
upstream 6.2 and be part of the final release.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot
This is popping up more and looks to be a regression in apparmor. I
don't have a fix yet
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Hi again John,
I managed to fix most of the denials now, and slack successfully starts
up (still quite a few denies, but most can be explained). Took quite a
few new rules. Thank you for your help and insight on this.
I'll post updates as soon as I have them. I need to find the proper
interfaces
Hi John,
Thank you for sharing your thoughts on this. I'll try to look into
experimenting with adding getattr in the seccomp profiles and
investigating the paths it accesses. I'll share if I figure something
out as well.
--
You received this bug notification because you are a member of Kernel
Philip so possibly snapd will need to add some new rules. This isn't a
case of missing on older kernels but the new kernel requiring something
more/new. I need to investigate the why more. There are three potential
options I see
1. this is a regression in apparmor, around the handling of getattr.
Hi John!
After adding the missing rule for /run/user/1000/doc/, those namespace
issues are now gone. However slack still fails to start, with the
following dmesg output:
https://paste.ubuntu.com/p/bbcWZG6qQP/
--
You received this bug notification because you are a member of Kernel
Packages,
So yes those look to be the culprit.
To snap-update.ns.slack profile you will need to add the rule
r @{run}/user/@{uid}/doc/,
you can do this to the generated profile (it will get thrown away when
it gets regenerated but should be sufficient to test). The profiles are
stored in
I reran the test with printk_ratelimit set to 0
https://paste.ubuntu.com/p/cSWg8vJHjB/
It seems there are denials related to the /run/user after changing the
ratelimit
[ 414.009909] audit: type=1400 audit(1675760471.797:304): apparmor="DENIED"
operation="getattr" class="file"
we do have several apparmor denials in there but none of them are
directly related to namespace creation. I have pasted then below just to
make sure they don't disappear when the pastebin is reaped. It is
possible that one of these denials is blocking the creation of a
namespace if its calling a
Yes, sorry.
https://paste.ubuntu.com/p/5w4f6w5CpG/
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
New
Status in linux
Is there a message in the kernel ring buffer (dmesg) or kernel audit
log?
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
I've been trying to reproduce this on a few different kernels now, I can
not reproduce this with
The default 5.19 kernel that 22.10 comes with (official images, after updating).
The latest mainline 6.1.10 kernel release.
I have 2.58 snapd installed, and on both I can start slack.
I can however
The apparmor patch in this bug is not in the upstream kernel because the
userns mediation code it is patching is not in the upstream kernel. If
the mainline kernel ppa it is failing it will be for a different reason.
--
You received this bug notification because you are a member of Kernel
As per #26, I too am still seeing this with the Mainline PPA kernel on
Ubuntu 22.10
> andi@hotblack:~$ uname -a
> Linux hotblack 6.2.0-060200rc4-generic #202301151633 SMP PREEMPT_DYNAMIC Sun
> Jan 15 16:40:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Don't recall it being an issue in 6.1.x
No
Is the kernel patch considered a workaround? It's not upstream, so if
you install for example a kernel ppa mainline kernel, this issue comes
back.
Is there supposed to be a snapd fix coming?
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed
This bug is awaiting verification that the linux-
hwe-5.19/5.19.0-24.25~22.04.1 kernel in -proposed solves the problem.
Please test the kernel and update this bug with the results. If the
problem is solved, change the tag 'verification-needed-jammy' to
'verification-done-jammy'. If the problem
This bug was fixed in the package linux - 5.19.0-21.21
---
linux (5.19.0-21.21) kinetic; urgency=medium
* kinetic/linux: 5.19.0-21.21 -proposed tracker (LP: #1992639)
* cannot change mount namespace (LP: #1991691)
- SAUCE: apparmor: Fix getaatr mediation causing snap
Same here, packages from proposed fixed it for me as well.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
New
Status in
I can confirm that 5.19.0-21-generic in kinetic-proposed does indeed fix
this issue for me.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
fwiw; I can confirm that the proposed patch also fixes issues with LXD
virtual machines and block devices that was present on 5.19.0-19 and
5.19.0-20 ref bug 1992564.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
** Changed in: linux (Ubuntu)
Importance: Undecided => Critical
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
New
The attachment "kernel patch to apparmor" seems to be a patch. If it
isn't, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
Note: this bug report has two parts to it.
1. Snap issue: mkdir failing covered by bug 1951210 and fixed in
https://github.com/snapcore/snapd/pull/12127
2. apparmor module issue in the kernel, covered by patch in #18
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen
The following patch fixes the issue for me.
** Patch added: "kernel patch to apparmor"
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1991691/+attachment/5623421/+files/0001-UBUNTU-SAUCE-apparmor-Fix-getattr-mediation-causing-.patch
--
You received this bug notification because you
** Changed in: linux (Ubuntu)
Milestone: None => ubuntu-22.10
** Changed in: snapd (Ubuntu)
Milestone: None => ubuntu-22.10
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
This is not related to the change in lp1990064. If it was you would see
log messages similar to
apparmor="DENIED" operation="userns_create" class="namespace" info="User
namespace creation restricted" error=-13 profile="unconfined" pid=21323
comm="steamwebhelper" requested="userns_create"
Sorry for not responding earlier. The logs already posted by others mirror what
I have seen.
The work-around for me is also to 5.19.0-18-generic (or rather
6.0.0-06.202210022231 from the mainline PPA).
It feels like the problem might be related to the kernel change discussed in
So re: issue/132 that code path has always been enabled. How we have
worked around it is by implicitly adding the GETATTR perm to the
mapping.
Their were significant changes around permission lookup and mapping but
not around how/where the check is done, so I assume it is in the mapping
code
Thanks Alex and John for jumping in -- I did some investigation and I'm
more and more persuaded that this is indeed a kernel (AppArmor bug).
The good thing is that this is 100% reproducible by just installing the
latest 22.10 daily images: firefox starts with warnings, and slack does
not start at
I am not the original author but it affects me too:
apparmor 3.0.7-1ubuntu1 amd64user-space parser utility for
AppArmor
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
There is an apparmor userspace update in flight as well can you confirm
your apparmor version by adding the output of
dpkg -l apparmor
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: linux (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
37 matches
Mail list logo
