Not strictly related to the original issue, but I just went through the
included abstractions, and someone more familiar with akonadi will
easily spot opportunities for additional restrictions. For example I
would be surprised if mysqld needs netlink or the net_bind_service
capability, which leak
Thank you for using Ubuntu and reporting a bug. This is not a bug in
AppArmor, but in the akonadi Ubuntu package. I'm closing the AppArmor
task, but leaving the akonadi task open and adding an 'apparmor' tag.
** Tags added: apparmor
** Changed in: apparmor
Status: New => Invalid
--
You
** Description changed:
The AppArmor profile usr.sbin.mysqld-akonadi is not compatible with
seccomp in general and the no_new_privs bit specifically, because it
includes a profile transition.
I came across this when I tried to write a profile for the Firejail
sandbox, and had to omit
** Attachment added: "proposal for usr.sbin.mysqld-akonadi"
https://bugs.launchpad.net/ubuntu/+source/akonadi/+bug/1759084/+attachment/5092388/+files/draft%20usr.sbin.mysqld-akonadi
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Also affects: akonadi (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1759084
Title:
mysqld-akonadi profile does not support seccomp
To manage
