[Bug 2064096] Re: Services fail to start in noble deployed with TPM+FDE

2024-05-03 Thread John Johansen
Unfortunately there isn't a way to do this via abstractions or configs.
It would be possible to add a patch to the userspace and SRU it. This
would be the quickest solution while we work on the necessary kernel
changes to make the use of attach_disconnected unnecessary.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064096

Title:
  Services fail to start in noble deployed with TPM+FDE

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064096/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2064096] Re: Services fail to start in noble deployed with TPM+FDE

2024-05-03 Thread John Johansen
Does the profile have the attach_disconnected flag set?

Does the profile have the attach_disconnected flag set while in complain
mode?

It looks to me that we are looking at open file descriptors that exist
out of the current namespace. This will result in a partial unattached
path that will not be allowed in complain mode. The denied path will not
start with /.

If the attach_disconnected flag is added, that will attach the
disconnected path to the root of the current mount namespace, which is
what I believe is happening with

  /systemd/...
vs
  /run/systemd/...


Unless unconfined is involved, both the ends of a socket are required to exist 
in the namespace for v7/v8 unix socket mediation (what is in noble). Unconfined 
is special in that it can delegate access to an open fd which is not 
generically allowed atm.

If all the above is correct then you can use the
attach_disconnected.path flag to attach the accesses to disconnected
fds.

The full flags parameter to apparmor would then look like

```
profile example flags=(attach_disconnected attach_disconnected.path=/run/) { ... }
```

and for complain mode

```
profile example flags=(complain attach_disconnected attach_disconnected.path=/run/) { ... }
```


This of course is a less than satisfactory workaround. There is work to
address the above better but none of it is in noble.

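As an added example (not code from the thread), the following Python triage script parses AppArmor audit records of the kind quoted in these bug reports, flags a denied name that lacks a leading "/" as a disconnected path (the condition described in the comment above), and models what attach_disconnected and attach_disconnected.path do to such a name as the comment describes it. The two userns records are copied from the Joplin report later in this digest (rejoined onto single lines); the file-denial record is constructed, and attach_path() is a model of the described behaviour, not the kernel implementation.

```python
"""Triage AppArmor audit records and spot disconnected paths.

Added example, not code from the bug thread.  Two records are copied from
the Joplin report in this digest (rejoined onto single lines); the file
denial is constructed.  attach_path() models the flag behaviour as the
thread describes it, not the kernel implementation.
"""
import re

# key="quoted value" or key=bare_value, as emitted after "apparmor=" in an
# audit record.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE = [
    # Joplin report: an unconfined task creating a user namespace is moved
    # into the unprivileged_userns profile ...
    '[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" '
    'operation="userns_create" class="namespace" info="Userns create - transitioning '
    'profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" '
    'requested="userns_create" target="unprivileged_userns"',
    # ... which then denies it CAP_SYS_ADMIN.
    '[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" '
    'operation="capable" class="cap" profile="unprivileged_userns" pid=3065 '
    'comm="@joplinapp-desk" capability=21  capname="sys_admin"',
    # Constructed: a file denial whose name has no leading "/", i.e. the object
    # is not reachable from the task's mount namespace (a disconnected path).
    '[  120.000001] audit: type=1400 audit(1713509200.000:300): apparmor="DENIED" '
    'operation="open" class="file" profile="example" name="systemd/notify" pid=4242 '
    'comm="example" requested_mask="w" denied_mask="w"',
    "kernel: unrelated line",   # ignored by the parser
]


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line ({} if none)."""
    start = line.find("apparmor=")
    if start < 0:
        return {}
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line[start:])}


def is_disconnected(name):
    """A mediated name without a leading '/' is a disconnected path."""
    return bool(name) and not name.startswith("/")


def attach_path(name, attach_prefix="/"):
    """Model of attach_disconnected: a disconnected name is attached under
    attach_prefix, the mount-namespace root by default, or the value given
    to attach_disconnected.path (e.g. "/run/").  Connected names are unchanged."""
    if not is_disconnected(name):
        return name
    return attach_prefix.rstrip("/") + "/" + name


def triage(lines):
    """One (kind, operation, profile, detail) tuple per AppArmor record."""
    out = []
    for line in lines:
        f = parse_audit_line(line)
        if not f:
            continue
        cls = f.get("class")
        if cls == "namespace":
            detail = f"{f.get('comm')} -> {f.get('target')}"
        elif cls == "cap":
            detail = f"capability {f.get('capname')} in {f.get('profile')}"
        elif "name" in f:
            detail = f["name"] + (" (disconnected)" if is_disconnected(f["name"]) else "")
        else:
            detail = f.get("info", "")
        out.append((f.get("apparmor"), f.get("operation"), f.get("profile"), detail))
    return out


if __name__ == "__main__":
    # Feed real records with:  sudo dmesg | python3 aa_triage.py
    import sys
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for rec in triage(source):
        print(*rec, sep=" | ")
```

For the constructed denial, attach_path("systemd/notify") gives /systemd/notify and attach_path("systemd/notify", "/run/") gives /run/systemd/notify, which is the difference between the two paths discussed above.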

[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2024-05-01 Thread John Johansen
So while I don't think we are where snapd can get rid of the
snap-confine.internal snippets, with it now vendoring a more recent apparmor,
a lot of these can drop away. It doesn't need to detect capabilities
anymore.

It can just specify

```
  deny capability perfmon,
```

and it will work, for all kernels.


[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2024-05-01 Thread John Johansen
@neigin: yes the capability to resolve this exists. So now it is a matter of 
getting it functioning in snapd for these cases. This will get resolved I just 
can't say when it will land.


[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-05-01 Thread John Johansen
@u-dal:

thank you, though I have to say I am at a loss as to why the snap version
of thunderbird is trying to access

```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```

what kind of configuration have you done? I see you are copying data
from /media/lubuntu/drive/startup/ into the snap, is something in one of
these a symlink into /media/lubuntu/drive/hq/email/thunderbird?

As for why this used to work and doesn't now: thunderbird, unless you
opted into it (enabled the profile), was not confined. The snap
thunderbird is confined and defines down to the file what thunderbird
has access to. Snaps however are not under normal apparmor control, and
make it somewhat hard for the user to extend what is allowed.

There are a few things that can be done to work around the issue but I
am still trying to understand why thunderbird is trying to access that
location.

Things we can do to work around this issue immediately, so you can have
access to your mail:

1. enable snapd prompting in the new security center (it's a flutter
based application, I am not sure if lubuntu is shipping it by default).
If this is a location that falls under what is allowed to prompt (I am
not sure it is), snapd will prompt you about allowing the access, store
your response and it will be allowed in the future.

2. reinstall thunderbird snap in dev mode

3. manually update the snap profile. There will have to be a script that
recopies, and reloads, as snap can and will regenerate and reload when
it refreshes.

4. uninstall the thunderbird snap and install thunderbird as a deb via
the mozilla ppa. You can opt into an apparmor profile if you want, in
this case you get full control over the profile.

5. disable apparmor in grub.


[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
So my supposition on the overlay looks to be incorrect. Would you be
willing to attach your full mount information?


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-30 Thread John Johansen
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363


[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
@u-dal:

Can you attach the overlay mount information?


[Bug 2064363] [NEW] thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
Public bug reported:

Moving this here from
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

snap policy on an overlay system is preventing thunderbird from running.
This is related to the snapcraft forum report
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "aa-status and systemctl output"
   https://bugs.launchpad.net/bugs/2064363/+attachment/5773407/+files/comment-101.txt


[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
** Attachment added: "dmesg denial output"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt


[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
** Attachment added: "dmesg denial output"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-30 Thread John Johansen
@u-dal:

the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials?

```
  sudo dmesg | grep DENIED
```


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-30 Thread John Johansen
@u-dal:
are you running in a live cd environment? Something odd is happening on your 
system, with some profiles loaded and systemctl reporting 
ConditionPathExists=!/rofs/etc/apparmor.d


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-29 Thread John Johansen
@u-dal:

This sounds like the apparmor policy is not being loaded; can you please
provide the output of

```
sudo aa-status
```

and

```
sudo systemctl status apparmor
```


[Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-04-29 Thread John Johansen
> To clarify, this is not something that can be solved upstream in
> apparmor, and a profile can't be accepted due to the nature of the path
> location?

correct, if it is an unprivileged user writable location it can't be
fixed entirely upstream. It is possible for us to ship a profile that is
disabled in some way but that takes a privileged user action to enable.
Eg. we could ship a profile using the xattrs attachment from above, then
the user would be responsible for setting the xattr with setfattr.

packaging nsjail is an option for Ubuntu but like you said it wouldn't
directly address previous versions and AOSP probably wouldn't like it.
With that said this isn't going to be an Ubuntu only restriction, the
security community in general is looking at different ways of
restricting unprivileged user namespaces. SELinux has picked up some
ability to mediate them, but isn't really applying it in policy yet. The
OSS email list (oss-secur...@lists.openwall.com) has been discussing
other options as well. The number of exploit chains associated with them
has forced us to start locking them down. The AppArmor solution will be
available to other distros as well, it is already available upstream in the
kernel and apparmor 4.0.

On the AppArmor side there is work on aa-notify that we are looking at SRUing.
That will help desktop users if they have it installed, where they can
get a notification that will take them to a simple gui that will allow
them to click enable (with a password) instead of having to know the
details underneath. It won't be integrated into the security center or
pretty, but a little better than the current situation for the user.


[Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-04-28 Thread John Johansen
running privileged applications out of home is dirty. But it is the
situation we are in with user namespaces and app images as well. Ubuntu
will not ship a profile for a privileged executable in the users home or
a writable location of an unprivileged user. As this can be leveraged to
by-pass the restriction, or it requires us to expand user mediation in
such a way that user writable locations with profiles defined become
privileged. Atm we are not adding additional restrictions to the user. This
allows the user to define a profile that allows by-passing the
restriction. A user opting to create a profile in a user writable
location is less dangerous as the location becomes non-standard so it
becomes harder to exploit. It also requires the user to take a
deliberate privileged action to add the profile.

Generally for the nsjail profile an attachment like

  @{HOME}/android-*/prebuilts/build-tools/linux-x86/bin/nsjail

is slightly better, but still not great. Atm it is very close to the
same, but there are improvements coming that will tighten @{HOME} to a
user specific kernel variable which will be better than /**.

The other way to handle this would be setting the security xattr and
using that as part of the attachment.

```
# label the nsjail binary (the path is a placeholder for wherever it lives)
sudo setfattr -n security.apparmor -v nsjail /path/to/nsjail
```

and define the profile as something like (you can make the path more
specific if you want).

```
profile nsjail /**/nsjail xattrs=(security.apparmor="nsjail") flags=(unconfined) {
  # ...
}
```


[Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-04-27 Thread John Johansen
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the
behavior of unprivileged user namespace mediation.

With the unprivileged_userns profile loaded, when a user namespace is
created by an unprivileged unconfined application the task will be
transitioned into the unprivileged_userns profile. The
unprivileged_userns profile will then deny privileged operations
capability, mount etc.

Without the unprivileged_userns profile loaded, the creation of the user
namespace will be denied.

Through experimentation we have learned that many applications behave
better (handle the errors better, eg. qtwebkit will handle the error and
fallback to using a sandbox without user namespaces while without the
profile it crashes) with the unprivileged_userns loaded. So that has
become the default behavior.

You can experiment with changing the behavior by manually unloading the
unprivileged_userns profile using

```
sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns
```

nsjail will likely require a profile to work, please see
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-27 Thread John Johansen
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial.

The appimage version of Balena Etcher unfortunately fails to run. We can not
provide a default profile for the appimage unless the user moves it to the
default deb install location (ie. installs it to the system, instead of running
it from their home dir). Users are free to add their own confinement profiles
for appimages. Directions are in
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-27 Thread John Johansen
The Wike fix is coming in the next SRU.


[Bug 2056627] Re: PHPStorm crashes when opening a project

2024-04-26 Thread John Johansen
It's not just that app images don't have a default path, we can handle
that as well. It is that user namespaces have become a privileged
operation, and the user must take some privileged action to allow
applications to use them.

That can be any of
- moving the application into a well known privileged location that has a
  profile already associated with it.
- creating a profile for the application where it is installed in their
  unprivileged location. This is currently allowed but problematic in that
  unprivileged code could potentially write to it and we are not currently
  restricting unprivileged applications from writing these locations. But that
  will come.
- tagging the application with the correct security label.

The important part is the user must take a privileged action to allow
applications that are using user namespaces to gain privilege. Note,
applications that use user namespaces that don't require privilege are
allowed, it's only applications that require privilege within the user
namespace.

Unfortunately appimages that use user namespaces need the user to take
one of the above privileged actions. And unfortunately Ubuntu can not
"fix" this without disabling the protection. There are plans to improve
the user experience and make this easier for users to do, but atm it is
a manual process.

The instructions provided by Seth will enable you to get the appimage
running.


[Bug 2063513] Re: torbrowser unusable - not accepting keyboard input

2024-04-25 Thread John Johansen
Unless there are other denials, this is not related to bug #2046844

Try adding the following rule to the torbrowser_firefox profile

```
  allow rw /run/dbus/system_bus_socket,
```

and then reloading it with either

```
sudo systemctl reload apparmor
```

or by using

```
sudo apparmor_parser -r /path/to/torbrowser_firefox_profile
```

where /path/to/torbrowser_firefox_profile is the profile file, which is likely in
/etc/apparmor.d/


[Bug 2039294] Re: apparmor docker

2024-04-25 Thread John Johansen
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to

```
  signal (receive) peer={runc,unconfined},
```

or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent, if
using the value of unconfined, or if @{runc} is used multiple times
within the profile.

```
@{runc}={runc,unconfined}

  signal (receive) peer=@{runc},
```


[Bug 2057943] Re: Can't disable or modify snap package apparmor rules

2024-04-20 Thread John Johansen
I will note that current snap behavior is by design. Not saying that
they couldn't make this easier but the snap side is functioning the way
it was designed.


[Bug 2062441] Re: Apparmor breaks Joplin Desktop

2024-04-19 Thread John Johansen
unfortunately Joplin is only shipped as an appimage for Linux. Which
means we can not ship a profile for it by default that will allow it to
use capabilities within the unprivileged user namespace that the
electron embedded browser is attempting to use.

This means that the user is required to intervene to enable an electron
based appimage so that it can be run. Unfortunately for 24.04 this means
some manual command line based intervention, instead of using a GUI like
on MacOS when a user needs to enable an application downloaded from the
internet.

This change is deliberate to increase the security of Ubuntu systems,
and while we will work on improving the user experience of the requirement
to have the user approve applications that are using privileged kernel
interfaces, there is no plan to revert this change. You can read more
about this in the release notes https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890


If you look in the kernel logs (or dmesg) you will find an apparmor
message similar to the one below showing what is causing your issue.

```
$ sudo dmesg | grep "apparmor=\"AUDIT"

[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" 
operation="userns_create" class="namespace" info="Userns create - transitioning 
profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" 
requested="userns_create" target="unprivileged_userns"
```
and
```
$ sudo dmesg | grep DENIED

[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" 
operation="capable" class="cap" profile="unprivileged_userns" pid=3065 
comm="@joplinapp-desk" capability=21  capname="sys_admin"
```

Unfortunately unprivileged user namespaces are using privileged kernel
interfaces (above protected by capability sys_admin) that have now been
restricted to known applications because they have been used in a lot of
exploit chains.

you can add a profile for the application by copying the profile from
below into /etc/apparmor.d/ and then updating by replacing
`/home/jj/Downloads/Joplin-2.14.20.AppImage` with the location you
are running your joplin appimage from.

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile joplin /home/jj/Downloads/Joplin-2.14.20.AppImage flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/joplin>
}
```

Once that is done you can do
```
$ sudo apparmor_parser -r /etc/apparmor.d/joplin
```

that will allow you to run joplin without having to reboot. Having the
joplin profile in /etc/apparmor.d/ will ensure it is reloaded if you
reboot.


** Changed in: apparmor (Ubuntu)
   Status: New => Won't Fix

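Added example, not the thread's own code: a Python script that renders the "naming" profile quoted in the Joplin comment above for an arbitrary application path (deriving the profile name from the file name and double-quoting an attachment path that contains whitespace), and optionally the xattr-attached variant from the nsjail comment earlier in this digest. install_profile() writes the result under /etc/apparmor.d and reloads it with `apparmor_parser -r` as the comment describes; it needs root and is only run from the command line with --install. The script name mkprofile.py and the --xattr/--install options are assumptions for the usage line.

```python
"""Render an AppArmor "naming" profile for an application that lives outside
the distribution's default install paths (an AppImage in a home directory, etc.).

Added example, not code from the bug thread.  The profile template is the one
quoted in the Joplin comment (abi 4.0, tunables/global, flags=(unconfined),
userns, local include); the xattr attachment follows the nsjail comment.
"""
import re
import shutil
import subprocess
import sys

PROFILE_DIR = "/etc/apparmor.d"


def profile_name_for(path):
    """Derive a profile name from the file name: drop the extension and a
    trailing -<version>, lower-case, keep only [a-z0-9_-]."""
    stem = path.rsplit("/", 1)[-1]
    stem = re.sub(r"(?<=.)\.[A-Za-z]+$", "", stem)  # Joplin-2.14.20.AppImage -> Joplin-2.14.20
    stem = re.sub(r"-\d[\d.]*$", "", stem)           # Joplin-2.14.20 -> Joplin
    name = re.sub(r"[^a-z0-9_-]+", "_", stem.lower()).strip("_")
    if not name:
        raise ValueError(f"cannot derive a profile name from {path!r}")
    return name


def apparmor_path(path):
    """Attachment paths must be absolute; AppArmor reads whitespace as a token
    boundary, so a path containing it is double-quoted."""
    if not path.startswith("/"):
        raise ValueError(f"attachment path must be absolute: {path!r}")
    if re.search(r"\s", path):
        return '"' + path + '"'
    return path


def render_profile(path, name=None, xattr=None):
    """Return the profile text.  With xattr set, the profile attaches only to
    a binary whose security.apparmor xattr carries that value (set with
    setfattr, as in the nsjail comment), so the path may be a glob."""
    name = name or profile_name_for(path)
    xattr_clause = f' xattrs=(security.apparmor="{xattr}")' if xattr else ""
    lines = [
        "# This profile allows everything and only exists to give the",
        '# application a name instead of having the label "unconfined"',
        "",
        "abi <abi/4.0>,",
        "include <tunables/global>",
        "",
        f"profile {name} {apparmor_path(path)}{xattr_clause} flags=(unconfined) {{",
        "  userns,",
        "",
        "  # Site-specific additions and overrides. See local/README for details.",
        f"  include if exists <local/{name}>",
        "}",
    ]
    return "\n".join(lines) + "\n"


def install_profile(path, name=None, xattr=None):
    """Write the profile to /etc/apparmor.d/<name> and load it with
    'apparmor_parser -r' (needs root).  Keeping the file there means it is
    reloaded on boot, as the Joplin comment notes."""
    name = name or profile_name_for(path)
    target = f"{PROFILE_DIR}/{name}"
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(render_profile(path, name, xattr))
    parser = shutil.which("apparmor_parser")
    if parser is None:
        raise RuntimeError(f"{target} written, but apparmor_parser is not installed")
    subprocess.run([parser, "-r", target], check=True)
    return target


if __name__ == "__main__":
    # usage: mkprofile.py /path/to/app [--xattr VALUE] [--install]
    args = sys.argv[1:]
    if not args:
        sys.exit("usage: mkprofile.py /path/to/app [--xattr VALUE] [--install]")
    xattr_value = args[args.index("--xattr") + 1] if "--xattr" in args else None
    if "--install" in args:
        print("loaded", install_profile(args[0], xattr=xattr_value))
    else:
        sys.stdout.write(render_profile(args[0], xattr=xattr_value))
```

Without --install the script only prints the profile, so the text can be reviewed (and the path checked) before anything is written under /etc/apparmor.d.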

[Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3

2024-04-16 Thread John Johansen
the kernel team is already rolling kernels with the fix for 2061851 but
it is also building in the
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel ppa


[Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3

2024-04-16 Thread John Johansen
This is likely a dup of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851


[Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
More applications will be getting confinement, on an individual level I
don't think it will be everything from debs. In this case it's because it
uses unprivileged user namespaces. Which is now being restricted and
treated as semi-privileged because it gives access to several
privileged kernel interfaces. Those privileged kernel interfaces should
be in theory safe, but the reality is that they aren't. Unprivileged
user namespaces are the first step in almost every kernel exploit chain
for the last 7 or so years.

In pwn2own last year 4 of the 5 exploits used unprivileged user
namespaces. This year all 4 did, however if you turn the restriction on
(present in 23.10 but not enabled by default) every one of the
exploits is blocked. The current step is far from perfect, but we are
working on improving it.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060810

Title:
  Wike does not run in Ubuntu 24.04 due to apparmor issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060810/+subscriptions


[Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
There are vague plans, yes. The timeline of it has not been scoped, but
it would be something akin to what happens on macOS when you try to run
a downloaded application for the first time and you have to go into
their security config to allow it.

The application will still be "confined", but it may not get its own
individual profile and may share one with others the user has downloaded.
The unconfined profiles will also get developed into full profiles. The
plan is that unconfined profiles won't be a standard thing but an
exception.

Another thing that is going to happen in the next upload is that bwrap gets its
own profile. Applications using bwrap might work through the bwrap profile.
There will still be cases where they will need their own profile, but
the bwrap profile will cover several cases that don't work today.
Applications that have already received an unconfined profile will
continue to work that way.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060810

Title:
  Wike does not run in Ubuntu 24.04 due to apparmor issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060810/+subscriptions


[Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
The fix has been merged upstream in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1209

It will be in the next release.


** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060767

Title:
  Foliate does not run in Ubuntu 24.04 due to apparmor issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060767/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-03 Thread John Johansen
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed, but most of the options also
require capabilities within the user namespace.

The potential solution I mention in comment #91 is to define a profile
for bwrap that allows it capabilities within the namespace but does not
allow its children capabilities within the namespace, so that bwrap and
unshare can not just launch an application to bypass the restriction.
This seems to work well for unshare, but there are cases where bwrap is
failing in unexpected ways (which is still being debugged).

At this late stage the plan is to try to get a fix for bwrap in, but if
necessary to file an SRU for the bwrap fix. So yes, this is
being worked on, and even if the fix isn't present on day one we do plan
to get it fixed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-03 Thread John Johansen
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined
profile, as that allows for an arbitrary bypass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions, but at this point there are still some issues with it that
are being debugged.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 1597017] Re: mount rules grant excessive permissions

2024-04-03 Thread John Johansen
It is in the SRU queue and the current ETA is April 15 to land in the
proposed pocket (archive proposed, not the security proposed ppa). There is a
caveat that the recent xz backdoor has caused some "fun" on the archive
side and could potentially cause some delays.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1597017

Title:
  mount rules grant excessive permissions

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions


[Bug 2060100] Re: denials from sshd in noble

2024-04-03 Thread John Johansen
Fixed by MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1196

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060100

Title:
  denials from sshd in noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100/+subscriptions


[Bug 2060100] [NEW] denials from sshd in noble

2024-04-03 Thread John Johansen
Public bug reported:

2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400
audit(1711512628.920:155): apparmor="DENIED" operation="bind"
class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix"
sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind"
addr="@63cf34db7fbab75f/bus/sshd/system"

2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107
audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295
ses=4294967295 subj=unconfined msg='apparmor="DENIED"
operation="dbus_method_call"  bus="system"
path="/org/freedesktop/login1"
interface="org.freedesktop.login1.Manager"
member="CreateSessionWithPIDFD" mask="send"
name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd"
peer_pid=688 peer_label="unconfined"

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: Confirmed

** Affects: apparmor (Ubuntu Noble)
 Importance: Undecided
 Status: Confirmed

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Also affects: apparmor (Ubuntu Noble)
   Importance: Undecided
   Status: Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060100

Title:
  denials from sshd in noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-01 Thread John Johansen
We have an update of the firefox profile coming that supports the
/opt/firefox/firefox location used as the default install for the
firefox downloaded directly from mozilla.org

If you are running firefox out of your home directory, that will not be
directly supported and you will need to choose to do one of the following
to fix the issue.

1. The recommended way is updating the firefox profile in
/etc/apparmor.d/firefox by adding the location you have firefox
installed, and then reloading the profile with sudo apparmor_parser -r
/etc/apparmor.d/firefox.

2. You can disable user namespaces; this will keep firefox from trying
to use them as part of its sandbox: https://lwn.net/Articles/673597/

3. The least recommended way to fix this is to disable the finer
grained user namespace restrictions as outlined in
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

** Changed in: qmapshack (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: qutebrowser (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: rssguard (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: supercollider (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: geary (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: goldendict-webengine (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: kchmviewer (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: loupe (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: notepadqq (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: pageedit (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2056297] Re: Non-flatpak Firefox-based browsers crash with kernel 6.8.0-11-generic in 24.04

2024-04-01 Thread John Johansen
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

I will add here as well that we have an update of the firefox profile
coming that supports the /opt/firefox/firefox location used as the
default install for the firefox downloaded directly from mozilla.org

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056297

Title:
  Non-flatpak Firefox-based browsers crash with kernel 6.8.0-11-generic
  in 24.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2056297/+subscriptions


[Bug 2056297] Re: Non-flatpak Firefox-based browsers crash with kernel 6.8.0-11-generic in 24.04

2024-04-01 Thread John Johansen
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

Hi cipricus,

can you specify how and where your firefox was installed? We are trying
to support multiple variations, including downloading directly from
mozilla if it is installed to the standard location.


mruffell is correct in his assessment that this is due to firefox not correctly 
handling user namespace mediation. This can be seen in your dmesg with the 
following messages

[   69.033622] audit: type=1400 audit(1709714939.278:138): apparmor="AUDIT" 
operation="userns_create" class="namespace" info="Userns create - transitioning 
profile" profile="unconfined" pid=2922 comm=495043204C61756E6368 
requested="userns_create" target="unprivileged_userns"
[   69.037108] audit: type=1400 audit(1709714939.282:139): apparmor="DENIED" 
operation="capable" class="cap" profile="unprivileged_userns" pid=2982 
comm=53616E64626F7820466F726B6564 capability=21  capname="sys_admin"


Unfortunately firefox does not gracefully handle the error returned when it tries an 
operation that requires the sys_admin capability, resulting in the crash.


mruffell has already provided all the relevant links so I will just supplement 
that information

1. The recommended way is updating the firefox profile in
/etc/apparmor.d/firefox by adding the location you have firefox
installed, and then reloading the profile with sudo apparmor_parser -r
/etc/apparmor.d/firefox

2. You can disable user namespaces; this will keep firefox from trying
to use them as part of its sandbox: https://lwn.net/Articles/673597/

3. The least recommended way to fix this is to disable the finer
grained user namespace restrictions as outlined in
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056297

Title:
  Non-flatpak Firefox-based browsers crash with kernel 6.8.0-11-generic
  in 24.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2056297/+subscriptions


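
An added example, not code from this thread or from the AppArmor project, that turns the audit lines quoted in this comment and in the sshd report above into a triage view: it splits each line into its key=value fields, decodes the hex-encoded comm= values (the kernel hex-encodes a process name that contains a space), and tells apart the user-namespace transition record, a capability denied inside unprivileged_userns, a D-Bus denial and an ordinary denial. The sample lines are the ones quoted in the thread re-joined onto single lines; the category names and function names are this example's own.

```python
import re
from typing import Optional

# The four lines quoted in the thread (sshd bind and dbus denials, firefox
# userns transition and capability denial), each re-joined onto one line.
# The dbus line is a type=1107 record whose AppArmor fields sit inside msg='...'.
SAMPLE_LOG = """\
2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"
2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"
[   69.033622] audit: type=1400 audit(1709714939.278:138): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=2922 comm=495043204C61756E6368 requested="userns_create" target="unprivileged_userns"
[   69.037108] audit: type=1400 audit(1709714939.282:139): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=2982 comm=53616E64626F7820466F726B6564 capability=21  capname="sys_admin"
"""

# key=value pairs: either a double-quoted value or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_comm(value: str) -> str:
    """A bare comm= value is hex-encoded when the name contains a space or an
    unprintable byte; anything that is not an even run of hex digits is kept."""
    if not HEX_RE.match(value):
        return value
    return bytes.fromhex(value).decode("utf-8", "replace")


def parse_apparmor_event(line: str) -> Optional[dict]:
    """Return the fields of one AppArmor audit line, or None if the line carries
    no apparmor= field. The msg='...' wrapper of type=1107 records is stripped
    (with or without its closing quote) so those fields parse like the rest."""
    if "apparmor=" not in line:
        return None
    line = line.replace("msg='", "").rstrip().rstrip("'")
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        if bare:
            fields[key] = decode_comm(bare) if key == "comm" else bare
        else:
            fields[key] = quoted
    return fields


def classify(ev: dict) -> tuple:
    """Map an event to (category, one-line summary) for triage.

    userns_transition: AUDIT record of a task creating a user namespace and being
                       moved to the unprivileged_userns profile
    userns_capability: capability denied inside unprivileged_userns (the case
                       that crashes firefox in the thread)
    dbus_denied:       D-Bus method call denied for the sender's label
    denied:            any other DENIED record
    other:             anything else (ALLOWED, STATUS, ...)
    """
    op = ev.get("operation")
    comm = ev.get("comm", "?")
    if ev.get("apparmor") == "AUDIT" and op == "userns_create":
        return ("userns_transition",
                f"{comm} (pid {ev.get('pid')}) moved from {ev.get('profile')} to {ev.get('target')}")
    if ev.get("apparmor") != "DENIED":
        return ("other", f"{ev.get('apparmor')} {op}")
    if ev.get("profile") == "unprivileged_userns" and op == "capable":
        return ("userns_capability",
                f"{comm} (pid {ev.get('pid')}) denied {ev.get('capname')} inside an unprivileged user namespace")
    if op == "dbus_method_call":
        return ("dbus_denied",
                f"{ev.get('label')} -> {ev.get('name')} {ev.get('interface')}.{ev.get('member')}")
    return ("denied",
            f"{ev.get('profile')} {op} class={ev.get('class')} mask={ev.get('denied_mask')}")


def triage(log_text: str) -> list:
    """Parse and classify every AppArmor line in a dmesg/syslog excerpt."""
    results = []
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if ev is not None:
            results.append(classify(ev))
    return results


if __name__ == "__main__":
    for category, summary in triage(SAMPLE_LOG):
        print(f"{category:18} {summary}")
```

Run against `sudo dmesg | grep apparmor` output, the userns_capability category is the one to look for when an application dies right after a userns_transition record for it.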
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-29 Thread John Johansen
@coeur-noir:

Are you installing firefox to /opt/ as recommended or using it local in
your user account?


As for bwrap, maybe it is known to be problematic. It is allowed to run and to 
create a user namespace, but it is denied all capabilities within the namespace.

Can you run
  sudo dmesg | grep apparmor

and add the information here.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-03-28 Thread John Johansen
** Changed in: linux (Ubuntu Focal)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2045384

Title:
  AppArmor patch for mq-posix interface is missing in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045384/+subscriptions


[Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-03-28 Thread John Johansen
1. Yes. The backport was for 5.15 jammy kernels including HWE
derivatives. The user space SRU was done in bug

  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146

which included Focal. The intent being Focal will only support mqueue if
it is using an HWE kernel.

2. Yes, that makes sense. I have added a linux-hwe entry for focal.


** Also affects: linux-hwe (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-hwe (Ubuntu Jammy)
   Status: New => Invalid

** Also affects: livecd-rootfs (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: linux-hwe (Ubuntu Focal)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2045384

Title:
  AppArmor patch for mq-posix interface is missing in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045384/+subscriptions


[Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-24 Thread John Johansen
So what I think is going on, from a first pass look at this, is that

we are seeing a change in kernel behavior around exec. The 6.8 kernel has a
known change here that doesn't normally trigger, because unconfined is
delegating access into the profile. However, in the lxd case unconfined
is not delegating access, so the profile needs access to the
application.

The accompanying patch should fix the issue, and does not actually grant
any more permission than was already required; it was just being
delegated in by unconfined.


** Patch added: "apparmor-add-execmap.patch"
   
https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5758964/+files/apparmor-add-execmap.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058866

Title:
  proposed-migration for cups-browsed 2.0.0-0ubuntu8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions


[Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-24 Thread John Johansen
Do we know if there is a difference in the kernel between the runs?

The 2.0.0.0~0ubuntu3 autopackage run log I was pointed at was on a
  Linux 5.4.0-170-generic #188-Ubuntu

Do we know what kernel 2.0.0-0ubuntu7 is failing on? There was a
change to when security checks are made on the exec path; this
particular denial makes me wonder if we are seeing an artifact of that
here.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058866

Title:
  proposed-migration for cups-browsed 2.0.0-0ubuntu8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions


[Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-24 Thread John Johansen
** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058866

Title:
  proposed-migration for cups-browsed 2.0.0-0ubuntu8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions


[Bug 2057937] Re: apt-news.service reporting errors after ubuntu-pro-client install

2024-03-20 Thread John Johansen
So it depends on what you mean by enabled. The standard check to see if
apparmor is enabled is to check the kernel for its presence, and whether the
kernel module reports that it is enabled. This is a separate state from
whether policy is loaded.

The apparmor library generally provides the check, but it can be statically
linked in, or even hard coded. Systemd statically links the library, so
it is only a build dependency, not a run time one.

In the systemd case, if the module is enabled in the kernel
(/sys/module/apparmor/parameters/enabled == Y) and securityfs is mounted,
then apparmor is considered enabled and ready to accept policy.

As for the default policy, that will depend. Generally you are only
looking at unconfined. But it is possible to load policy in early boot
(either initrd, or systemd via /etc/apparmor/earlypolicy). It is even
possible to compile policy into the kernel. So technically in these
cases you do not actually need the apparmor userspace package installed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2057937

Title:
  apt-news.service reporting errors after ubuntu-pro-client install

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2057937/+subscriptions


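
An added example, not systemd's or libapparmor's own code, that applies the distinction drawn in the comment above: "enabled" is decided from the kernel parameter and the presence of a securityfs mount, and "policy loaded" is a separate question answered by the profile listing securityfs exposes. The parsing functions take file contents as strings so they run offline; the state names, the profile listing used as sample input and read_live_state() are this example's own, and reading the profiles list needs root.

```python
from pathlib import Path
from typing import Optional

# The parameter file named in the thread, the mount table, and the profile
# listing that securityfs exposes once it is mounted.
ENABLED_PARAM = Path("/sys/module/apparmor/parameters/enabled")
MOUNTS = Path("/proc/mounts")
PROFILES_LIST = Path("/sys/kernel/security/apparmor/profiles")

# Four distinct answers: enabled in the kernel sense is not "policy loaded".
DISABLED = "disabled"                      # module absent or enabled != Y
NO_SECURITYFS = "no-securityfs"            # enabled, but nothing can load policy yet
ENABLED_UNCONFINED = "enabled-unconfined"  # ready, every task still unconfined
ENABLED_POLICY = "enabled-policy"          # ready and at least one profile loaded


def kernel_enabled(param_text: Optional[str]) -> bool:
    """param_text is the content of /sys/module/apparmor/parameters/enabled, or
    None when the file does not exist (AppArmor not built in or not active)."""
    return param_text is not None and param_text.strip() == "Y"


def securityfs_mounted(mounts_text: str) -> bool:
    """Scan /proc/mounts-style lines (device mountpoint fstype options ...)
    for a securityfs entry, the second half of the check systemd makes."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "securityfs":
            return True
    return False


def loaded_policy(profiles_text: str) -> dict:
    """Parse the profiles listing, one 'name (mode)' per line, into
    {name: mode}. Lines that do not have that shape are skipped."""
    policy = {}
    for line in profiles_text.splitlines():
        line = line.strip()
        if not line.endswith(")") or " (" not in line:
            continue
        name, mode = line[:-1].rsplit(" (", 1)
        policy[name] = mode
    return policy


def apparmor_state(param_text: Optional[str], mounts_text: str,
                   profiles_text: Optional[str]) -> str:
    """Combine the three inputs into one of the four states above."""
    if not kernel_enabled(param_text):
        return DISABLED
    if not securityfs_mounted(mounts_text):
        return NO_SECURITYFS
    if not loaded_policy(profiles_text or ""):
        return ENABLED_UNCONFINED
    return ENABLED_POLICY


def _read(path: Path) -> Optional[str]:
    try:
        return path.read_text()
    except OSError:  # missing file, or the profiles list without root
        return None


def read_live_state() -> str:
    """Evaluate the running system (run as root to see loaded profiles)."""
    return apparmor_state(_read(ENABLED_PARAM), _read(MOUNTS) or "",
                          _read(PROFILES_LIST))


if __name__ == "__main__":
    print(read_live_state())
```

Without root the profiles list is unreadable and the result degrades to enabled-unconfined, so treat that answer from an unprivileged run as "unknown" rather than "no policy".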
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-18 Thread John Johansen
@ajg-charlbury: no, apparmor beta3 has not landed in proposed yet; we are
working on the upload now. firefox has separately added a bug fix that
will detect when the user namespace/capabilities are denied and fall back
without crashing, but it disables the full sandbox.

The apparmor beta3 fix should enable firefox to function with the full
sandbox.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-17 Thread John Johansen
@ajg-charlbury: yes, for firefox we are well aware of the problem; the
firefox profile has been tweaked for beta3 (landing this week) so that
it should work with the new deb.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@arraybolt3: qutebrowser should be fixed in beta3


** Changed in: qutebrowser (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: qmapshack (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: notepadqq (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: pageedit (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: qmapshack should be fixed in beta3

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: I have been able to verify that privacybrowser is not working.
However it is not due to the apparmor user namespace restrictions.

I get the following segfault out of dmesg
[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc sp 
7ffd5c6587e0 error 4 in libQt5Core.so.5.15.12[70bb4da8e000+335000] likely 
on CPU 0 (core 0, socket 0)
[ 1591.466026] Code: ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 55 
48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 98 00 00 00 48 89 55 80 <48> 8b 5f 
08 89 b5 7c ff ff ff 64 48 8b 04 25 28 00 00 00 48 89 45


I recommend opening a separate bug to track the issue.


** Changed in: privacybrowser (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: pageedit should be fixed in beta3

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: notepadqq should be fixed in beta3

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez:

there are no updated deb packages in the ppa for kiwix.
the kiwix appimage worked for me.
kiwix flatpak worked for me.

I am not sure what you were seeing, but we are going to need more
information.


** Changed in: kiwix (Ubuntu)
   Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
hi @vvaleryan-24,

I have been able to replicate the crash you are seeing, but it is not due
to the user namespace restriction. The restriction's logging does not
happen, and I can put it in an unconfined profile and it still doesn't
help. From dmesg I find the following segfault:

[79854.520976] gpk-application[19250]: segfault at 8 ip 5930eec2dba8 sp 
7fff471b6b70 error 4 in gpk-application[5930eec24000+d000] likely on CPU 1 
(core 0, socket 1)
[79854.520985] Code: 85 ff 0f 85 72 fd ff ff e9 72 fd ff ff 0f 1f 44 00 00 48 
8b 44 24 30 48 8d 15 37 46 00 00 be 10 00 00 00 48 8d 3d c2 34 00 00 <48> 8b 48 
08 31 c0 e8 6d 79 ff ff c7 43 04 00 00 00 00 48 8b 7b 50

My recommendation is we move debugging of this over to the other bug.


** Changed in: gnome-packagekit (Ubuntu)
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046843] Re: Gnome Packagekit crashes when entering a package name search in Ubuntu Noble

2024-03-16 Thread John Johansen
I have confirmed this is not due to the AppArmor user namespace
restriction. When trying to search for an application the application
will crash with the following segfault

[79854.520976] gpk-application[19250]: segfault at 8 ip 5930eec2dba8 sp 
7fff471b6b70 error 4 in gpk-application[5930eec24000+d000] likely on CPU 1 
(core 0, socket 1)
[79854.520985] Code: 85 ff 0f 85 72 fd ff ff e9 72 fd ff ff 0f 1f 44 00 00 48 
8b 44 24 30 48 8d 15 37 46 00 00 be 10 00 00 00 48 8d 3d c2 34 00 00 <48> 8b 48 
08 31 c0 e8 6d 79 ff ff c7 43 04 00 00 00 00 48 8b 7b 50

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046843

Title:
  Gnome Packagekit crashes when entering a package name search in Ubuntu
  Noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-packagekit/+bug/2046843/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
This will be fixed in Beta.

** Changed in: kchmviewer (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: rssguard (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: supercollider (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
Sorry, this won't be fixed in Beta3; that note was for goldendict.

** Changed in: gnome-packagekit (Ubuntu)
 Assignee: John Johansen (jjohansen) => (unassigned)


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
Will be fixed in Beta3

** Changed in: goldendict-webengine (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
This will be fixed in Beta3

** Changed in: gnome-packagekit (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
I have tested gnome-packagekit and it never triggers unprivileged user
namespace mediation. Can you please provide more information on how you
triggered it?

** Changed in: gnome-packagekit (Ubuntu)
   Status: Confirmed => Incomplete


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
** Changed in: loupe (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: geary (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: firefox (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
supercollider will work on current noble. Since it is using QtWebEngine
it has a graceful fallback when capabilities within the user namespace
are denied.

supercollider will have a profile and be fixed in Beta3, so it doesn't
even have to do the fallback.


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
I have tried freecad and unprivileged user namespace restrictions are
not the problem. The freecad snap works; the freecad ppa does not have a
noble build yet, but the mantic build can be made to work.

freecad daily appimage: works
freecad appimage: stable fails with mesa or qt errors depending on how/where it is started. Below is a paste of the error:
MESA-LOADER: failed to open zink: /usr/lib/dri/zink_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
failed to load driver: zink
MESA-LOADER: failed to open swrast: /usr/lib/dri/swrast_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
failed to load driver: swrast



** Changed in: freecad (Ubuntu)
   Status: Confirmed => Invalid


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
@sudipmuk loupe should be fixed in Beta3


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
@eeickmeyer geary should be fixed in Beta3


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
@guyster, @eldmannen+launchpad, @valeryan-24

Firefox dailies now have a workaround, by detecting and disabling the
user namespace. The proper fix that should allow firefox to still use
the user namespace for its sandbox will land in Beta3, landing early
next week.


[Bug 2046477] Re: Enable unprivileged user namespace restrictions by default

2024-03-15 Thread John Johansen
@pitti: yes, this is intended. At this stage we are essentially enumerating
the known users of unprivileged user namespaces. We can ship the profile
for you, or you are welcome to ship it.

In the future this is going to gradually tighten, some of the
"unconfined" profiles will be developed into real profiles, unconfined
(including these profiles) will get tied into integrity checks, or
require user exceptions in the security center, etc.


[Bug 2047256] Re: Ubuntu 24.04 Some image thumbnails no longer displayed

2024-03-15 Thread John Johansen
** Changed in: nautilus (Ubuntu)
   Status: Confirmed => Fix Released


[Bug 2046477] Re: Enable unprivileged user namespace restrictions by default

2024-03-15 Thread John Johansen
It solves several problems, but not all.

With regard to unprivileged user namespace mediation it should fix
 - mscode
 - nautilus
 - devhelp
 - element-desktop
 - epiphany
 - evolution
 - keybase
 - opam


element-desktop is still known to have some issues, which are on the snapd
side. It needs to add some interfaces etc.

There is a beta3 coming early next week with additional fixes.
The full set won't be finalized until beta3 is rolled this weekend.


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
@valeryan-24 "ModuleNotFoundError: No module named 'imp'" says that your
Gpodder issue is not related to this bug. You are missing a dependency,
the 'imp' module. If Gpodder is packaged it will need to add that as
part of its install dependencies.


[Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-15 Thread John Johansen
The plasmashell profile is necessary for it to work under unprivileged
user namespace restrictions.


[Bug 1993837] Re: apparmor profile libvirt-qemu is too permissive

2024-03-14 Thread John Johansen
Yeah, work needs to be done on this. Ideally it will go into upstream,
but I expect we (Canonical/Ubuntu) will have to do the work. The issue
is really just one of time and priority. We have a huge backlog, so
unless this gets prioritized it's not going to happen soon.


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-14 Thread John Johansen
** Changed in: steam (Ubuntu)
   Status: Fix Committed => Fix Released


[Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-14 Thread John Johansen
The rejects here are all from the snap.element-desktop.element-desktop
profile. We will need to dig into that profile's permissions. If it's
getting all the right paths correct then I suspect the peer_label match
might be the issue.


[Bug 2057943] Re: Can't disable or modify snap package apparmor rules

2024-03-14 Thread John Johansen
If you are admin of your system, you can manually replace snap profiles.
But there are some caveats in that snapd doesn't really want this. It
manages its profiles, dynamically regenerates and replaces them, etc.

You are correct that the tooling doesn't work here. It expects the
abstractions to be in the same directory as the profile, which the snapd
profiles dir doesn't do.

I put this as a wish list item as it's a feature development request to make
the tooling support abstractions in a different location than the
profile.


** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Wishlist


[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"

2024-03-12 Thread John Johansen
Yes, will do. I added both references you provided to the upstream merge
commit, and all fixes/closes references will be going into the changelog.


[Bug 2039294] Re: apparmor docker

2024-03-11 Thread John Johansen
@gvarouchas, you need to be more specific. There are a couple of interrelated
issues in this bug. What is the exact denial message you are getting? They will
look something like the denial messages in comment 5. You can find them using
  sudo dmesg | grep DENIED
or
  journalctl -g apparmor

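The denial messages the comment above points at, and the per-application "unconfined" profiles mentioned in the bug 2046477 reply earlier in this digest, as an added example (POSIX sh/awk, not code from the bug thread or the AppArmor project): one helper summarises AppArmor DENIED audit lines by profile, operation and target, another emits an unconfined profile that still permits user namespace creation. The sample log lines are constructed (the first is the denial from bug 2056739's title with added pid/comm/mask fields; the userns_create line's field values are illustrative), and the profile template assumes the shape of the unconfined profiles Ubuntu ships under /etc/apparmor.d.

```shell
#!/bin/sh
# Added example, not from the bug thread. Two helpers:
#   aa_denial_summary            - summarise AppArmor DENIED audit lines
#   aa_unconfined_userns_profile - emit an "unconfined" profile that permits userns
# On a real system feed the first one from
#   sudo dmesg | grep DENIED        or        journalctl -g apparmor

# Constructed sample log lines. Line 1 is the denial from bug 2056739's title
# with constructed pid/comm/mask fields added; line 2 mimics the shape of an
# unprivileged user namespace restriction denial (field values illustrative);
# line 4 is an ALLOWED (complain-mode) line that the summary must ignore.
SAMPLE_DENIALS='audit: type=1400 audit(1709000000.100:21): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1709000000.200:22): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=5151 comm="firefox" requested="userns_create" denied="userns_create" target="unprivileged_userns"
audit: type=1400 audit(1709000000.300:23): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=4243 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1709000000.400:24): apparmor="ALLOWED" operation="open" class="file" profile="snap.element-desktop.element-desktop" name="/run/user/1000/bus" pid=6060 comm="element-desktop" requested_mask="r" denied_mask="r"'

# Read audit lines on stdin, keep only DENIED ones, and print one line per
# distinct profile/operation/class/target with a count in front. A file
# denial reports its path in name=..., a userns denial reports the profile
# it failed to find in target=...; either is shown as "target" here.
aa_denial_summary() {
    grep 'apparmor="DENIED"' |
    awk '{
        split("", kv)                       # portable "clear array"
        for (i = 1; i <= NF; i++) {
            # whitespace-separated key=value tokens; words inside a quoted
            # info="..." string carry no "=" and are skipped
            if (split($i, pair, "=") == 2) {
                gsub("\"", "", pair[2])
                kv[pair[1]] = pair[2]
            }
        }
        target = ("name" in kv) ? kv["name"] : (("target" in kv) ? kv["target"] : "-")
        key = "profile=" kv["profile"] " operation=" kv["operation"] " class=" kv["class"] " target=" target
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Emit a per-application "unconfined" profile of the kind the bug 2046477
# reply talks about: the program stays unconfined but is allowed to create
# user namespaces under the unprivileged user namespace restriction.
# Template assumes the shape of the profiles Ubuntu ships in /etc/apparmor.d
# (e.g. the epiphany one named in the release notes); $1 is the profile
# name, $2 the executable path. Output is meant for /etc/apparmor.d/$1.
aa_unconfined_userns_profile() {
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $1 $2 flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$1>
}
EOF
}

# Stand-alone demo on the constructed sample
printf '%s\n' "$SAMPLE_DENIALS" | aa_denial_summary
aa_unconfined_userns_profile firefox /usr/bin/firefox
```

A userns_create denial against profile="unconfined" with target="unprivileged_userns" is the signature of the restriction this thread is about; a file denial names the path instead.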

[Bug 2056517] Re: VS Code profile still broken.

2024-03-10 Thread John Johansen
This is now moving forward and should show up in proposed soon.


[Bug 2056517] Re: vsode profile still broken

2024-03-08 Thread John Johansen
I won't promise we will get to fixing PHPStorm or Jetbrains before
release, but without a bug they certainly won't get fixed, so yes it is
worth filing a bug for them.


[Bug 2056517] Re: vsode profile still broken

2024-03-08 Thread John Johansen
The fix for vscode is currently in apparmor 4.0.0-beta2-0ubuntu3 pending
a Feature Freeze exception. If the feature freeze exception is not
granted then the fix will be moved to a bug patch on the current
apparmor 4.0.0-alpha4

Atm the fix is available via ppa https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe


[Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
** Description changed:

  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
  landing pre feature freeze.
  
  Landing AppArmor 4.0-beta's will enable us to more easily track upstream
  bug fixes, and is needed to support network rules in prompting. The
  addition of the prompting patch on top of AppArmor 4.0 is required to
  support snapd prompting in general for both file and network rules.
  Currently the prompting patch is not part of the upstream release but is
  part of the vendored apparmor in snapd. In ordered for snapd to be able
  to vendor the noble release of apparmor it requires support for
  prompting. The prompting patch is a straight rebase to AppArmor 4.0 of
  the patch that has been in testing in snapd prompting for more than six
  months.
  
  Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version
  
  Beta1 added three additional features that were not present in alpha4 
(current Noble).
  • support for fine grained (address based) IPv4 and IPv6 mediation (required 
for prompting to support networking).
  • aa-notify support message filters to reduce notifications
  • aa-logprof/genprof support for mount rules
  
  None of these features affect existing policy, which will continue to
  function under the abi that it was developed under. This can be seen in
  the regression testing below.
  
  I addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
  several bug fixes the most important are highlighted below with the full
  list available in the upstream release notes, available at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2
  
  • new unconfined profiles in support of unprivileged user namespace mediation 
 
https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautalus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)
  
  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d
  
  The output of a test run is in the attached qrt.output file. Of which the 
summary is below
  Ran 62 tests in 811.542s
  
  OK (skipped=3)
  
- apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of 
March 7) noble systems. Reboot tests have been done, as well as booting in
- to different kernel versions.
-6.8.0-11-generic #11-Ubuntu
-6.5.0-14-generic #14-Ubuntu
-6.7.0 (custom build)
-6.8-rc3 (custom build)
+ apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of 
March 7) noble systems. Boot/Reboot and regression tests have been done, 
against 
+ different kernel versions.
+    6.8.0-11-generic #11-Ubuntu
+    6.5.0-14-generic #14-Ubuntu
+    6.7.0 (upstream custom build)
+    6.8-rc3 (upstream custom build)
  
  The changelog is available here
  
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes
  
  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe


[Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
** Description changed:

  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
  landing pre feature freeze.
  
  Landing AppArmor 4.0-beta's will enable us to more easily track upstream
  bug fixes, and is needed to support network rules in prompting. The
  addition of the prompting patch on top of AppArmor 4.0 is required to
  support snapd prompting in general for both file and network rules.
  Currently the prompting patch is not part of the upstream release but is
  part of the vendored apparmor in snapd. In ordered for snapd to be able
  to vendor the noble release of apparmor it requires support for
  prompting. The prompting patch is a straight rebase to AppArmor 4.0 of
  the patch that has been in testing in snapd prompting for more than six
  months.
  
  Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version
  
  Beta1 added three additional features that were not present in alpha4 
(current Noble).
  • support for fine grained (address based) IPv4 and IPv6 mediation (required 
for prompting to support networking).
  • aa-notify support message filters to reduce notifications
  • aa-logprof/genprof support for mount rules
  
  None of these features affect existing policy, which will continue to
  function under the abi that it was developed under. This can be seen in
  the regression testing below.
  
  I addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
  several bug fixes the most important are highlighted below with the full
  list available in the upstream release notes, available at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2
  
  • new unconfined profiles in support of unprivileged user namespace mediation 
 
https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautalus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)
  
- 
- This proposed change has been tested via the QA Regression Testing project, 
in particular with the specific test added in 
https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d
- 
+ This proposed change has been tested via the QA Regression Testing
+ project, in particular with the specific test added in
+ https://git.launchpad.net/qa-regression-
+ testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d
  
  The output of a test run is in the attached qrt.output file. Of which the 
summary is below
- Ran 62 tests in 811.542s
+ Ran 62 tests in 811.542s
  
- OK (skipped=3)
+ OK (skipped=3)
  
+ apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of 
March 7) noble systems. Reboot tests have been done, as well as booting in
+ to different kernel versions.
+6.8.0-11-generic #11-Ubuntu
+6.5.0-14-generic #14-Ubuntu
+6.7.0 (custom build)
+6.8-rc3 (custom build)
  
  The changelog is available here
  
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes
  
  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe


[Bug 2056496] [NEW] [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
Public bug reported:

AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
landing pre feature freeze.

Landing the AppArmor 4.0 betas will enable us to more easily track upstream
bug fixes, and is needed to support network rules in prompting. The
addition of the prompting patch on top of AppArmor 4.0 is required to
support snapd prompting in general for both file and network rules.
Currently the prompting patch is not part of the upstream release but is
part of the vendored apparmor in snapd. In order for snapd to be able
to vendor the noble release of apparmor it requires support for
prompting. The prompting patch is a straight rebase to AppArmor 4.0 of
the patch that has been in testing in snapd prompting for more than six
months.

Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

Beta1 added three additional features that were not present in alpha4 (current Noble).
• support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking).
• aa-notify support for message filters to reduce notifications
• aa-logprof/genprof support for mount rules

None of these features affect existing policy, which will continue to
function under the abi that it was developed under. This can be seen in
the regression testing below.

In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
several bug fixes; the most important are highlighted below, with the full
list available in the upstream release notes at
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

• new unconfined profiles in support of unprivileged user namespace mediation (see https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626)
  ∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
• fix policy generation for non-af_inet rules (MR:1175)
• fix race when reading proc files (AABUG:355, MR:1157)
• handle unprivileged_userns transition in userns tests (MR:1146)
• fix usr-merge failures on exec and regex tests (MR:1146)


This proposed change has been tested via the QA Regression Testing project, in
particular with the specific test added in
https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d


The output of a test run is in the attached qrt.output file, of which the
summary is below:
Ran 62 tests in 811.542s

OK (skipped=3)


The changelog is available here
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

The prepared package is available via the ppa
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New


[Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
Captured output of QRT test run on updated noble using Linux
6.8.0-11-generic #11-Ubuntu kernel and 4.0.0~beta2-0ubuntu3


** Attachment added: "Captured output of QRT test run"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+attachment/5753923/+files/qrt.output


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-06 Thread John Johansen
@scarlet I think it is fair to mark these as Fixed released as they are
part of apparmor-alpha4 that is in noble.


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-06 Thread John Johansen
This is part of the apparmor alpha4 release in noble


** Changed in: plasma-desktop (Ubuntu)
   Status: Confirmed => Fix Released


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-06 Thread John Johansen
This is part of the alpha4 release in noble

** Changed in: kdeplasma-addons (Ubuntu)
   Status: Confirmed => Fix Released


[Bug 2055402] Re: Though lintian call: error: troff: Segmentation fault

2024-03-05 Thread John Johansen
So the answer is most likely not great atm.

Option 1: unconfined 
If you are coming from an unconfined bash/lintian then object delegation will 
take care of this for you (more on that below). However since you are seeing 
file_inherit messages that isn't the case. And you would need to change 
confinement such that bash/lintian is unconfined for this option to work atm.

Option 2: confined
In this case you are currently limited to AppArmor acting as an ambient 
authority system, which basically means every confinement domain (profile) needs to 
enumerate all available accesses.

As proposed by Loïc in comment #2 if you don't want to give man read
access to the entire system you need to teach lintian to write to a
specific location that is shared by both profiles.


We do have 2 improvements that are in progress that are NOT currently 
available, but we should start planning for them from an interface perspective 
for snap. Both of the following features will require a new apparmor userspace 
(not a problem as snap vendors apparmor) and a newer kernel.

I. Controlled Object Delegation (hopefully 24.10 time frame)
This is available today via unconfined. Unconfined allows delegating its 
objects to any confined application. Unfortunately this currently is not 
available to confined applications.

With controlled delegation, you add a rule to the source's profile (eg. 
lintian) that specifies which open files (fd objects) can be delegated to whom 
(target profile, eg. man). The target profile (man)
will then access that descriptor under the source's (lintian's) authority. If a 
target tries to pass the descriptor off via SCM/dbus etc. or inheritance, the 
descriptor will get revalidated against the new target, and denied if there 
isn't a rule allowing it in the original source (lintian).

II. Object labeling - again not available today, nor as good a fit for
this situation. It is also further out from landing than object
delegation.

- this solution limits target location fstype
- this solution only works if the source is creating or modifying the file or 
the files type, and may cause revocation of the file to other applications, 
even if not sharing a file descriptor
- requires rules in both profiles, however they can be more abstract (even 
excluding location entirely) than the solution required today.

The source (lintian/bash) marks the file being passed by setting its
object label. The target (man) must have access to the object type that
the file is tagged with via a rule in its profile. The object can then
be passed/inherited and the inheritance check will let it through.


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2022-05-24 Thread John Johansen
@rikka0w0 are you willing to test a kernel patch for this issue?


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2022-05-22 Thread John Johansen
Yes, unfortunately the network work was deferred; it's still a wip but is
not scheduled as a work item for the cycle. With that said we still hope
to get this fixed, I just can't promise it.


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-05-10 Thread John Johansen
@georgiag we could move the abstraction include to "include if exists"
to take care of the depends. Generally speaking evince shouldn't depend
on apparmor, but of course make use of it if it is available.


[Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2022-03-18 Thread John Johansen
@maciek-borzecki the parser can change its behavior based on a few things.
1. The kernel it's built against. This would not change behavior when run in a 
container vs at system level.

2. If a feature-file is specified, via --features-file, --policy-
features, or --kernel-features. This allows overriding the normal policy
and kernel examination that the parser does when compiling policy.

3. If /sys/kernel/security/apparmor/features is not available. The
parser will fallback to an old set of features available in a kernel
before the kernel module started exporting what the kernel module
supports on the running kernel.


[Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2022-03-18 Thread John Johansen
"""
Warning from stdin (line 1): apparmor_parser: Warning capping number of jobs to 
0 * # of cpus == '16'
"""

Does not cause any change in return codes.


[Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2022-03-12 Thread John Johansen
@cascardo that sysctl does indeed change when/if bpf_capable() is
called, so a possibility to explore.


[Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2022-03-12 Thread John Johansen
@stgraber while I know snapd currently isn't vendoring the
apparmor_parser, is the LXD snap vendoring apparmor?


[Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2022-03-11 Thread John Johansen
This is failing because the apparmor_parser before the 3.0 release would
build its capability list from the installed kernel headers. The
apparmor_parser here was built against a kernel without support for cap
'bpf'.

root@priv:~# apparmor_parser -V
AppArmor parser version 2.13.3
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.

This was fixed in 3.0 by having a static caps list (with full mapping
info) and the dynamic auto-generated list (against the kernel headers)
that is used to check that the static list has not become stale. In
addition the parser can pull kernel supported caps straight from the
apparmor kernel module (it will however be missing the mapping info).

To fix similar issues upstream a limited version of the 3.0 fix was
backported to 2.13, and released in 2.13.5.

Ideally we would pull 2.13.6 in but at a minimum we need to pick
  726c3fc1 parser: Make sure apparmor can build on old kernels
  3f8cfac3 parser/Makefile: fix generated cap comparison against known list
  ad45b807 parser: add CAP_BPF/PERFMON; convert to pregenerated cap list
  cd4a1613 Add CAP_BPF and CAP_PERFMON to severity.db
  60007d3f parser: Add warning to capability_table about the need to update the Makefile
  ef8d5141 parser/Makefile: use LC_ALL=C when invoking sed
  4e194b2f parser: unify capability name handling
  ed61e482 parser: cleanup capability_table generation by dropping cap sys_log
  efb6952e parser: Move to a pre-generated cap_names.h


Now for the bits I didn't quite figure out:
 - Why does snapd think that the parser supports `bpf` when it in fact doesn't?

My guess is that it's checking the kernel for support of bpf and not the
parser.


 - Why does this only seem to hit with `distrobuilder`, testing with 
`hello-world` doesn't hit this issue though we've seen similar behavior from 
the `go` snap, is it a bug that only triggers on classic snaps?

My guess is that it will depend on what connections (plugs) are used.
Classic snaps in general shouldn't trigger this because they are run
unconfined, but LXD triggers it because it has its own profile. Only
snaps that plug a connection that requires bpf would trigger this.

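A worked example for the two parser-versus-kernel messages above (the --features-file override described in the 2022-03-18 message and the stale capability table in the 2022-03-11 one). This is added code, not part of the bug thread or of the AppArmor project: it assumes the brace-flattened layout of /sys/kernel/security/apparmor/features that feature files use, with a constructed, trimmed sample and a constructed stand-in for an old parser's capability table.

```python
"""Parse an AppArmor kernel features file and check it against a parser's
capability table (added example; not AppArmor project code)."""

# Constructed sample in the brace-flattened layout of
# /sys/kernel/security/apparmor/features (assumed format, heavily trimmed).
SAMPLE_FEATURES = """\
caps {mask {chown dac_override net_admin sys_admin perfmon bpf
}
}
network {af_mask {unix inet inet6 netlink packet mctp
}
}
policy {versions {v5 v6 v7 v8
}
}
"""

# Constructed stand-in for a pre-3.0 parser whose cap list came from the
# kernel headers it was built against (no bpf/perfmon, as in the bug).
OLD_PARSER_CAPS = {"chown", "dac_override", "net_admin", "sys_admin"}


def parse_features(text: str) -> dict:
    """Build a nested dict from 'name {' / '}' lines; leaf token text is
    stored under the '_value' key of the innermost node."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        while line:
            if line.startswith("}"):          # close the current node
                stack.pop()
                line = line[1:].lstrip()
            elif "{" in line:                 # open a child node
                name, _, rest = line.partition("{")
                child: dict = {}
                stack[-1][name.strip()] = child
                stack.append(child)
                line = rest.strip()
            else:                             # leaf token text
                node = stack[-1]
                node["_value"] = (node.get("_value", "") + " " + line).strip()
                line = ""
    return root


def feature_tokens(tree: dict, *path: str) -> set:
    """Tokens advertised at a path such as ('caps', 'mask')."""
    node = tree
    for key in path:
        node = node.get(key, {})
    return set(node.get("_value", "").split())


def capability_gap(tree: dict, parser_caps: set) -> dict:
    """The 3.0-style staleness check: caps only one side knows about."""
    kernel_caps = feature_tokens(tree, "caps", "mask")
    return {"kernel_only": sorted(kernel_caps - parser_caps),
            "parser_only": sorted(parser_caps - kernel_caps)}


def can_compile_capability(tree: dict, parser_caps: set, cap: str) -> bool:
    """What a caller such as snapd needs: both kernel AND parser must know cap."""
    return cap in parser_caps and cap in feature_tokens(tree, "caps", "mask")
```

Feeding a real features file exported with --features-file (or the live sysfs tree) in place of the sample shows whether the running kernel advertises bpf; capability_gap then shows whether the installed parser can actually compile a rule using it.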

[Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-21 Thread John Johansen
sorry, I was confused a bit about the issue. I have no objection to
uploading the diff from #7. Still while the patch makes the immediate
mctp issue go away from the current tests it isn't a full fix.


[Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-21 Thread John Johansen
"To unblock kernel development we need apparmor to never fail ADT
testing in devel series, as new kernel is developed. We do not want to
hint to ignore it, because we must never regress apparmor."

unfortunately this is just not possible with the way kernel development
works. The addition of new "features" will break apparmor if there is
any support in the kernel for it as apparmor is default deny. There are
also other reasons kernel changes may result in test failures.

The only way to never block would be to ignore failures on the devel
series, but as you noted we don't want to regress either. It's a tough
situation, I don't have a good solution.

"Is it ok to upload the debdiff from #7 right away? Because this bug
cannot wait for new upstream release of apparmor getting integrated in
Ubuntu and migrating. 3 days for test-suite only fixes is too long."

Unfortunately it is NOT just a test suite issue. This requires an update
to the policy compiler.

@alexmurray is currently planning to upload the latest version tomorrow
(his tomorrow, which is in just a few hours), but as you note it will
then take time to migrate.


[Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-18 Thread John Johansen
I should note that mctp is NOT part of the abi change in 3.0.4.  This
means by default mctp mediation will not be enforced by policy. It will
be accepted in rules if present but since policy was not developed with
mctp in mind, turning it on by default for the policy would be an abi
break and could cause some applications to fail unexpectedly.

To have mctp mediation enforced it needs to be added to the abi file. Or
profiles that should have it enforced need to change their abi file to
one that supports mctp.


[Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-18 Thread John Johansen
@arighi: mctp is already supported in the 3.0.4 release that @alexmurray
is working on merging.


[Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

2022-02-13 Thread John Johansen
It should be fixed as of the AppArmor 3.0 release. With 3.0 the handling
of jobs doesn't stop with an error unless --abort-on-error is specified.
Instead the parser will keep track of the last error and return that
there was an error, but it will keep processing the rest of the jobs.

We did not close this for 3.0 as we wanted more time to make sure we
have it fixed. But we are considering it fixed on the dev branch. Though
Christian did turn up another corner case the other day
https://gitlab.com/apparmor/apparmor/-/issues/215 that we need to finish
fixing.


** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #215
   https://gitlab.com/apparmor/apparmor/-/issues/215

** Changed in: apparmor
   Status: Triaged => Fix Committed

