So what I think is going on from a first pass look at this is that We are seeing a change in kernel behavior around exec. The 6.8 has a known change here, that doesn't normally trigger because unconfined is delegating access into the profile. However in the lxd case, unconfined can is not delegating access it the profile needs access to the application.
the accompanying patch should fix the issue, and does not actually grant anymore permission that was already required, it was just being delegated in by unconfined. ** Patch added: "apparmor-add-execmap.patch" https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5758964/+files/apparmor-add-execmap.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2058866 Title: proposed-migration for cups-browsed 2.0.0-0ubuntu8 Status in apparmor package in Ubuntu: New Status in cups-browsed package in Ubuntu: New Bug description: cups-browsed 2.0.0-0ubuntu8 on armhf segfaults on startup (detected via an autopkgtest), early enough that LD_DEBUG=all gives no output. A local no-change rebuild of 2.0.0-0ubuntu7 succeeded and the executable ran, so 8 was uploaded to try to fix this. But the executable somehow ONLY runs as ./debian/cups-browsed/usr/sbin/cups- browsed and segfaults when invoked as /usr/sbin/cups-browsed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp