Note that after this fix, snapd in containers needs to be at >= 2.62 for apparmor policy to load (snapd's snapd-apparmor needs the corresponding fix as this bug). This is currently in the candidate channel.
https://bugs.launchpad.net/bugs/2060535

Title:
  apparmor's is_container_with_internal_policy() does not recognize incus

Status in apparmor package in Ubuntu: Fix Released
Status in apparmor source package in Bionic: Triaged
Status in apparmor source package in Focal: Triaged
Status in apparmor source package in Jammy: Triaged
Status in apparmor source package in Noble: Fix Released

Bug description:

apparmor is not loading for Ubuntu containers under incus. This is due to `/lib/apparmor/rc.apparmor.functions` (18.04 uses `/lib/apparmor/functions`):

```
is_container_with_internal_policy() {
    # this function is sometimes called independently of
    # is_apparmor_loaded(), so also define this here.
    local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
    local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
    local ns_stacked
    local ns_name

    if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
        return 1
    fi

    read -r ns_stacked < "$ns_stacked_path"
    if [ "$ns_stacked" != "yes" ]; then
        return 1
    fi

    # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
    # "lxc-", respectively. Return non-zero for all other namespace
    # identifiers.
    read -r ns_name < "$ns_name_path"
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ]; then
        return 1
    fi

    return 0
}
```

This can be fixed by adjusting it to have:

```
    # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
    # "lxc-", and "incus-" respectively. Return non-zero for all other namespace
    # identifiers.
    read -r ns_name < "$ns_name_path"
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ] && \
       [ "${ns_name#incus-*}" = "$ns_name" ] ; then
        return 1
    fi
```

References:
 * https://github.com/lxc/incus/issues/740
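The following is an added example, not part of the bug report or of the apparmor package: it runs the prefix check before and after the proposed change against constructed securityfs contents, so the effect on an incus namespace can be seen without a container. The helper names (`prefix_ok_old`, `prefix_ok_new`, `check_policy`, `make_sfs`, `report`), the temporary directory standing in for `SFS_MOUNTPOINT`, and the sample namespace names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: not the apparmor package's code. A temp dir stands in for
# SFS_MOUNTPOINT, and all namespace names below are constructed samples.

# Prefix test before the fix: only "lxd-" and "lxc-" are accepted.
prefix_ok_old() {
    [ "${1#lxd-*}" != "$1" ] || [ "${1#lxc-*}" != "$1" ]
}

# Prefix test with the fix: "incus-" is accepted as well.
prefix_ok_new() {
    prefix_ok_old "$1" || [ "${1#incus-*}" != "$1" ]
}

# check_policy <prefix-test> <sfs-dir>
# Same decision order as is_container_with_internal_policy(): both files
# must exist, .ns_stacked must read "yes", then the name prefix is tested.
check_policy() {
    _test=$1 _sfs=$2
    [ -f "$_sfs/.ns_stacked" ] && [ -f "$_sfs/.ns_name" ] || return 1
    read -r _stacked < "$_sfs/.ns_stacked"
    [ "$_stacked" = "yes" ] || return 1
    read -r _name < "$_sfs/.ns_name"
    "$_test" "$_name"
}

# make_sfs <stacked> <ns_name>: build a fake securityfs dir, print its path.
make_sfs() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$_d/.ns_stacked"
    printf '%s\n' "$2" > "$_d/.ns_name"
    printf '%s\n' "$_d"
}

# report <stacked> <ns_name>: print the return code of each variant
# (0 = container with internal policy, 1 = policy load is skipped).
report() {
    _dir=$(make_sfs "$1" "$2") || return 1
    _old=0; check_policy prefix_ok_old "$_dir" || _old=$?
    _new=0; check_policy prefix_ok_new "$_dir" || _new=$?
    rm -rf "$_dir"
    printf 'old=%s new=%s\n' "$_old" "$_new"
}

report yes "incus-c1_<var-lib-incus>"
report yes "lxd-c1_<var-snap-lxd-common-lxd>"
report no  "incus-c1_<var-lib-incus>"
report yes "docker-default"
```

Only the first case changes between the two variants; a non-stacked namespace or an unrecognised prefix still returns 1 in both.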