hi! thank you for the detailed FFe - this looks good. FFe approved.
Please go ahead with the upload and make sure to see through the
migration - that'd also require tests to pass. :)
** Changed in: apparmor (Ubuntu)
Status: New => Triaged
https://bugs.launchpad.net/bugs/2121409
Title:
[FFE] add a new apparmor.d package containing several apparmor profiles
Status in apparmor package in Ubuntu:
Triaged
Bug description:
## FFE ##
This is a Feature Freeze Exception request for questing for the
apparmor package:
I'd like to add a new package called apparmor.d which contains over
1500 profiles from the upstream project apparmor.d [1].
These profiles will be added in "complain" mode, which means that for
a given action, if the profile rules do not grant permission the
action will be allowed, but the violation will be logged with a tag of
the access being ALLOWED. This is done because we want to test these
profiles and enable others to test and add new rules to eventually
improve the profiles.
By adding these profiles in a new package which is not installed by
default, regular users will not be affected. But users that would like
to test and contribute to the profiles can install it.
We want to add these profiles, even in complain mode, as a new package
(and not part of the apparmor package) because labeling certain
binaries could cause issues with existing policy, especially those that
use "peer". Additionally, the large number of profiles does take a while
to compile by the parser in the first boot. After that, a cached
version of the profiles can be loaded directly into the kernel by the
parser which takes considerably less time. Note again that apparmor.d
will not be installed by default, so this will only affect users that
choose to install it.
The benefit of this change is the ability to increase the amount of
testing for these profiles, which will then enable us to eventually
ship them in enforce mode. More profiles means more confined
applications, which could lead to higher security. This is the first
step towards that.
This is the PPA containing a built version of apparmor:
https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor/
These are the installation logs:
georgia@sec2-questing-amd64:~$ sudo apt install apparmor.d --allow-unauthenticated
Upgrading:
apparmor
Installing:
apparmor.d
Installing dependencies:
apparmor-profiles
Summary:
Upgrading: 1, Installing: 2, Removing: 0, Not Upgrading: 16
Download size: 1,161 kB
Space needed: 3,839 kB / 8,623 MB available
Continue? [Y/n]
WARNING: The following packages cannot be authenticated!
apparmor apparmor-profiles apparmor.d
Authentication warning overridden.
Get:1 http://192.168.122.1/debs/testing questing/ apparmor 5.0.0~alpha1-0ubuntu5 [862 kB]
Get:2 http://192.168.122.1/debs/testing questing/ apparmor-profiles 5.0.0~alpha1-0ubuntu5 [42.6 kB]
Get:3 http://192.168.122.1/debs/testing questing/ apparmor.d 5.0.0~alpha1-0ubuntu5 [256 kB]
Fetched 1,161 kB in 0s (23.8 MB/s)
Preconfiguring packages ...
(Reading database ... 185825 files and directories currently installed.)
Preparing to unpack .../apparmor_5.0.0~alpha1-0ubuntu5_amd64.deb ...
Unpacking apparmor (5.0.0~alpha1-0ubuntu5) over (5.0.0~alpha1-0ubuntu4) ...
Selecting previously unselected package apparmor-profiles.
Preparing to unpack .../apparmor-profiles_5.0.0~alpha1-0ubuntu5_all.deb ...
Unpacking apparmor-profiles (5.0.0~alpha1-0ubuntu5) ...
Selecting previously unselected package apparmor.d.
Preparing to unpack .../apparmor.d_5.0.0~alpha1-0ubuntu5_amd64.deb ...
Unpacking apparmor.d (5.0.0~alpha1-0ubuntu5) ...
Setting up apparmor (5.0.0~alpha1-0ubuntu5) ...
Installing new version of config file /etc/apparmor.d/hostname ...
Installing new version of config file /etc/apparmor.d/wg ...
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: brave
Skipping profile in /etc/apparmor.d/disable: chrome
Skipping profile in /etc/apparmor.d/disable: chromium
Skipping profile in /etc/apparmor.d/disable: dig
Skipping profile in /etc/apparmor.d/disable: element-desktop
Skipping profile in /etc/apparmor.d/disable: epiphany
Skipping profile in /etc/apparmor.d/disable: firefox
Skipping profile in /etc/apparmor.d/disable: flatpak
Skipping profile in /etc/apparmor.d/disable: foliate
Skipping profile in /etc/apparmor.d/disable: free
Skipping profile in /etc/apparmor.d/disable: fusermount3
Skipping profile in /etc/apparmor.d/disable: hostname
Skipping profile in /etc/apparmor.d/disable: locale
Skipping profile in /etc/apparmor.d/disable: loupe
Skipping profile in /etc/apparmor.d/disable: lsblk
Skipping profile in /etc/apparmor.d/disable: lsusb
Skipping profile in /etc/apparmor.d/disable: msedge
Skipping profile in /etc/apparmor.d/disable: nslookup
Skipping profile in /etc/apparmor.d/disable: openvpn
Skipping profile in /etc/apparmor.d/disable: opera
Skipping profile in /etc/apparmor.d/disable: os-prober
Skipping profile in /etc/apparmor.d/disable: plasmashell
Skipping profile in /etc/apparmor.d/disable: signal-desktop
Skipping profile in /etc/apparmor.d/disable: slirp4netns
Skipping profile in /etc/apparmor.d/disable: steam
Skipping profile in /etc/apparmor.d/disable: systemd-coredump
Skipping profile in /etc/apparmor.d/disable: systemd-detect-virt
Skipping profile in /etc/apparmor.d/disable: thunderbird
Skipping profile in /etc/apparmor.d/disable: transmission
Skipping profile in /etc/apparmor.d/disable: unix-chkpwd
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching disabled for: 'usr.sbin.sssd' due to force complain
Skipping profile in /etc/apparmor.d/disable: virtiofsd
Skipping profile in /etc/apparmor.d/disable: wg-quick
Skipping profile in /etc/apparmor.d/disable: who
Setting up apparmor-profiles (5.0.0~alpha1-0ubuntu5) ...
Setting up apparmor.d (5.0.0~alpha1-0ubuntu5) ...
Processing triggers for systemd (257.7-1ubuntu3) ...
Processing triggers for man-db (2.13.1-1) ...
Processing triggers for procps (2:4.0.4-8ubuntu2) ...
georgia@sec2-questing-amd64:~$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: enabled)
Active: active (exited) since Mon 2025-08-25 16:47:52 -03; 12min ago
Invocation: 7bd560e664334a099f09646e3464391c
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 5241 ExecReload=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 535 (code=exited, status=0/SUCCESS)
Mem peak: 236.1M
CPU: 5min 17.583s
Aug 25 16:58:05 sec2-questing-amd64 apparmor.systemd[6613]: Skipping profile in /etc/apparmor.d/disable: systemd-detect-virt
Aug 25 16:58:10 sec2-questing-amd64 apparmor.systemd[6715]: Skipping profile in /etc/apparmor.d/disable: thunderbird
Aug 25 16:58:15 sec2-questing-amd64 apparmor.systemd[6743]: Skipping profile in /etc/apparmor.d/disable: transmission
Aug 25 16:58:18 sec2-questing-amd64 apparmor.systemd[6788]: Skipping profile in /etc/apparmor.d/disable: unix-chkpwd
Aug 25 16:58:21 sec2-questing-amd64 apparmor.systemd[6852]: Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Aug 25 16:58:21 sec2-questing-amd64 apparmor.systemd[6852]: Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching disabled for: 'usr.sbin.sssd' due to force co>
Aug 25 16:58:26 sec2-questing-amd64 apparmor.systemd[6871]: Skipping profile in /etc/apparmor.d/disable: virtiofsd
Aug 25 16:58:30 sec2-questing-amd64 apparmor.systemd[6899]: Skipping profile in /etc/apparmor.d/disable: wg-quick
Aug 25 16:58:31 sec2-questing-amd64 apparmor.systemd[6906]: Skipping profile in /etc/apparmor.d/disable: who
Aug 25 16:58:40 sec2-questing-amd64 systemd[1]: Reloaded apparmor.service - Load AppArmor profiles.
For testing, I ran the QA Regression Tests [2]:
Steps:
$ git clone https://git.launchpad.net/qa-regression-testing
$ ./scripts/make-test-tarball ./scripts/test-apparmor.py
Copying: test-apparmor.py
Copying: testlib.py
Copying: install-packages
Copying: packages-helper
Copying: apparmor/
Test files: /tmp/qrt-test-apparmor.tar.gz
To run, first install the apparmor.d package introduced in this FFE, then
copy the tarball somewhere, then do:
$ tar -zxf qrt-test-apparmor.tar.gz
$ cd ./qrt-test-apparmor
$ sudo ./install-packages test-apparmor.py
$ ./test-apparmor.py -v
This script runs various tests against the installed apparmor package.
The result was:
FAILED: disconnected_mount_complain overlayfs_kernel socketpair
make: *** [Makefile:487: alltests] Error 1
----------------------------------------------------------------------
Ran 62 tests in 3903.620s
FAILED (failures=1, skipped=4)
Note that these failures are not related to the apparmor.d package and
are also reproducible with apparmor version 5.0.0~alpha1-0ubuntu4 from
the archive.
[1] https://github.com/roddhjav/apparmor.d
[2] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
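The description above explains that the apparmor.d profiles ship in complain mode, so a rule violation is allowed but logged with an ALLOWED tag. The following is an added example, not code from the bug report or from the apparmor.d project, of how a tester could turn those audit records into candidate rules: it parses the key=value fields of AppArmor audit lines, keeps only apparmor="ALLOWED" events (ignoring real DENIED events and parser STATUS records), groups them by profile and emits file rule lines a contributor might add. The audit lines and the "hostname" profile events are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the bug report): two complain-mode
# ("ALLOWED") events from a hypothetical "hostname" profile, one parser status
# record and one enforce-mode denial, which must not be counted.
SAMPLE_LOG = """\
type=AVC msg=audit(1756151872.123:201): apparmor="ALLOWED" operation="open" class="file" profile="hostname" name="/etc/host.conf" pid=4321 comm="hostname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1756151872.456:202): apparmor="ALLOWED" operation="open" class="file" profile="hostname" name="/etc/hostname" pid=4321 comm="hostname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1756151873.001:203): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="wg" pid=1234 comm="apparmor_parser"
type=AVC msg=audit(1756151874.010:204): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/etc/shadow" pid=5555 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs in an AppArmor audit record; values may be double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    # findall yields '' for the unmatched alternative, so pick the other one.
    return {k: q or u for k, q, u in _KV.findall(line)}

def complain_events(lines):
    """Group apparmor="ALLOWED" events (complain mode) by profile."""
    # Each event is (operation, name, requested_mask): what enforce mode would
    # deny, hence what a new rule has to cover.
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get('apparmor') != 'ALLOWED':
            continue
        events[rec['profile']].append(
            (rec.get('operation'), rec.get('name'), rec.get('requested_mask')))
    return dict(events)

def suggest_file_rules(events):
    """Turn file-path events into candidate profile lines, deduplicated and sorted."""
    return {profile: sorted({f'{name} {mask},' for _, name, mask in evs
                             if name and mask and name.startswith('/')})
            for profile, evs in events.items()}

if __name__ == '__main__':
    for profile, rules in suggest_file_rules(complain_events(SAMPLE_LOG.splitlines())).items():
        print(f'# {profile}: would be denied in enforce mode')
        print('\n'.join('  ' + r for r in rules))
```

On a real system the input would be the apparmor lines of the audit log or the journal; the suggested rules are a starting point for review, not something to paste into a profile unread.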