Thank you. I added a patch to remove the mount profile because that exposes a kernel bug in overlayfs cred handling which is still under investigation. The change is easier seen in the MR.
** Description changed:

  ## FFE ##

  This is a Feature Freeze Exception request for questing for the apparmor package:

  I'd like to add a new package called apparmor.d which contains over 1500 profiles from the upstream project apparmor.d [1]

  These profiles will be added in "complain" mode, which means that for a given action, if the profile rules do not grant permission the action will be allowed, but the violation will be logged with a tag of the access being ALLOWED. This is done because we want to test these profiles and enable others to test and add new rules to eventually improve the profiles.

  By adding these profiles in a new package which is not installed by default, regular users will not be affected. But users that would like to test and contribute to the profiles can install it.

  We want to add these profiles, even in complain mode, as a new package (and not part of the apparmor package) because labeling certain binaries could cause issues with existing policy, especially those that use "peer".

  Additionally, the large number of profiles does take a while to compile by the parser in the first boot. After that, a cached version of the profiles can be loaded directly into the kernel by the parser which takes considerably less time.

  Note again that apparmor.d will not be installed by default, so this will only affect users that choose to install it.

  The benefits of this change are the ability to increase the amount of testing for these profiles, which will then enable us to eventually ship them in enforce mode. More profiles means more confined applications, which could lead to higher security. This is the first step towards that.

  This is the PPA containing a built version of apparmor:
- https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor/
+ https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor2/

- This is the installation logs:
- georgia@sec2-questing-amd64:~$ sudo apt install apparmor.d --allow-unauthenticated
- Upgrading:
+ These are the installation logs:
+ georgia@sec2-questing-amd64:~$ sudo apt install apparmor.d --allow-unauthenticated
+ The following packages were automatically installed and are no longer required:
+   apg                       libllvm19           linux-headers-6.15.0-3-generic  xbitmaps
+   cpp-14                    libopengl0          linux-modules-6.15.0-3-generic  xinit
+   cpp-14-x86-64-linux-gnu   libsframe1          linux-tools-6.15.0-3            xorg
+   gcc-14-base               libxcb-damage0      linux-tools-6.15.0-3-generic
+   libclang1-19              libxkbcommon-x11-0  x11-apps
+   libglu1-mesa              linux-headers-6.15.0-3  x11-session-utils
+ Use 'sudo apt autoremove' to remove them.
+
+ Upgrading:
    apparmor
  Installing:
    apparmor.d
  Installing dependencies:
    apparmor-profiles

  Summary:
-   Upgrading: 1, Installing: 2, Removing: 0, Not Upgrading: 16
-   Download size: 1,161 kB
-   Space needed: 3,839 kB / 8,623 MB available
+   Upgrading: 1, Installing: 2, Removing: 0, Not Upgrading: 45
+   Download size: 1,160 kB
+   Space needed: 3,837 kB / 7,954 MB available

  Continue? [Y/n]
  WARNING: The following packages cannot be authenticated!
    apparmor apparmor-profiles apparmor.d
  Authentication warning overridden.
  Get:1 http://192.168.122.1/debs/testing questing/ apparmor 5.0.0~alpha1-0ubuntu5 [862 kB]
  Get:2 http://192.168.122.1/debs/testing questing/ apparmor-profiles 5.0.0~alpha1-0ubuntu5 [42.6 kB]
  Get:3 http://192.168.122.1/debs/testing questing/ apparmor.d 5.0.0~alpha1-0ubuntu5 [256 kB]
- Fetched 1,161 kB in 0s (23.8 MB/s)
+ Fetched 1,160 kB in 0s (20.1 MB/s)
  Preconfiguring packages ...
- (Reading database ... 185825 files and directories currently installed.)
+ (Reading database ... 225552 files and directories currently installed.)
  Preparing to unpack .../apparmor_5.0.0~alpha1-0ubuntu5_amd64.deb ...
  Unpacking apparmor (5.0.0~alpha1-0ubuntu5) over (5.0.0~alpha1-0ubuntu4) ...
  Selecting previously unselected package apparmor-profiles.
  Preparing to unpack .../apparmor-profiles_5.0.0~alpha1-0ubuntu5_all.deb ...
  Unpacking apparmor-profiles (5.0.0~alpha1-0ubuntu5) ...
  Selecting previously unselected package apparmor.d.
  Preparing to unpack .../apparmor.d_5.0.0~alpha1-0ubuntu5_amd64.deb ...
  Unpacking apparmor.d (5.0.0~alpha1-0ubuntu5) ...
  Setting up apparmor (5.0.0~alpha1-0ubuntu5) ...
  Installing new version of config file /etc/apparmor.d/hostname ...
  Installing new version of config file /etc/apparmor.d/wg ...
  Reloading AppArmor profiles
  Skipping profile in /etc/apparmor.d/disable: brave
  Skipping profile in /etc/apparmor.d/disable: chrome
  Skipping profile in /etc/apparmor.d/disable: chromium
  Skipping profile in /etc/apparmor.d/disable: dig
  Skipping profile in /etc/apparmor.d/disable: element-desktop
  Skipping profile in /etc/apparmor.d/disable: epiphany
  Skipping profile in /etc/apparmor.d/disable: firefox
  Skipping profile in /etc/apparmor.d/disable: flatpak
  Skipping profile in /etc/apparmor.d/disable: foliate
  Skipping profile in /etc/apparmor.d/disable: free
  Skipping profile in /etc/apparmor.d/disable: fusermount3
  Skipping profile in /etc/apparmor.d/disable: hostname
  Skipping profile in /etc/apparmor.d/disable: locale
  Skipping profile in /etc/apparmor.d/disable: loupe
  Skipping profile in /etc/apparmor.d/disable: lsblk
  Skipping profile in /etc/apparmor.d/disable: lsusb
  Skipping profile in /etc/apparmor.d/disable: msedge
  Skipping profile in /etc/apparmor.d/disable: nslookup
  Skipping profile in /etc/apparmor.d/disable: openvpn
  Skipping profile in /etc/apparmor.d/disable: opera
  Skipping profile in /etc/apparmor.d/disable: os-prober
  Skipping profile in /etc/apparmor.d/disable: plasmashell
  Skipping profile in /etc/apparmor.d/disable: signal-desktop
  Skipping profile in /etc/apparmor.d/disable: slirp4netns
  Skipping profile in /etc/apparmor.d/disable: steam
  Skipping profile in /etc/apparmor.d/disable: systemd-coredump
  Skipping profile in /etc/apparmor.d/disable: systemd-detect-virt
  Skipping profile in /etc/apparmor.d/disable: thunderbird
  Skipping profile in /etc/apparmor.d/disable: transmission
  Skipping profile in /etc/apparmor.d/disable: unix-chkpwd
  Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
  Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching disabled for: 'usr.sbin.sssd' due to force complain
  Skipping profile in /etc/apparmor.d/disable: virtiofsd
  Skipping profile in /etc/apparmor.d/disable: wg-quick
  Skipping profile in /etc/apparmor.d/disable: who
  Setting up apparmor-profiles (5.0.0~alpha1-0ubuntu5) ...
  Setting up apparmor.d (5.0.0~alpha1-0ubuntu5) ...
  Processing triggers for systemd (257.7-1ubuntu3) ...
  Processing triggers for man-db (2.13.1-1) ...
  Processing triggers for procps (2:4.0.4-8ubuntu2) ...

+ georgia@sec2-questing-amd64:~$ systemctl status apparmor
  ● apparmor.service - Load AppArmor profiles
       Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: enabled)
-      Active: active (exited) since Mon 2025-08-25 16:47:52 -03; 12min ago
-  Invocation: 7bd560e664334a099f09646e3464391c
+      Active: active (exited) since Wed 2025-08-27 14:02:26 -03; 6min ago
+  Invocation: 99a9f158dddb41e195b8047ee23cc015
         Docs: man:apparmor(7)
               https://gitlab.com/apparmor/apparmor/wikis/home/
-     Process: 5241 ExecReload=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
-    Main PID: 535 (code=exited, status=0/SUCCESS)
-    Mem peak: 236.1M
-         CPU: 5min 17.583s
+     Process: 5054 ExecReload=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUC>
+    Main PID: 529 (code=exited, status=0/SUCCESS)
+    Mem peak: 233.4M
+         CPU: 7min 24.075s

- Aug 25 16:58:05 sec2-questing-amd64 apparmor.systemd[6613]: Skipping profile in /etc/apparmor.d/disable: systemd-detect-virt
- Aug 25 16:58:10 sec2-questing-amd64 apparmor.systemd[6715]: Skipping profile in /etc/apparmor.d/disable: thunderbird
- Aug 25 16:58:15 sec2-questing-amd64 apparmor.systemd[6743]: Skipping profile in /etc/apparmor.d/disable: transmission
- Aug 25 16:58:18 sec2-questing-amd64 apparmor.systemd[6788]: Skipping profile in /etc/apparmor.d/disable: unix-chkpwd
- Aug 25 16:58:21 sec2-questing-amd64 apparmor.systemd[6852]: Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
- Aug 25 16:58:21 sec2-questing-amd64 apparmor.systemd[6852]: Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching disabled for: 'usr.sbin.sssd' due to force co>
- Aug 25 16:58:26 sec2-questing-amd64 apparmor.systemd[6871]: Skipping profile in /etc/apparmor.d/disable: virtiofsd
- Aug 25 16:58:30 sec2-questing-amd64 apparmor.systemd[6899]: Skipping profile in /etc/apparmor.d/disable: wg-quick
- Aug 25 16:58:31 sec2-questing-amd64 apparmor.systemd[6906]: Skipping profile in /etc/apparmor.d/disable: who
- Aug 25 16:58:40 sec2-questing-amd64 systemd[1]: Reloaded apparmor.service - Load AppArmor profiles.
-
+ Aug 27 14:07:21 sec2-questing-amd64 apparmor.systemd[6511]: Skipping profile in /etc/apparmor>
+ Aug 27 14:07:28 sec2-questing-amd64 apparmor.systemd[6640]: Skipping profile in /etc/apparmor>
+ Aug 27 14:07:37 sec2-questing-amd64 apparmor.systemd[6670]: Skipping profile in /etc/apparmor>
+ Aug 27 14:07:43 sec2-questing-amd64 apparmor.systemd[6715]: Skipping profile in /etc/apparmor>
+ Aug 27 14:07:47 sec2-questing-amd64 apparmor.systemd[6779]: Warning: found usr.sbin.sssd in />
+ Aug 27 14:07:47 sec2-questing-amd64 apparmor.systemd[6779]: Warning from /etc/apparmor.d (/et>
+ Aug 27 14:07:55 sec2-questing-amd64 apparmor.systemd[6798]: Skipping profile in /etc/apparmor>
+ Aug 27 14:08:04 sec2-questing-amd64 apparmor.systemd[6830]: Skipping profile in /etc/apparmor>
+ Aug 27 14:08:04 sec2-questing-amd64 apparmor.systemd[6837]: Skipping profile in /etc/apparmor>
+ Aug 27 14:08:21 sec2-questing-amd64 systemd[1]: Reloaded apparmor.service - Load AppArmor pro>

  For testing, I ran the QA Regression Tests [2]:

  Steps:
  $ git clone https://git.launchpad.net/qa-regression-testing
  $ ./scripts/make-test-tarball ./scripts/test-apparmor.py
  Copying: test-apparmor.py
  Copying: testlib.py
  Copying: install-packages
  Copying: packages-helper
  Copying: apparmor/
  Test files: /tmp/qrt-test-apparmor.tar.gz

  To run, first install the apparmor.d package introduced in this FFE, then copy the tarball somewhere, then do:
  $ tar -zxf qrt-test-apparmor.tar.gz
  $ cd ./qrt-test-apparmor
  $ sudo ./install-packages test-apparmor.py
  $ ./test-apparmor.py -v
  This script runs various tests against the installed apparmor package

  The result was:
- FAILED: disconnected_mount_complain overlayfs_kernel socketpair
+ FAILED: disconnected_mount_complain socketpair
  make: *** [Makefile:487: alltests] Error 1
+ ----------------------------------------------------------------------
- Ran 62 tests in 3903.620s
+ Ran 62 tests in 5035.702s

  FAILED (failures=1, skipped=4)

  Note that these failures are not related to the
  apparmor.d package and are also reproducible with apparmor version 5.0.0~alpha1-0ubuntu4 from the archive.

  [1] https://github.com/roddhjav/apparmor.d
  [2] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2121409

Title:
  [FFE] add a new apparmor.d package containing several apparmor profiles

Status in apparmor package in Ubuntu:
  Triaged
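As an added example, not code from the bug report or from the apparmor.d project: a small parser that turns the complain-mode ALLOWED audit events the description relies on into a per-profile summary and draft file rules for a reviewer to check, which is the step that turns "test the profiles" into "add new rules". The audit lines are constructed, the type=1400 key="value" field layout is assumed, and the profile names lsblk and wg-quick are reused only as labels.

```python
import re
from collections import Counter, defaultdict

# key="value" / key=value pairs as they appear in the kernel's type=1400 AppArmor
# audit records (assumed field layout; real records may carry more fields).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not taken from the bug report): three ALLOWED events from
# a complain-mode profile that lacks rules, one DENIED event from an enforced profile
# and one STATUS record (profile load) that must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1756300000.123:101): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/run/udev/data/b8:0" pid=4321 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1756300001.456:102): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/run/udev/data/b8:0" pid=4321 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1756300002.789:103): apparmor="ALLOWED" operation="exec" class="file" profile="lsblk" name="/usr/bin/udevadm" pid=4322 comm="lsblk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1756300003.000:104): apparmor="DENIED" operation="connect" class="net" profile="wg-quick" pid=4400 comm="wg-quick" family="inet" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send"
audit: type=1400 audit(1756300004.000:105): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsblk" pid=1234 comm="apparmor_parser"
"""

def parse_event(line):
    """Return the record's fields as a dict, or None if the line is not an AppArmor record."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def summarize(lines):
    """Count ALLOWED (complain-mode) events per profile and (operation, name, mask),
    and DENIED events per profile; STATUS records are skipped."""
    allowed = defaultdict(Counter)
    denied = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or "profile" not in ev:
            continue
        if ev["apparmor"] == "ALLOWED":
            key = (ev.get("operation", "?"), ev.get("name", ""), ev.get("denied_mask", ""))
            allowed[ev["profile"]][key] += 1
        elif ev["apparmor"] == "DENIED":
            denied[ev["profile"]] += 1
    return allowed, denied

def candidate_file_rules(allowed, profile):
    """Draft deduplicated file rules for one profile from its ALLOWED events. Exec events
    are flagged: the exec transition (ix/Px/Cx) is a policy decision for the reviewer."""
    rules = set()
    for (_op, name, mask), _count in allowed.get(profile, {}).items():
        if not name or not mask:
            continue  # non-file events (network, signal, ...) need other rule types
        suffix = "  # review: choose ix/Px/Cx" if "x" in mask else ""
        rules.add(f"{name} {mask},{suffix}")
    return sorted(rules)

if __name__ == "__main__":
    allowed, denied = summarize(SAMPLE_LOG.splitlines())
    for profile in sorted(allowed):
        print(f"{profile}: {sum(allowed[profile].values())} complain-mode (ALLOWED) event(s)")
        for rule in candidate_file_rules(allowed, profile):
            print("    " + rule)
    for profile, n in denied.items():
        print(f"{profile}: {n} enforce-mode denial(s)")
```

On a real system the input would be the kernel audit log or `journalctl -k` output rather than the embedded sample; the drafted rules are a starting point for review, not something to paste into a profile unread.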

