We decided to move the apparmor.d profiles into its own source, to help
with SRUs/uploads, since the apparmor package is part of the Ubuntu seed
and any changes would require a respin of Ubuntu images.

For that, I updated the description again. Note that I'm still
requesting a FFE for the apparmor package because we want to suggest
apparmor.d when apparmor is installed, moving away from the currently
unmaintained apparmor-profiles-extra. I also added a new MR for the
apparmor package containing that information. The new source package
apparmor.d is only available in the PPA in the description.

** Merge proposal unlinked:
   
https://code.launchpad.net/~georgiag/ubuntu/+source/apparmor/+git/apparmor/+merge/491394

** Description changed:

  ## FFE ##
  
  This is a Feature Freeze Exception request for questing for the apparmor
- package:
+ package and for a new source package called apparmor.d:
  
- I'd like to add a new package called apparmor.d which contains over 1500
- profiles from the upstream project apparmor.d [1]
+ I'd like to add a new source package called apparmor.d which contains
+ over 1500 profiles from the upstream project apparmor.d [1]
  
  These profiles will be added in "complain" mode, which means that for a
  given action, if the profile rules do not grant permission the action
  will be allowed, but the violation will be logged with a tag of the
  access being ALLOWED. This is done because we want to test these
  profiles and enable others to test and add new rules to eventually
  improve the profiles.
  
  By adding these profiles in a new package which is not installed by
  default, regular users will not be affected. But users that would like
  to test and contribute to the profiles can install it.
  
  We want to add these profiles, even in complain mode, as a new package
  (and not part of the apparmor package) because labeling certain binaries
  could cause issues with existing policy, specially those that use
  "peer". Additionally, the large amount of profiles do take a while to
  compile by the parser in the first boot. After that, a cached version of
  the profiles can be loaded directly into the kernel by the parser which
  takes considerably less time. Note again that apparmor.d will not be
  installed by default, so this will only affect users that choose to
  install it.
  
  The benefits of this change is the ability to increase the amount of
  testing for these profiles, which will then enable us to eventually ship
  them in enforce mode. More profiles means more confined applications,
  which could lead to higher security. This is the first step towards
  that.
  
- This is the PPA containing a built version of apparmor:
+ This FFE also includes the apparmor package because we want to change
+ the suggestion from the apparmor-profiles-extra package, which is no
+ longer maintained and will be deprecated in the future, to the new
+ apparmor.d.
  
- https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor2/
+ This is the PPA containing a built version of apparmor and apparmor.d:
+ 
+ https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor4/
  
  These are the installation logs:
  georgia@sec2-questing-amd64:~$ sudo apt install apparmor.d 
--allow-unauthenticated
- The following packages were automatically installed and are no longer 
required:
-   apg                      libllvm19               
linux-headers-6.15.0-3-generic  xbitmaps
-   cpp-14                   libopengl0              
linux-modules-6.15.0-3-generic  xinit
-   cpp-14-x86-64-linux-gnu  libsframe1              linux-tools-6.15.0-3       
     xorg
-   gcc-14-base              libxcb-damage0          
linux-tools-6.15.0-3-generic
-   libclang1-19             libxkbcommon-x11-0      x11-apps
-   libglu1-mesa             linux-headers-6.15.0-3  x11-session-utils
- Use 'sudo apt autoremove' to remove them.
- 
- Upgrading:
-   apparmor
- 
- Installing:
-   apparmor.d
- 
- Installing dependencies:
-   apparmor-profiles
- 
- Summary:
-   Upgrading: 1, Installing: 2, Removing: 0, Not Upgrading: 45
-   Download size: 1,160 kB
-   Space needed: 3,837 kB / 7,954 MB available
- 
- Continue? [Y/n] 
- WARNING: The following packages cannot be authenticated!
-   apparmor  apparmor-profiles  apparmor.d
- 
- Authentication warning overridden.
- Get:1 http://192.168.122.1/debs/testing questing/ apparmor 
5.0.0~alpha1-0ubuntu5 [862 kB]
- Get:2 http://192.168.122.1/debs/testing questing/ apparmor-profiles 
5.0.0~alpha1-0ubuntu5 [42.6 kB]
- Get:3 http://192.168.122.1/debs/testing questing/ apparmor.d 
5.0.0~alpha1-0ubuntu5 [256 kB]
- Fetched 1,160 kB in 0s (20.1 MB/s)  
- Preconfiguring packages ...
- (Reading database ... 225552 files and directories currently installed.)
- Preparing to unpack .../apparmor_5.0.0~alpha1-0ubuntu5_amd64.deb ...
- Unpacking apparmor (5.0.0~alpha1-0ubuntu5) over (5.0.0~alpha1-0ubuntu4) ...
- Selecting previously unselected package apparmor-profiles.
- Preparing to unpack .../apparmor-profiles_5.0.0~alpha1-0ubuntu5_all.deb ...
- Unpacking apparmor-profiles (5.0.0~alpha1-0ubuntu5) ...
- Selecting previously unselected package apparmor.d.
- Preparing to unpack .../apparmor.d_5.0.0~alpha1-0ubuntu5_amd64.deb ...
- Unpacking apparmor.d (5.0.0~alpha1-0ubuntu5) ...
- Setting up apparmor (5.0.0~alpha1-0ubuntu5) ...
- Installing new version of config file /etc/apparmor.d/hostname ...
- Installing new version of config file /etc/apparmor.d/wg ...
- Reloading AppArmor profiles 
- Skipping profile in /etc/apparmor.d/disable: brave
- Skipping profile in /etc/apparmor.d/disable: chrome
- Skipping profile in /etc/apparmor.d/disable: chromium
- Skipping profile in /etc/apparmor.d/disable: dig
- Skipping profile in /etc/apparmor.d/disable: element-desktop
- Skipping profile in /etc/apparmor.d/disable: epiphany
- Skipping profile in /etc/apparmor.d/disable: firefox
- Skipping profile in /etc/apparmor.d/disable: flatpak
- Skipping profile in /etc/apparmor.d/disable: foliate
- Skipping profile in /etc/apparmor.d/disable: free
- Skipping profile in /etc/apparmor.d/disable: fusermount3
- Skipping profile in /etc/apparmor.d/disable: hostname
- Skipping profile in /etc/apparmor.d/disable: locale
- Skipping profile in /etc/apparmor.d/disable: loupe
- Skipping profile in /etc/apparmor.d/disable: lsblk
- Skipping profile in /etc/apparmor.d/disable: lsusb
- Skipping profile in /etc/apparmor.d/disable: msedge
- Skipping profile in /etc/apparmor.d/disable: nslookup
- Skipping profile in /etc/apparmor.d/disable: openvpn
- Skipping profile in /etc/apparmor.d/disable: opera
- Skipping profile in /etc/apparmor.d/disable: os-prober
- Skipping profile in /etc/apparmor.d/disable: plasmashell
- Skipping profile in /etc/apparmor.d/disable: signal-desktop
- Skipping profile in /etc/apparmor.d/disable: slirp4netns
- Skipping profile in /etc/apparmor.d/disable: steam
- Skipping profile in /etc/apparmor.d/disable: systemd-coredump
- Skipping profile in /etc/apparmor.d/disable: systemd-detect-virt
- Skipping profile in /etc/apparmor.d/disable: thunderbird
- Skipping profile in /etc/apparmor.d/disable: transmission
- Skipping profile in /etc/apparmor.d/disable: unix-chkpwd
- Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing 
complain mode
- Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching 
disabled for: 'u
- sr.sbin.sssd' due to force complain
- Skipping profile in /etc/apparmor.d/disable: virtiofsd
- Skipping profile in /etc/apparmor.d/disable: wg-quick
- Skipping profile in /etc/apparmor.d/disable: who
- Setting up apparmor-profiles (5.0.0~alpha1-0ubuntu5) ...
- Setting up apparmor.d (5.0.0~alpha1-0ubuntu5) ...
- Processing triggers for systemd (257.7-1ubuntu3) ...
- Processing triggers for man-db (2.13.1-1) ...
- Processing triggers for procps (2:4.0.4-8ubuntu2) ...
+ #TODO
  
  georgia@sec2-questing-amd64:~$ systemctl status apparmor
- \u25cf apparmor.service - Load AppArmor profiles
-      Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; 
preset: enabled)
-      Active: active (exited) since Wed 2025-08-27 14:02:26 -03; 6min ago
-  Invocation: 99a9f158dddb41e195b8047ee23cc015
-        Docs: man:apparmor(7)
-              https://gitlab.com/apparmor/apparmor/wikis/home/
-     Process: 5054 ExecReload=/lib/apparmor/apparmor.systemd reload 
(code=exited, status=0/SUC>
-    Main PID: 529 (code=exited, status=0/SUCCESS)
-    Mem peak: 233.4M
-         CPU: 7min 24.075s
- 
- Aug 27 14:07:21 sec2-questing-amd64 apparmor.systemd[6511]: Skipping profile 
in /etc/apparmor>
- Aug 27 14:07:28 sec2-questing-amd64 apparmor.systemd[6640]: Skipping profile 
in /etc/apparmor>
- Aug 27 14:07:37 sec2-questing-amd64 apparmor.systemd[6670]: Skipping profile 
in /etc/apparmor>
- Aug 27 14:07:43 sec2-questing-amd64 apparmor.systemd[6715]: Skipping profile 
in /etc/apparmor>
- Aug 27 14:07:47 sec2-questing-amd64 apparmor.systemd[6779]: Warning: found 
usr.sbin.sssd in />
- Aug 27 14:07:47 sec2-questing-amd64 apparmor.systemd[6779]: Warning from 
/etc/apparmor.d (/et>
- Aug 27 14:07:55 sec2-questing-amd64 apparmor.systemd[6798]: Skipping profile 
in /etc/apparmor>
- Aug 27 14:08:04 sec2-questing-amd64 apparmor.systemd[6830]: Skipping profile 
in /etc/apparmor>
- Aug 27 14:08:04 sec2-questing-amd64 apparmor.systemd[6837]: Skipping profile 
in /etc/apparmor>
- Aug 27 14:08:21 sec2-questing-amd64 systemd[1]: Reloaded apparmor.service - 
Load AppArmor pro>
+ #TODO
  
  For testing, I ran the QA Regression Tests [2]:
  
  Steps:
  $ git clone https://git.launchpad.net/qa-regression-testing
  $ ./scripts/make-test-tarball ./scripts/test-apparmor.py
  Copying: test-apparmor.py
  Copying: testlib.py
  Copying: install-packages
  Copying: packages-helper
  Copying: apparmor/
  
  Test files: /tmp/qrt-test-apparmor.tar.gz
  
  To run, first install the apparmor.d package introduced in this FFE, then 
copy the tarball somewhere, then do:
  $ tar -zxf qrt-test-apparmor.tar.gz
  $ cd ./qrt-test-apparmor
  $ sudo ./install-packages test-apparmor.py
  $ ./test-apparmor.py -v
  
  This script runs various tests against the installed apparmor
  package
  
  The result was:
  
- FAILED: disconnected_mount_complain socketpair
- make: *** [Makefile:487: alltests] Error 1
+ #TODO
  
- 
- ----------------------------------------------------------------------
- Ran 62 tests in 5035.702s
- 
- FAILED (failures=1, skipped=4)
- 
- Note that these failures are not related to the apparmor.d package and
- are also reproducible with apparmor version 5.0.0~alpha1-0ubuntu4 from
- the archive.
  
  [1] https://github.com/roddhjav/apparmor.d
  [2] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2121409

Title:
  [FFE] add a new apparmor.d package containing several apparmor
  profiles

Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  ## FFE ##

  This is a Feature Freeze Exception request for questing for the
  apparmor package and for a new source package called apparmor.d:

  I'd like to add a new source package called apparmor.d which contains
  over 1500 profiles from the upstream project apparmor.d [1].

  These profiles will be added in "complain" mode, which means that for
  a given action, if the profile rules do not grant permission, the
  action will still be allowed, but the violation will be logged with
  the access tagged as ALLOWED. This is done because we want to test
  these profiles and enable others to test and add new rules to
  eventually improve the profiles.
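  Complain-mode profiles only produce value if someone reads the ALLOWED
  events they generate. The following Python script, added here as an
  illustration and not code from the apparmor.d project or the Ubuntu
  apparmor package, parses kernel audit lines of the kind a complain-mode
  profile emits, separates ALLOWED (complain) from DENIED (enforce)
  events, and turns the ALLOWED file accesses into candidate rules for a
  human to review. The audit lines are constructed for the example (the
  profile names "wg" and "hostname" are borrowed from the page's logs;
  paths, pids and timestamps are made up) and the rule format it emits is
  the plain `path mask,` file-rule syntax.

```python
"""Triage AppArmor audit lines produced by complain-mode profiles.

Added example for this FFE; not code from apparmor.d or the apparmor package.
The sample audit lines below are constructed: they follow the kernel's
key=value AppArmor audit format, but every path, pid and timestamp is made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of journal/dmesg lines (type=1400 is the AppArmor
# audit record type). ALLOWED means "would have been denied, but the
# profile is in complain mode"; DENIED comes from an enforcing profile.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1724770000.123:42): apparmor="ALLOWED" operation="open" class="file" profile="wg" name="/etc/wireguard/wg0.conf" pid=1234 comm="wg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1724770001.456:43): apparmor="ALLOWED" operation="open" class="file" profile="wg" name="/run/wireguard/wg0.sock" pid=1234 comm="wg" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1724770002.789:44): apparmor="DENIED" operation="open" class="file" profile="hostname" name="/etc/shadow" pid=1300 comm="hostname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1724770003.000:45): apparmor="ALLOWED" operation="open" class="file" profile="wg" name="/etc/wireguard/wg0.conf" pid=1235 comm="wg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1724770004.000:46): apparmor="STATUS" operation="profile_load" profile="unconfined" name="wg" pid=900 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def summarize(log_text):
    """Count ALLOWED and DENIED events per profile.

    Each event is keyed by (operation, name, requested_mask) so repeated
    accesses to the same path collapse into one entry with a count.
    """
    allowed = defaultdict(Counter)
    denied = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("type") != "1400":
            continue  # not an AppArmor audit record
        key = (ev.get("operation"), ev.get("name"), ev.get("requested_mask"))
        if ev.get("apparmor") == "ALLOWED":
            allowed[ev["profile"]][key] += 1
        elif ev.get("apparmor") == "DENIED":
            denied[ev["profile"]][key] += 1
        # STATUS and other record kinds are ignored here
    return allowed, denied


def suggest_rules(allowed):
    """Turn ALLOWED file events into candidate `path mask,` rules.

    The output is a starting point for a human reviewer, not something to
    paste into a profile unread: an ALLOWED entry may just as well show a
    bug in the confined program as a gap in the profile.
    """
    rules = defaultdict(set)
    for profile, events in allowed.items():
        for (_op, name, mask) in events:
            if name and mask:
                rules[profile].add(f"{name} {mask},")
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    allowed, denied = summarize(SAMPLE_AUDIT)
    for profile, events in allowed.items():
        print(f"profile {profile}: {sum(events.values())} ALLOWED event(s) (complain mode)")
    for profile, events in denied.items():
        print(f"profile {profile}: {sum(events.values())} DENIED event(s) (enforce mode)")
    for profile, candidates in suggest_rules(allowed).items():
        print(f"candidate rules for {profile}:")
        for rule in candidates:
            print("  " + rule)
```

  On a real system the input would come from `journalctl -k` or the audit
  log rather than the embedded string; the parser is deliberately tolerant
  of extra fields so it does not break on records with different key sets.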

  By adding these profiles in a new package which is not installed by
  default, regular users will not be affected. But users that would like
  to test and contribute to the profiles can install it.

  We want to add these profiles, even in complain mode, as a new package
  (and not part of the apparmor package) because labeling certain
  binaries could cause issues with existing policy, especially those
  that use "peer". Additionally, the large number of profiles does take
  a while for the parser to compile on first boot. After that, a cached
  version of the profiles can be loaded directly into the kernel by the
  parser, which takes considerably less time. Note again that apparmor.d
  will not be installed by default, so this will only affect users that
  choose to install it.

  The benefit of this change is the ability to increase the amount of
  testing for these profiles, which will then enable us to eventually
  ship them in enforce mode. More profiles means more confined
  applications, which could lead to higher security. This is the first
  step towards that.

  This FFE also includes the apparmor package because we want to change
  the suggestion from the apparmor-profiles-extra package, which is no
  longer maintained and will be deprecated in the future, to the new
  apparmor.d.

  This is the PPA containing a built version of apparmor and apparmor.d:

  https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor4/

  These are the installation logs:
  georgia@sec2-questing-amd64:~$ sudo apt install apparmor.d 
--allow-unauthenticated
  #TODO

  georgia@sec2-questing-amd64:~$ systemctl status apparmor
  #TODO

  For testing, I ran the QA Regression Tests [2]:

  Steps:
  $ git clone https://git.launchpad.net/qa-regression-testing
  $ ./scripts/make-test-tarball ./scripts/test-apparmor.py
  Copying: test-apparmor.py
  Copying: testlib.py
  Copying: install-packages
  Copying: packages-helper
  Copying: apparmor/

  Test files: /tmp/qrt-test-apparmor.tar.gz

  To run, first install the apparmor.d package introduced in this FFE, then copy the tarball somewhere, then do:
  $ tar -zxf qrt-test-apparmor.tar.gz
  $ cd ./qrt-test-apparmor
  $ sudo ./install-packages test-apparmor.py
  $ ./test-apparmor.py -v

  This script runs various tests against the installed apparmor
  package.

  The result was:

  #TODO

  
  [1] https://github.com/roddhjav/apparmor.d
  [2] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py



-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
