A fix was committed for this in AppArmor upstream in trunk revision 2901 and on the 2.9 branch in revision 2870.
** Changed in: apparmor Status: Confirmed => Fix Committed ** Changed in: apparmor Milestone: None => 2.9.2 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1432045 Title: pivot_root audit modifier ignored when oldroot and newroot specified Status in AppArmor Linux application security framework: Fix Committed Status in apparmor package in Ubuntu: Fix Released Bug description: $ echo "/t { pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum 422b222b6608dff7aca3420062aad3db - $ echo "/t { audit pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum 422b222b6608dff7aca3420062aad3db - $ echo "/t { audit deny pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum 9e598c327781b16acdab2d3e939279ec - Note that the audit modifier doesn't change the binary policy file but the audit deny modifier does. Also, the binary policy file changes as expected on "audit pivot_root," and "audit pivot_root oldroot=/,". That is, this bug only seems to happen when oldroot and newroot are both specified. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1432045/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp