Hi Andreas, thanks for your detailed reply and questions; and sorry for the really long delay. Sickness and an offline family vacation jumped in between, next replies will come faster!
> a) [...]
> There is an obvious name mismatch, but the thing is, the name of the file
> doesn't matter. An apparmor profile named "/usr/bin/lxc-start" will be
> created by the above profile, and it will attach to the executable
> /usr/bin/lxc-start, not to /usr/bin/lxc-copy.
>
> So in reality, /usr/bin/lxc-copy is NOT confined. Can you please elaborate on
> what is breaking for you?

Running lxc-copy for unprivileged containers fails for us, see the error messages I (a few seconds ago) pasted into the bug description.

A colleague pointed me to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces and this matches our view of the actual situation. Fixing the profile file for lxc-copy *really* helps when attempting to copy containers unprivileged here. But I have no clue why the other unconfined profiles do not have such an impact.

> b) d/changelog

Thanks for the hints, the changelog entry is fixed.

> c) Bug description

Again: thanks for the hints and links. I added and filled in the SRU bug description to the best of my knowledge. Do you think this is complete enough? Or do you see more open/missing points?

Thanks a lot and kind regards,
Nicolas

** Patch added: "[PATCH v2] apparmor: lxc-copy: Replace mistyped filename lxc-start by lxc-copy"
   https://bugs.launchpad.net/ubuntu/noble/+source/lxc/+bug/2080358/+attachment/5836401/+files/v2-0001-apparmor-lxc-copy-Replace-mistyped-filename-lxc-star.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2080358

Title:
  liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule for lxc-start

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2080358/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
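One way to catch this class of mistake before a profile ships, as an added example that is not part of the thread or of the lxc package: a POSIX shell check that pulls the attachment path out of an AppArmor profile header and compares it with the binary the profile file is named for. Both sample profiles are constructed, and the file-name convention (/etc/apparmor.d/usr.bin.lxc-copy is meant to confine /usr/bin/lxc-copy) is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample profiles (not the real Ubuntu files). The buggy one
# reproduces the mismatch from the bug: a file meant for lxc-copy whose
# header attaches the profile to /usr/bin/lxc-start instead.
BUGGY_PROFILE='#include <tunables/global>
/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/base>
  capability sys_admin,
}'
FIXED_PROFILE='#include <tunables/global>
/usr/bin/lxc-copy flags=(attach_disconnected) {
  #include <abstractions/base>
  capability sys_admin,
}'

# Print the path a profile attaches to, read from its header line.
# Handles the bare form "/usr/bin/foo flags=(...) {" and the keyword form
# "profile NAME [/path/to/foo] {". Comment and #include lines are skipped.
profile_attach_path() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*profile[[:space:]]/ {
            if ($3 ~ /^\//) { print $3 } else { print $2 }; exit
        }
        /^[[:space:]]*\// { print $1; exit }
    '
}

# Derive the intended binary from the profile file name (assumed
# convention: usr.bin.lxc-copy -> /usr/bin/lxc-copy) and compare it with
# the header. Returns 0 on a match, 1 on the kind of mismatch above.
check_profile_file() {
    file_name=$1
    contents=$2
    expected="/$(printf '%s' "$file_name" | tr '.' '/')"
    actual=$(profile_attach_path "$contents")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $file_name attaches to $actual"
        return 0
    fi
    echo "MISMATCH: $file_name attaches to '$actual', expected $expected" >&2
    return 1
}

# Demonstration over both constructed profiles; the buggy one is reported.
check_profile_file usr.bin.lxc-copy "$FIXED_PROFILE"
check_profile_file usr.bin.lxc-copy "$BUGGY_PROFILE" || true
```

Run against a real tree with `check_profile_file "$(basename "$f")" "$(cat "$f")"` for each file under /etc/apparmor.d; it only inspects the header, so abstractions and nested profiles are not parsed.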
