The bug was caused by a commit [1] in the Ubuntu kernel that would change the kernel features hash based on the status of the userns and io_uring restriction. When the policy cache was generated, userns restriction would be available and the hash under /etc/apparmor/earlypolicy/ would match the set of features with userns enabled, but when systemd executed at boot, the permission was disabled, causing the hash mismatch, so no policy would be loaded.
[1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=8bd4ee319a029669787588e648bce3c28adf4369

https://bugs.launchpad.net/bugs/2095370
Title: AppArmor early policy load not functioning
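A check for the mismatch described above, as an added example that is not part of the bug report or of AppArmor. The function name and the directory names `aaaa1111.0` and `bbbb2222.0` are constructed; the expected path is assumed to come from `apparmor_parser --print-cache-dir --cache-loc <root>`.

```shell
#!/bin/sh
# Added example: report whether an early policy cache exists for the
# feature set the kernel currently exposes.
#
# early_cache_status ROOT EXPECTED
#   ROOT      early policy location, e.g. /etc/apparmor/earlypolicy
#   EXPECTED  cache directory the kernel's current features map to; on a
#             live system (assumption):
#               apparmor_parser --print-cache-dir --cache-loc "$ROOT"
# Prints "match", "mismatch <other cache dirs>" or "empty".
early_cache_status() {
    root=$1
    expected=$2
    if [ -d "$expected" ]; then
        echo "match"
        return 0
    fi
    # The expected directory is missing. Any other per-features directory
    # means policy was compiled against a different feature set.
    stale=""
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        stale="$stale $(basename "$d")"
    done
    if [ -n "$stale" ]; then
        echo "mismatch$stale"
        return 1
    fi
    echo "empty"
    return 2
}

# Constructed demo: a cache built for one feature set, queried for two.
demo_root=$(mktemp -d)
mkdir "$demo_root/aaaa1111.0"
early_cache_status "$demo_root" "$demo_root/aaaa1111.0" || true
early_cache_status "$demo_root" "$demo_root/bbbb2222.0" || true
rm -rf "$demo_root"
```

Because the hash in this bug depended on the restriction state at the moment of loading, the expected path has to be captured in the same state systemd sees at boot; a path computed later may match even though the early load found nothing.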
