From some quick testing, it looks like this impacts the --container and --private-users flags specifically. It makes the latter unusable:
root@q-vm:~# SYSTEMD_LOG_LEVEL=debug systemd-detect-virt --container
Failed to test if in root cgroup namespace, ignoring: Permission denied
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Failed to test if in root PID namespace, ignoring: Permission denied
Found container virtualization none.
none

with denials:

[Tue Sep 9 15:22:15 2025] audit: type=1400 audit(1757431335.063:279): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1320 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Sep 9 15:22:15 2025] audit: type=1400 audit(1757431335.065:280): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1320 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

----

root@q-vm:~# SYSTEMD_LOG_LEVEL=debug systemd-detect-virt --private-users
Failed to test if in root user namespace, ignoring: Permission denied
/proc/self/uid_map has a full 1:1 mapping
/proc/self/gid_map has a full 1:1 mapping
/proc/self/setgroups: Permission denied
Failed to check for user namespace: Permission denied

with denials:

[Tue Sep 9 15:22:58 2025] audit: type=1400 audit(1757431378.096:281): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1321 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Sep 9 15:22:58 2025] audit: type=1400 audit(1757431378.098:282): apparmor="DENIED" operation="open" class="file" profile="systemd-detect-virt" name="/proc/1321/setgroups" pid=1321 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The disconnected path errors are weird, and sound like an internal AppArmor issue IIRC.
--
https://bugs.launchpad.net/bugs/2121248

Title:
  DENIED messages attributable to systemd-detect-virt profile appearing in AppArmor logs on Questing machines
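Added example, not part of the original bug comment: a small Python triage helper that parses the four AppArmor denial lines quoted above and groups them, separating the "disconnected path" getattr denials (empty name) from the denial that names a concrete file. The function names and the `<pid>` placeholder are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the four audit lines quoted in the comment above.
SAMPLE = '''
[Tue Sep 9 15:22:15 2025] audit: type=1400 audit(1757431335.063:279): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1320 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Sep 9 15:22:15 2025] audit: type=1400 audit(1757431335.065:280): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1320 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Sep 9 15:22:58 2025] audit: type=1400 audit(1757431378.096:281): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1321 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Sep 9 15:22:58 2025] audit: type=1400 audit(1757431378.098:282): apparmor="DENIED" operation="open" class="file" profile="systemd-detect-virt" name="/proc/1321/setgroups" pid=1321 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def summarise(log_text):
    """Count denials by (profile, operation, target, disconnected-path flag)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        disconnected = "disconnected path" in fields.get("info", "")
        # Collapse the per-process pid so repeated runs group together.
        target = re.sub(r"^/proc/\d+/", "/proc/<pid>/", fields.get("name", ""))
        key = (fields.get("profile"), fields.get("operation"),
               target or "(no name)", disconnected)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, target, disconnected), n in summarise(SAMPLE).items():
        kind = "disconnected path" if disconnected else "named path"
        print(f"{n}x profile={profile} op={op} target={target} [{kind}]")
```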
