Public bug reported:
Since Dec 4 2025 my log files have seen numerous messages like this:
apparmor="DENIED" operation="open" profile="snap.canonical-livepatch.canonical-livepatch" name="/proc/3985345/mountinfo" pid=3985345 comm="canonical-livep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
I see that the AppArmor profile in /var/lib/snapd/apparmor/profiles/ was
updated on Dec 3 which points to a likely explanation! I cannot claim
sufficient expertise in AppArmor to fully understand the syntax, but I
see there are many entries such as:
@{PROC}/@{pid}/stat r,
Which appear to explicitly allow a read of the process' entry in /proc,
but there is no mention of the 'mountinfo' parameter, suggesting that
has either been removed from the AppArmor profile, or it is now queried
by the snap package but has not (yet) been allowed.
Related information:
Description: Ubuntu 20.04.6 LTS
Release: 20.04
ubuntu-advantage-tools:
  Installed: 37.1ubuntu0~20.04
  Candidate: 37.1ubuntu0~20.04
  Version table:
 *** 37.1ubuntu0~20.04 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages
        100 /var/lib/dpkg/status
     20.3 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/main amd64 Packages
I would expect the livepatch process to function without triggering
DENIED behaviour by its related AppArmor profile.
** Affects: ubuntu-advantage-tools (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2134324
Title:
livepatch blocked by apparmor for mountinfo
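The check the report describes doing by eye, written out as an added example (not part of the bug report, snapd or livepatch): parse the denial and test whether any file rule in a profile excerpt covers the denied path and permission. The profile excerpt is constructed, with only the `stat` rule taken from the report, and the glob handling is a simplified subset of AppArmor's syntax.

```python
import re

# Constructed sample: the denial from the report, joined onto one line.
DENIAL = ('apparmor="DENIED" operation="open" '
          'profile="snap.canonical-livepatch.canonical-livepatch" '
          'name="/proc/3985345/mountinfo" pid=3985345 comm="canonical-livep" '
          'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000')

# Constructed profile excerpt: the stat rule is the one quoted in the report;
# the other two lines are hypothetical.
PROFILE = """
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/cmdline r,
  /var/snap/canonical-livepatch/** rw,
"""

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit message as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def rule_to_regex(path):
    """Translate a rule path to a regex. Assumption: only @{PROC}, @{pid},
    * and ** are handled; real AppArmor globbing has more forms."""
    out = []
    for tok in re.split(r'(@\{PROC\}|@\{pid\}|\*\*|\*)', path):
        out.append({'@{PROC}': '/proc', '@{pid}': '[0-9]+',
                    '**': '.*', '*': '[^/]*'}.get(tok, re.escape(tok)))
    return re.compile(''.join(out) + r'\Z')

def parse_rules(profile_text):
    """Yield (regex, permissions) for each simple 'path perms,' file rule."""
    for line in profile_text.splitlines():
        m = re.match(r'\s*(\S+)\s+([rwxmkl]+),\s*$', line)
        if m and m.group(1).startswith(('/', '@{')):
            yield rule_to_regex(m.group(1)), set(m.group(2))

def is_covered(denial, profile_text):
    """True if some rule matches the denied path and grants every denied permission."""
    want = set(denial['denied_mask'])
    return any(rx.match(denial['name']) and want <= perms
               for rx, perms in parse_rules(profile_text))

if __name__ == '__main__':
    d = parse_denial(DENIAL)
    print(d['profile'], d['name'],
          'covered' if is_covered(d, PROFILE) else 'NOT covered')
```
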