Hello Maxime,
Thank you for the response and the MR to prevent accidental mode changes on
unconfined profiles.
I believe there is a slight versioning discrepancy between the latest
package and the current Ubuntu Noble (24.04) package. While you are
referencing a profile with flags=(unconfined) and abi <abi/5.0> in the
gitlab issue, the profile currently shipped in Noble (AppArmor 4.0.1)
looks like this:
abi <abi/4.0>,
include <tunables/global>
profile runc /usr/sbin/runc {
  userns,
  include if exists <local/runc>
}
As you can see, the flags=(unconfined) is missing in the Noble-shipped
version. Because the flag is absent, running aa-enforce (which is a
requirement for our CIS hardening compliance) causes AppArmor to treat
this as a standard restrictive profile.
I have successfully mitigated this locally by adding the library
abstractions, but it seems the long-term fix for Noble should be to
align the profile with the latest version you mentioned (adding the
unconfined flag).
Please let me know if I am missing something or you need more
information in this regard.
https://bugs.launchpad.net/bugs/2142545
Title:
AppArmor runc profile restriction on Ubuntu 24.04 (Noble) due to ABI
4.0/5.0 mismatch in Anthos on VMware images
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
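The report above hinges on one detail that is easy to miss when a hardening step runs aa-enforce across every profile on a host: a profile header without flags=(unconfined) is enforced as a real rule set. The following POSIX shell script is an added example, not code from the bug report or from the AppArmor project. It audits a profile file before enforcing it: it reports the abi tag, tells you whether the profile header carries the unconfined flag, and emits a copy of the profile with the flag added. The regular expressions that pick out the abi line and the profile header are my own assumptions about the profile syntax (a single-line header ending in `{`), and the sample profile written to a temporary file is the Noble one quoted in the message, reconstructed here as test input.

```shell
#!/bin/sh
# Added example (not from the bug report or the AppArmor project): audit an
# AppArmor profile before running aa-enforce on it. Assumes a single-line
# profile header of the form "profile NAME [PATH] [flags=(...)] {".

# Print the abi version declared at the top of the profile (e.g. "4.0").
profile_abi() {
    sed -nE 's/^[[:space:]]*abi[[:space:]]+<abi\/([0-9.]+)>,.*/\1/p' "$1" | head -n 1
}

# Return 0 when the profile header lists "unconfined" inside flags=(...).
profile_is_unconfined() {
    grep -Eq '^[[:space:]]*profile[[:space:]]+[^{]*flags=\(([^)]*[,[:space:]])?unconfined([,[:space:]][^)]*)?\)' "$1"
}

# Write a copy of the profile with flags=(unconfined) on the header.
# An existing flags=(...) clause gets "unconfined," prepended; otherwise a
# fresh clause is inserted before the opening brace.
add_unconfined_flag() {
    if profile_is_unconfined "$1"; then
        cat "$1"
    elif grep -Eq '^[[:space:]]*profile[[:space:]].*flags=\(' "$1"; then
        sed -E '/^[[:space:]]*profile[[:space:]]/s/flags=\(/flags=(unconfined,/' "$1"
    else
        sed -E 's/^([[:space:]]*profile[[:space:]]+[^{]*[^[:space:]{])[[:space:]]*\{/\1 flags=(unconfined) {/' "$1"
    fi
}

# One-line verdict on what aa-enforce would do to this profile.
enforce_verdict() {
    if profile_is_unconfined "$1"; then
        echo "unconfined"      # aa-enforce leaves the program unrestricted
    else
        echo "restrictive"     # aa-enforce applies the rule set as written
    fi
}

# Constructed sample: the runc profile as quoted from Ubuntu Noble.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/runc" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile runc /usr/sbin/runc {
  userns,
  include if exists <local/runc>
}
EOF

echo "abi:     $(profile_abi "$SAMPLE_DIR/runc")"
echo "verdict: $(enforce_verdict "$SAMPLE_DIR/runc")"
add_unconfined_flag "$SAMPLE_DIR/runc" > "$SAMPLE_DIR/runc.fixed"
echo "after adding the flag: $(enforce_verdict "$SAMPLE_DIR/runc.fixed")"
```

Run it against files under /etc/apparmor.d before a compliance job calls aa-enforce; a "restrictive" verdict on a profile you expected to be a no-op is exactly the situation the report describes.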