Looking at this a bit closer with fresher eyes today. As far as I can tell, there is no strong reason to add lsm_set_self_attr to any of the default groups right now. Nor is there a need to add it to pipewire-pulse.service's SystemCallFilter=. The pipewire code only calls aa_getcon and aa_getpeercon, which only requires lsm_get_self_attr. I think that lsm_set_self_attr would mostly be needed by code that calls aa_change_profile, aa_stack_profile, etc.
From some quick codesearch[1], it seems that aa_getcon etc. is used in a few places like this for programs to guide integration with apparmor and/or snapd. While I am not sure if all of those places are also using systemd services with seccomp filtering, it's fair nonetheless to add lsm_list_modules and lsm_get_self_attr to a default group.

[1] https://codesearch.debian.net/search?q=aa_getcon&literal=1

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142428

Title:
pipewire-pulse crashes when snap clients connect because libapparmor 5.0's new lsm_get_self_attr syscall is blocked by the service's seccomp filter

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2142428/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
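Before widening a service's SystemCallFilter=, it helps to confirm from the audit trail which syscall the seccomp filter actually killed. The following is an added example, not code from the bug report or from pipewire: it parses kernel SECCOMP audit records (the type=1326 lines the kernel logs on a SIGSYS kill) and maps the syscall number to the LSM syscall names discussed above. The numbers are the x86_64 assignments from Linux 6.8 (459..461); the log lines are constructed for the example.

```python
"""Spot seccomp kills caused by the Linux 6.8 LSM syscalls in audit output.

Added example (not from the bug report): parse kernel SECCOMP audit records
and report the syscall name that a systemd SystemCallFilter= would have to
allow. Only x86_64 syscall numbers are mapped; other arches are skipped.
"""
import re

# x86_64 syscall numbers for the LSM syscall family (added in Linux 6.8).
LSM_SYSCALLS_X86_64 = {
    459: "lsm_get_self_attr",
    460: "lsm_set_self_attr",
    461: "lsm_list_modules",
}
X86_64_AUDIT_ARCH = "c000003e"  # value of arch= in audit records on x86_64

# key=value or key="quoted value" fields of an audit record
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one pipewire-pulse kill on lsm_get_self_attr, one kill on an
# unrelated syscall, and one non-SECCOMP record that must be ignored.
SAMPLE_LOG = """\
audit: type=1326 audit(1700000000.101:10): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="pipewire-pulse" exe="/usr/bin/pipewire" sig=31 arch=c000003e syscall=459 compat=0 ip=0x7f3a1c0e9e59 code=0x80000000
audit: type=1326 audit(1700000000.102:11): auid=1000 uid=1000 gid=1000 ses=2 pid=4243 comm="other" exe="/usr/bin/other" sig=31 arch=c000003e syscall=1 compat=0 ip=0x7f0 code=0x80000000
audit: type=1300 audit(1700000000.103:12): arch=c000003e syscall=459 success=yes exit=0 items=0 ppid=1 pid=4242
""".splitlines()


def parse_seccomp_record(line):
    """Return the fields of a SECCOMP (type=1326) audit record, else None."""
    if "type=1326" not in line and "type=SECCOMP" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    return fields if "syscall" in fields else None


def find_lsm_denials(lines):
    """Yield (comm, syscall_name) for every kill caused by an LSM syscall."""
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec is None or rec.get("arch") != X86_64_AUDIT_ARCH:
            continue
        name = LSM_SYSCALLS_X86_64.get(int(rec["syscall"]))
        if name:
            yield rec.get("comm", "?"), name


def suggested_filter_additions(lines):
    """Sorted syscall names to add to SystemCallFilter= for the observed kills."""
    return sorted({name for _, name in find_lsm_denials(lines)})


if __name__ == "__main__":
    for comm, name in find_lsm_denials(SAMPLE_LOG):
        print(f"{comm}: killed by seccomp on {name}")
    print("SystemCallFilter= additions:", " ".join(suggested_filter_additions(SAMPLE_LOG)))
```

On a live system, feed it `journalctl -k` or `ausearch -m SECCOMP` output instead of SAMPLE_LOG; a hit on lsm_get_self_attr from comm="pipewire-pulse" is the signature of the crash described in this bug.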
