** Description changed: Description/Rationale: Network interface mediation is a feature dependent on kernel support which allows restricting network access based on the interface that communication can be sent on by specifying the interface= conditional. eg. network inet interface=eth0 port=8080, If a rule does not specify the interface conditional, it does not restrict the interface that can be used. The interface conditional is limited to the inet, and inet6 address families, and currently only uses the SecMark label, this means the packet label is limited to use on host and is not carried across the network. Note that this new feature is under a new ABI, which does not affect existing policy, and can be used by customers that are intentionally trying to mediate network interface. Since that's the case, this feature has a low regression potential, since there is no change on current policy shipped by Ubuntu. While we build the package, the changes to the source code are in https://gitlab.com/georgiag/apparmor/-/commits/iface5.0-beta1?ref_type=heads (5 patches committed Mar 19, 2026) -------------------------------------------------------------------------- The package has been successfully built locally and can also be accessed as 5.0.0~beta1-0ubuntu5~ppa1 from a PPA build at https://launchpad.net/~rlee287/+archive/ubuntu/apparmor- staging/+packages. - # TODO: install logs - # TODO: upgrade logs + Upgrade log: - #TODO add verification that the new package: Builds, Installs, Upgrades, - Does not break packages depending on it (or that corresponding updates - have been prepared) + $ sudo apt upgrade + Upgrading: + apparmor libapparmor1 + + Summary: + Upgrading: 2, Installing: 0, Removing: 0, Not Upgrading: 0 + Download size: 534 kB + Freed space: 243 kB + + Continue? 
[Y/n] y + Get:1 http://192.168.122.1/debs/testing resolute/ libapparmor1 5.0.0~beta1-0ubuntu5~ppa1 [49.7 kB] + Get:2 http://192.168.122.1/debs/testing resolute/ apparmor 5.0.0~beta1-0ubuntu5~ppa1 [484 kB] + Fetched 534 kB in 0s (49.9 MB/s) + Preconfiguring packages ... + (Reading database… 198829 files and directories currently installed.) + Preparing to unpack …/libapparmor1_5.0.0~beta1-0ubuntu5~ppa1_amd64.deb… + Unpacking libapparmor1:amd64 (5.0.0~beta1-0ubuntu5~ppa1) over (5.0.0~beta1-0ubun + tu3)… + Preparing to unpack …/apparmor_5.0.0~beta1-0ubuntu5~ppa1_amd64.deb… + Unpacking apparmor (5.0.0~beta1-0ubuntu5~ppa1) over (5.0.0~beta1-0ubuntu3)… + Setting up libapparmor1:amd64 (5.0.0~beta1-0ubuntu5~ppa1)… + Setting up apparmor (5.0.0~beta1-0ubuntu5~ppa1)… + Installing new version of config file /etc/apparmor.d/abstractions/transmission- + common… + Reloading AppArmor profiles + Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain + mode + Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching di + sabled for: 'usr.sbin.sssd' due to force complain + Processing triggers for libc-bin (2.43-2ubuntu1)… + Processing triggers for systemd (259.3-0ubuntu1)… + Processing triggers for man-db (2.13.1-1build1)… + Processing triggers for procps (2:4.0.4-9ubuntu1)… + + Install log (after manual uninstall, as apparmor is installed by default): + $ sudo apt install apparmor + [sudo: authenticate] Password: + Installing: + apparmor + + Suggested packages: + apparmor-profiles-extra apparmor-utils + + Summary: + Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0 + Download size: 484 kB + Space needed: 2,230 kB / 7,816 MB available + + Get:1 http://192.168.122.1/debs/testing resolute/ apparmor 5.0.0~beta1-0ubuntu5~ppa1 [484 kB] + Fetched 484 kB in 0s (0 B/s) + Preconfiguring packages ... + Selecting previously unselected package apparmor. + (Reading database… 198688 files and directories currently installed.) 
+ Preparing to unpack …/apparmor_5.0.0~beta1-0ubuntu5~ppa1_amd64.deb… + Unpacking apparmor (5.0.0~beta1-0ubuntu5~ppa1)… + Setting up apparmor (5.0.0~beta1-0ubuntu5~ppa1)… + Reloading AppArmor profiles + AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.lib.sna + pd.snap-confine.real at line 13: Could not open '/var/lib/snapd/apparmor/snap-co + nfine' + Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain + mode + Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching di + sabled for: 'usr.sbin.sssd' due to force complain + Error: At least one profile failed to load + Processing triggers for systemd (259.3-0ubuntu1)… + Processing triggers for man-db (2.13.1-1build1)… + Processing triggers for procps (2:4.0.4-9ubuntu1)… -------------------- This FFe has been tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py Steps: $ git clone https://git.launchpad.net/qa-regression-testing $ ./scripts/make-test-tarball ./scripts/test-apparmor.py Copying: test-apparmor.py Copying: testlib.py Copying: install-packages Copying: packages-helper Copying: apparmor/ Test files: /tmp/qrt-test-apparmor.tar.gz To run, copy the tarball somewhere, then do: $ tar -zxf qrt-test-apparmor.tar.gz $ cd ./qrt-test-apparmor $ sudo ./install-packages test-apparmor.py $ ./test-apparmor.py -v This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package: - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads 
The final test output is attached in a comment below. -------------------------------------------------------------------------- Output of seeded-in-ubuntu: $ seeded-in-ubuntu apparmor apparmor (from apparmor) is seeded in: edubuntu: daily-live, daily-preinstalled kubuntu: daily-live lubuntu: daily-live ubuntu-budgie: daily-live ubuntu-core-installer: daily-live ubuntu-mate: daily-live ubuntu-server: daily-live, daily-preinstalled ubuntu-unity: daily-live ubuntu-wsl: daily-live ubuntu: daily-dangerous, daily-live, daily-preinstalled ubuntucinnamon: daily-live ubuntukylin: daily-live ubuntustudio: daily-live xubuntu: daily-live, daily-minimal apparmor-profiles (from apparmor) is seeded in: ubuntu: supported apparmor-utils (from apparmor) is seeded in: ubuntu: supported libapache2-mod-apparmor (from apparmor) is seeded in: ubuntu: supported libapparmor-dev (from apparmor) is seeded in: ubuntu: supported libapparmor1 (from apparmor) is seeded in: edubuntu: daily-live, daily-preinstalled kubuntu: daily-live lubuntu: daily-live ubuntu-budgie: daily-live ubuntu-core-installer: daily-live ubuntu-mate: daily-live ubuntu-server: daily-live, daily-preinstalled ubuntu-unity: daily-live ubuntu-wsl: daily-live ubuntu: daily-dangerous, daily-live, daily-preinstalled ubuntucinnamon: daily-live ubuntukylin: daily-live ubuntustudio: daily-live xubuntu: daily-live, daily-minimal libpam-apparmor (from apparmor) is seeded in: ubuntu: supported python3-apparmor (from apparmor) is seeded in: ubuntu: supported python3-libapparmor (from apparmor) is seeded in: ubuntu: supported
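Review bot: the removed TODO also asked for verification that the new package "Does not break packages depending on it (or that corresponding updates have been prepared)", and the added upgrade and install logs only cover the Installs and Upgrades items. Suggest adding a line stating how the reverse dependencies were checked, or keeping that part of the TODO in the description until it has been done.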
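Review bot: the added install log ends with "AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.lib.snapd.snap-confine.real at line 13: Could not open '/var/lib/snapd/apparmor/snap-confine'" followed by "Error: At least one profile failed to load", and the description says nothing about it. The upgrade log shows only the usr.sbin.sssd force-complain warnings, so the failure appears only on the path that follows the manual uninstall. Suggest adding a sentence stating whether the same uninstall and reinstall sequence with 5.0.0~beta1-0ubuntu3 produces the same error, so that a reader can tell it apart from a regression in the new package.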
https://bugs.launchpad.net/bugs/2144679
Title: FFe: add network interface mediation to 26.04
