Package: apparmor
Version: 4.1.0-1
Severity: normal
X-Debbugs-Cc: jarl.gullb...@gmail.com
Dear Maintainer,

The AppArmor profile for crun that ships with AppArmor 4.1 in Debian 13 is currently rendering crun entirely unusable when enabled. crun utilizes a security feature wherein it copies itself into memory and seals the file descriptor to that portion (create_memfd); however, that functionality appears to be interacting badly with AppArmor. As crun does this as its first operation at startup, crun fails before any useful code can execute and bails out.

Here are some relevant logs from executions of crun with the profile in complain and disabled mode, respectively:

https://gist.github.com/Nihlus/38b6d32aca1bc3e99f7de2a1ab8973c5

I've included both dmesg (cleared before executing crun) and an strace of both a successful and a failing execution. The relevant code in crun that's failing is here:

https://github.com/containers/crun/blob/1.21/src/crun.c#L438

Let me know if there's any additional information I can provide. Please ignore the mass of changes to other profiles - I was turning things on and off en masse while testing.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.22-cloud-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  libc6                  2.41-7

apparmor recommends no packages.
Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           4.1.0-1

-- Configuration Files:
/etc/apparmor.d/1password changed [not included]
/etc/apparmor.d/Discord changed [not included]
/etc/apparmor.d/MongoDB_Compass changed [not included]
/etc/apparmor.d/QtWebEngineProcess changed [not included]
/etc/apparmor.d/Xorg changed [not included]
/etc/apparmor.d/balena-etcher changed [not included]
/etc/apparmor.d/brave changed [not included]
/etc/apparmor.d/buildah changed [not included]
/etc/apparmor.d/busybox changed [not included]
/etc/apparmor.d/cam changed [not included]
/etc/apparmor.d/ch-checkns changed [not included]
/etc/apparmor.d/ch-run changed [not included]
/etc/apparmor.d/chrome changed [not included]
/etc/apparmor.d/chromium changed [not included]
/etc/apparmor.d/code changed [not included]
/etc/apparmor.d/crun changed [not included]
/etc/apparmor.d/devhelp changed [not included]
/etc/apparmor.d/element-desktop changed [not included]
/etc/apparmor.d/epiphany changed [not included]
/etc/apparmor.d/evolution changed [not included]
/etc/apparmor.d/firefox changed [not included]
/etc/apparmor.d/flatpak changed [not included]
/etc/apparmor.d/foliate changed [not included]
/etc/apparmor.d/geary changed [not included]
/etc/apparmor.d/github-desktop changed [not included]
/etc/apparmor.d/goldendict changed [not included]
/etc/apparmor.d/ipa_verify changed [not included]
/etc/apparmor.d/kchmviewer changed [not included]
/etc/apparmor.d/keybase changed [not included]
/etc/apparmor.d/lc-compliance changed [not included]
/etc/apparmor.d/libcamerify changed [not included]
/etc/apparmor.d/linux-sandbox changed [not included]
/etc/apparmor.d/loupe changed [not included]
/etc/apparmor.d/lsb_release changed [not included]
/etc/apparmor.d/lxc-attach changed [not included]
/etc/apparmor.d/lxc-create changed [not included]
/etc/apparmor.d/lxc-destroy changed [not included]
/etc/apparmor.d/lxc-execute changed [not included]
/etc/apparmor.d/lxc-stop changed [not included]
/etc/apparmor.d/lxc-unshare changed [not included]
/etc/apparmor.d/lxc-usernsexec changed [not included]
/etc/apparmor.d/mmdebstrap changed [not included]
/etc/apparmor.d/msedge changed [not included]
/etc/apparmor.d/nautilus changed [not included]
/etc/apparmor.d/notepadqq changed [not included]
/etc/apparmor.d/nvidia_modprobe changed [not included]
/etc/apparmor.d/obsidian changed [not included]
/etc/apparmor.d/opam changed [not included]
/etc/apparmor.d/opera changed [not included]
/etc/apparmor.d/pageedit changed [not included]
/etc/apparmor.d/polypane changed [not included]
/etc/apparmor.d/privacybrowser changed [not included]
/etc/apparmor.d/qcam changed [not included]
/etc/apparmor.d/qmapshack changed [not included]
/etc/apparmor.d/qutebrowser changed [not included]
/etc/apparmor.d/rootlesskit changed [not included]
/etc/apparmor.d/rpm changed [not included]
/etc/apparmor.d/rssguard changed [not included]
/etc/apparmor.d/runc changed [not included]
/etc/apparmor.d/sbuild changed [not included]
/etc/apparmor.d/sbuild-abort changed [not included]
/etc/apparmor.d/sbuild-adduser changed [not included]
/etc/apparmor.d/sbuild-apt changed [not included]
/etc/apparmor.d/sbuild-checkpackages changed [not included]
/etc/apparmor.d/sbuild-clean changed [not included]
/etc/apparmor.d/sbuild-createchroot changed [not included]
/etc/apparmor.d/sbuild-destroychroot changed [not included]
/etc/apparmor.d/sbuild-distupgrade changed [not included]
/etc/apparmor.d/sbuild-hold changed [not included]
/etc/apparmor.d/sbuild-shell changed [not included]
/etc/apparmor.d/sbuild-unhold changed [not included]
/etc/apparmor.d/sbuild-update changed [not included]
/etc/apparmor.d/sbuild-upgrade changed [not included]
/etc/apparmor.d/scide changed [not included]
/etc/apparmor.d/signal-desktop changed [not included]
/etc/apparmor.d/slack changed [not included]
/etc/apparmor.d/slirp4netns changed [not included]
/etc/apparmor.d/steam changed [not included]
/etc/apparmor.d/stress-ng changed [not included]
/etc/apparmor.d/surfshark changed [not included]
/etc/apparmor.d/systemd-coredump changed [not included]
/etc/apparmor.d/toybox changed [not included]
/etc/apparmor.d/transmission changed [not included]
/etc/apparmor.d/trinity changed [not included]
/etc/apparmor.d/tup changed [not included]
/etc/apparmor.d/tuxedo-control-center changed [not included]
/etc/apparmor.d/userbindmount changed [not included]
/etc/apparmor.d/uwsgi-core changed [not included]
/etc/apparmor.d/vdens changed [not included]
/etc/apparmor.d/virtiofsd changed [not included]
/etc/apparmor.d/vivaldi-bin changed [not included]
/etc/apparmor.d/vpnns changed [not included]
/etc/apparmor.d/wike changed [not included]
/etc/apparmor.d/wpcom changed [not included]

-- debconf information excluded
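The report above describes crun copying itself into an anonymous memory file and sealing the descriptor before doing anything else. The following C program is an added illustration of that mechanism, not code from crun or from the bug report: it creates a sealable memfd the same way (memfd_create with MFD_ALLOW_SEALING, write the bytes, then F_ADD_SEALS), verifies from the outside that the seals actually took, and reads back the name the kernel gives the descriptor under /proc, which is the string I would expect to see in the dmesg DENIED lines when diagnosing a profile interaction like this one. The function names, the IMMUTABLE_SEALS constant and the sample payload are mine; the payload is constructed bytes, not an ELF image, and the program stops short of the fexecve that a real runtime would perform next.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Linux UAPI values, used only if the libc headers hide them behind feature
 * macros; they match <linux/fcntl.h> and <linux/memfd.h>. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif

/* "Make it immutable": nothing can shrink, grow, write to or re-seal the
 * file afterwards. Constant name is mine, not crun's. */
#define IMMUTABLE_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)

/* Create a sealable memfd called `name`, copy `len` bytes of `payload` into
 * it and seal it. Returns the fd, or -1 with errno set. The raw syscall is
 * used instead of glibc's memfd_create() wrapper so the example does not
 * depend on feature-macro ordering. */
int make_sealed_memfd(const char *name, const void *payload, size_t len)
{
    int fd = (int)syscall(SYS_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;

    const char *p = payload;
    size_t done = 0;
    while (done < len) {                       /* write() may be partial */
        ssize_t n = write(fd, p + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            int saved = errno; close(fd); errno = saved;
            return -1;
        }
        done += (size_t)n;
    }
    if (fcntl(fd, F_ADD_SEALS, IMMUTABLE_SEALS) < 0) {
        int saved = errno; close(fd); errno = saved;
        return -1;
    }
    return fd;
}

/* Seal bitmask currently applied to fd, or -1 on error. */
int get_seals(int fd)
{
    return fcntl(fd, F_GET_SEALS);
}

/* 1 if the kernel now refuses writes with EPERM (seals are effective),
 * 0 if a write still succeeds, -1 on any other error. pwrite() is used so
 * the check does not disturb the file offset. */
int is_write_sealed(int fd)
{
    char byte = 'x';
    ssize_t n = pwrite(fd, &byte, 1, 0);
    if (n == 1)
        return 0;
    if (n < 0 && errno == EPERM)
        return 1;
    return -1;
}

/* Resolve /proc/self/fd/N to the kernel's name for the memfd, typically
 * "/memfd:<name> (deleted)". Returns the length, or -1 if /proc is unusable. */
ssize_t memfd_link_name(int fd, char *buf, size_t bufsz)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(path, buf, bufsz - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

int main(void)
{
    static const char payload[] = "constructed sample bytes, not a real ELF image";
    int fd = make_sealed_memfd("crun", payload, sizeof payload);
    if (fd < 0) {
        perror("make_sealed_memfd");
        return 1;
    }
    char name[128] = "(no /proc)";
    memfd_link_name(fd, name, sizeof name);
    printf("fd=%d seals=0x%x write_sealed=%d name=%s\n",
           fd, get_seals(fd), is_write_sealed(fd), name);
    close(fd);
    return 0;
}
```

Two things are worth noting when reading the output against the report. First, once F_SEAL_SEAL is in the set, even the creating process can no longer change the seals, so a runtime that does this has genuinely locked its own in-memory copy. Second, the descriptor has no path on any filesystem, only the "/memfd:name (deleted)" pseudo-name, which is why a profile written purely in terms of on-disk paths can behave differently for the sealed copy than for the binary it was copied from.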