Control: tag -1 + moreinfo

Hi,

Jarl Gullberg (2025-05-02):
> The AppArmor profile for crun that ships with AppArmor 4.1 in Debian 13 is
> currently rendering crun entirely unusable when enabled.

What do you mean with "when enabled" here?

I'm asking because:

- This profile is intentionally shipped in unconfined mode, as
  explained in the comment on top of the file.

- In this default configuration, on current sid, crun fails with
  "please specify a command", which matches what I understand is your
  desired successful status, and not the failure (where I would see
  "Failed to re-execute libcrun via memory file descriptor").

If by "when enabled" you mean "when manually switched from unconfined
to complain mode", then I think that's 1 other instance of "complain
mode blocks stuff when it should not", which IIRC is tracked upstream
somewhere. Other limitations include "'deny' rules will be enforced
even in complain mode" (quoting aa-complain(8)).

Cheers,
-- 
intrigeri