That's correct - it ships unconfined, but when set to complain or enforce crun is unusable.
It's fairly common to require all installed apparmor profiles to be set as enforcing when doing security audits / certifications (or have a damn good documented reason why it's not), which is how I stumbled over this. It was working in Debian 12, though saying that I'm actually not sure if a crun profile was shipped at all in bookworm.

On Tue, 6 May 2025, 14:48 intrigeri, <intrig...@debian.org> wrote:

> Control: tag -1 + moreinfo
>
> Hi,
>
> Jarl Gullberg (2025-05-02):
> > The AppArmor profile for crun that ships with AppArmor 4.1 in Debian 13
> > is currently rendering crun entirely unusable when enabled.
>
> What do you mean with "when enabled" here?
>
> I'm asking because:
>
> - This profile is intentionally shipped in unconfined mode, as
>   explained in the comment on top of the file.
>
> - In this default configuration, on current sid, crun fails with
>   "please specify a command", which matches what I understand is your
>   desired successful status, and not the failure (where I would see
>   "Failed to re-execute libcrun via memory file descriptor").
>
> If by "when enabled" you mean "when manually switched from unconfined
> to complain mode", then I think that's 1 other instance of "complain
> mode blocks stuff when it should not", which IIRC is tracked
> upstream somewhere. Other limitations include "'deny' rules will be
> enforced even in complain mode" (quoting aa-complain(8)).
>
> Cheers,
> --
> intrigeri
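The audit requirement described above (every installed profile in enforce mode, or a documented reason why not) is easy to check mechanically. The script below is an added example, not code from this bug thread, from Debian or from the AppArmor project. It assumes the `aa-status --json` output shape, a top-level "profiles" object mapping each profile name to its mode ("enforce", "complain", "unconfined", ...); the sample status document embedded in it is constructed, not captured from a real host.

```python
"""Audit which loaded AppArmor profiles are not in enforce mode.

Added example for the thread above; it assumes the `aa-status --json`
format: {"profiles": {"<profile name>": "<mode>", ...}, ...}. On a real
host you would feed it the output of `aa-status --json` instead of the
constructed sample below.
"""
import json
from typing import Dict, List, Optional

# Constructed sample resembling `aa-status --json` output (not real data).
SAMPLE_STATUS = json.dumps({
    "version": "2",
    "profiles": {
        "/usr/sbin/cupsd": "enforce",
        "crun": "unconfined",      # shipped unconfined, as discussed in the thread
        "/usr/bin/man": "complain",
    },
    "processes": {},
})


def non_enforcing_profiles(status_json: str) -> Dict[str, str]:
    """Return {profile: mode} for every loaded profile whose mode is not 'enforce'.

    Note that complain mode is not a no-op: per aa-complain(8) (quoted in the
    thread), 'deny' rules are still enforced there, so a complain-mode profile
    can still break a program. It is nevertheless reported here, because it is
    not full enforcement either.
    """
    status = json.loads(status_json)
    profiles = status.get("profiles", {})
    return {name: mode for name, mode in profiles.items() if mode != "enforce"}


def audit_report(status_json: str,
                 exceptions: Optional[Dict[str, str]] = None) -> List[str]:
    """One line per non-enforcing profile.

    `exceptions` maps a profile name to its documented reason for not being
    enforced; such profiles are reported as accepted risk rather than findings.
    """
    exceptions = exceptions or {}
    lines = []
    for name, mode in sorted(non_enforcing_profiles(status_json).items()):
        if name in exceptions:
            lines.append(f"ACCEPTED {name} ({mode}): {exceptions[name]}")
        else:
            lines.append(f"FINDING  {name} is in {mode} mode, expected enforce")
    return lines


if __name__ == "__main__":
    # The documented reason here is a placeholder describing the situation in the thread.
    documented = {"crun": "profile unusable in complain/enforce mode, see Debian bug report"}
    for line in audit_report(SAMPLE_STATUS, documented):
        print(line)
```

Run against a live system with `aa-status --json > status.json` and pass the file contents to `audit_report`; every FINDING line is a profile that either needs to be switched to enforce or needs a written exception added to the `exceptions` map.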