It might be ok. It's my understanding that the cups-browsed postinst, which called apparmor_parser, does not change the loaded profile (because of the undefined variable), but the last "reloading apparmor profiles" at the end of the transaction will do it. But I'm going to confirm that.
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/2123870 Title: apparmor several profiles incompatible with new coreutils scheme Status in akonadi package in Ubuntu: In Progress Status in apparmor package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Invalid Status in chrony package in Ubuntu: Invalid Status in clamav package in Ubuntu: Invalid Status in cups-browsed package in Ubuntu: Confirmed Status in digikam package in Ubuntu: Invalid Status in evince package in Ubuntu: In Progress Status in libvirt package in Ubuntu: In Progress Status in pollinate package in Ubuntu: Confirmed Status in postsrsd package in Ubuntu: Invalid Status in surf package in Ubuntu: In Progress Status in swtpm package in Ubuntu: Invalid Status in tcpdump package in Ubuntu: Invalid Status in tor package in Ubuntu: Invalid Status in torbrowser-launcher package in Ubuntu: Invalid Status in ubuntu-advantage-tools package in Ubuntu: In Progress Status in unbound package in Ubuntu: Invalid Bug description: apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils binaries are incompatible with gnu-coreutils v. 9.5-1ubuntu2 released on May 08, 2025. Minimally this looks to affect wg-quick profile. But there may be other profiles that are affected. gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink and 105 other utilities in /usr/bin which point to /usr/bin/gnu<toolname>. Apparmor resolves the symlink to the real target path which then breaks any apparmor profile which referenced the format /usr/bin or /usr/sbin utility name. The result is many DENIED operations for any symlinked gnu-coreutils command. This bug appears to affect any apparmor profile in Ubuntu questing which happens to set file-based mediation rules for any of the symlinked utilities below: Any profile which has specific file rules related to these utilities will likely have DENIED messages in Ubuntu questing of the format: pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Symlinked utilities due to gnu-coreutils: /usr/bin/arch /usr/bin/b2sum /usr/bin/base32 /usr/bin/base64 /usr/bin/basename /usr/bin/basenc /usr/bin/cat /usr/bin/chcon /usr/bin/chgrp /usr/bin/chmod /usr/bin/chown /usr/bin/cksum /usr/bin/comm /usr/bin/cp /usr/bin/csplit /usr/bin/cut /usr/bin/date /usr/bin/dd /usr/bin/df /usr/bin/dir /usr/bin/dircolors /usr/bin/dirname /usr/bin/du /usr/bin/echo /usr/bin/env /usr/bin/expand /usr/bin/expr /usr/bin/factor /usr/bin/false /usr/bin/fmt /usr/bin/fold /usr/bin/groups /usr/bin/head /usr/bin/hostid /usr/bin/id /usr/bin/install /usr/bin/join /usr/bin/link /usr/bin/ln /usr/bin/logname /usr/bin/ls /usr/bin/md5sum /usr/bin/mkdir /usr/bin/mkfifo /usr/bin/mknod /usr/bin/mktemp /usr/bin/mv /usr/bin/nice /usr/bin/nl /usr/bin/nohup /usr/bin/nproc /usr/bin/numfmt /usr/bin/od /usr/bin/paste /usr/bin/pathchk /usr/bin/pinky /usr/bin/pr /usr/bin/printenv /usr/bin/printf /usr/bin/ptx /usr/bin/pwd /usr/bin/readlink /usr/bin/realpath /usr/bin/rm /usr/bin/rmdir /usr/bin/runcon /usr/bin/seq /usr/bin/sha1sum /usr/bin/sha224sum /usr/bin/sha256sum /usr/bin/sha384sum /usr/bin/sha512sum /usr/bin/shred /usr/bin/shuf /usr/bin/sleep /usr/bin/sort /usr/bin/split /usr/bin/stat /usr/bin/stdbuf /usr/bin/stty /usr/bin/sum /usr/bin/sync /usr/bin/tac /usr/bin/tail /usr/bin/tee /usr/bin/test /usr/bin/timeout /usr/bin/touch /usr/bin/tr /usr/bin/true /usr/bin/truncate /usr/bin/tsort /usr/bin/tty /usr/bin/uname /usr/bin/unexpand /usr/bin/uniq /usr/bin/unlink /usr/bin/users /usr/bin/vdir /usr/bin/wc /usr/bin/who /usr/bin/whoami /usr/bin/yes /usr/sbin/chroot ### steps to reproduce lxc launch ubuntu-daily:questing --vm kvm-q lxc exec kvm-q bash apt-get update --yes apt-get install wireguard-tools --yes modprobe wireguard su - ubuntu umask 077 wg genkey > wg0.key wg pubkey < wg0.key > wg0.pub <CTRL-D> root@kvm-q:~# KEY=`cat /home/ubuntu/wg0.key` root@kvm-q:~# PUBKEY=`cat /home/ubuntu/wg0.pub` root@kvm-q:~# cat > /etc/wireguard/wg0.conf <<EOF [Interface] Address = 192.168.254.1/32 ListenPort = 51820 PrivateKey = ${KEY} [Peer] PublicKey = ${PUBKEY} AllowedIPs = 192.168.254.2/32 EOF systemctl restart wg-quick@wg echo $? journalctl -u [email protected] ``` Sep 15 17:49:19 kvm-q systemd[1]: Starting [email protected] - WireGuard via wg-quick(8) for wg... Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied Sep 15 17:49:19 kvm-q systemd[1]: [email protected]: Main process exited, code=exited, status=126/n/a Sep 15 17:49:19 kvm-q systemd[1]: [email protected]: Failed with result 'exit-code'. Sep 15 17:49:19 kvm-q systemd[1]: Failed to start [email protected] - WireGuard via wg-quick(8) for wg. ``` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/akonadi/+bug/2123870/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
