[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
I have implemented a patch for this issue, but before submitting it, I want to understand its origin to determine if other edge cases need to be addressed. Do you know which profile created this issue? Perhaps running `sudo grep -r "runbindable*/*" /etc/apparmor.d` could help identify the source of this issue.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065685

Title:
  aa-logprof fails with 'runbindable' error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
So, the error was related to passt, not apparmor. This is because it uses an incorrect rule in abstractions/passt. By design, rules containing some options, such as runbindable, cannot include a source. I just sent the following patch for passt that should solve your issue: https://archives.passt.top/passt-dev/20240517115053.53072-1-maxime.bel...@canonical.com/T/#u , i.e. you need to modify `mount options=(rw, runbindable) /,` in /etc/apparmor.d/abstractions/passt to `mount options=(rw, runbindable) -> /,`

That being said, I will probably send a merge request to apparmor so that, in similar cases where the source is '/', mount does not fail, thereby preventing similar future errors.

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Committed

--
https://bugs.launchpad.net/bugs/2065685
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
@Christian Thank you for pointing this out. After investigation, I found that this bug stems from the following restriction not being implemented consistently in aa-* and apparmor_parser.

> $ man 2 mount
>
> If mountflags includes one of MS_SHARED, MS_PRIVATE, MS_SLAVE, or
> MS_UNBINDABLE [...] The source, and filesystemtype [...] arguments are
> ignored.

- In aa-*: source must be empty, or it will trigger an error (cf. this bug).
- In apparmor_parser: source and destination cannot be set simultaneously (leading to the behavior you described). Also, setting the source or the destination is equivalent. That means that `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are equivalent.

This bug should be fixed by https://gitlab.com/apparmor/apparmor/-/merge_requests/1236, which aligns the behavior of aa-* with apparmor_parser, since the latter is more permissive.

--
https://bugs.launchpad.net/bugs/2065685
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
** Changed in: apparmor (Ubuntu)
       Status: New => Fix Committed

--
https://bugs.launchpad.net/bugs/2065685
[Bug 2083435] Re: AppArmor 4.1.0-beta1 contains an ABI break for aa_log_record
This bug is fixed by https://gitlab.com/apparmor/apparmor/-/merge_requests/1345

** Changed in: apparmor
     Assignee: (unassigned) => Maxime Bélair (mbelair)

--
https://bugs.launchpad.net/bugs/2083435
[Bug 2067900] Re: apparmor unconfined profile blocks pivot_root
Verification completed on noble kernel 6.8.0-56.58:

$ lxc launch ubuntu:24.04 test -c security.nesting=true
Launching test
$ lxc exec test bash
root@test:~# uname -a
Linux test 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
root@test:~# apt update; apt install -y docker.io
[...]
root@test:~# docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

--
https://bugs.launchpad.net/bugs/2067900
[Bug 2067900] Re: apparmor unconfined profile blocks pivot_root
** Tags removed: verification-needed-noble-linux
** Tags added: verification-done-noble-linux

--
https://bugs.launchpad.net/bugs/2067900
[Bug 2101869] [NEW] apparmor utils tools cannot parse fusermount3 profile
Public bug reported:

On Ubuntu Plucky, apparmor utils tools such as aa-notify, aa-logprof and aa-cleanprof cannot parse the fusermount3 profile.

$ aa-notify -p
skipping unparseable profile /etc/apparmor.d/fusermount3 (Can't parse mount rule mount fstype=fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/,)

This bug happens because mount rules may include labels as sources, but the existing regex did not permit hyphens, incorrectly marking valid labels like 'revokefs-fuse' as invalid.

This bug is fixed upstream by https://gitlab.com/apparmor/apparmor/-/merge_requests/1565

apparmor-utils version: 4.1.0~beta5-0ubuntu6

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/2101869
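Both parsing problems in this digest come down to how a tool tokenises an AppArmor mount rule: the hyphenated label `revokefs-fuse` rejected in this report, and the propagation-only rules from bug 2065685 (`mount options=(unbindable) /a,` versus `mount options=(unbindable) -> /a,`), where mount(2) ignores the source, so a lone path is really the destination and source plus destination together is an error. The Python below is an added example written for this page, not code from the AppArmor utils or from the merge requests linked here. Its regex is a simplified stand-in for the utils' real mount-rule regex, and `PROPAGATION_OPTS`, the `_TOKEN_CHARS_*` classes and all function names are assumptions made for the illustration. It generalises a little beyond the two reports: it shows the old and new tokenisers side by side and normalises any of the eight propagation options, not only `unbindable`/`runbindable`.

```python
"""Toy parser for AppArmor mount rules (constructed example, not the utils' code)."""
import re

# Options that map to MS_SHARED / MS_PRIVATE / MS_SLAVE / MS_UNBINDABLE.
# mount(2) ignores the source argument for these, so a rule such as
# `mount options=(unbindable) /a,` really names a destination. (Assumed set.)
PROPAGATION_OPTS = {
    "shared", "rshared", "private", "rprivate",
    "slave", "rslave", "unbindable", "runbindable",
}

# Characters accepted in an unquoted path or label. The only difference between
# the two classes is the trailing '-': without it a label such as 'revokefs-fuse'
# stops matching at the hyphen and the whole rule is rejected, as in the report.
_TOKEN_CHARS_OLD = r"\w./*?{},\[\]@:^"
_TOKEN_CHARS_NEW = _TOKEN_CHARS_OLD + "-"


def _build_regex(token_chars):
    """Build `mount [fstype=X] [options=(...)] [source] [-> dest],` matcher."""
    token = r'(?:"[^"]*"|[' + token_chars + r"]+)"
    return re.compile(
        r"^\s*mount"
        r"(?:\s+fstype=(?P<fstype>\(.*?\)|\S+))?"
        r"(?:\s+options=(?P<options>\(.*?\)|\S+))?"
        r"(?:\s+(?P<source>" + token + r"))?"
        r"(?:\s+->\s+(?P<dest>" + token + r"))?"
        r"\s*,\s*$"
    )


MOUNT_RULE_OLD = _build_regex(_TOKEN_CHARS_OLD)  # rejects hyphenated labels
MOUNT_RULE_NEW = _build_regex(_TOKEN_CHARS_NEW)  # accepts them


def _unquote(tok):
    """Strip surrounding double quotes; an empty quoted token counts as absent."""
    if tok is None:
        return None
    if tok.startswith('"') and tok.endswith('"'):
        tok = tok[1:-1]
    return tok or None


def parse_mount_rule(rule, allow_hyphen_in_labels=True):
    """Split one mount rule into its parts, or raise ValueError like aa-notify."""
    regex = MOUNT_RULE_NEW if allow_hyphen_in_labels else MOUNT_RULE_OLD
    m = regex.match(rule)
    if m is None:
        raise ValueError(f"Can't parse mount rule {rule.strip()}")
    raw_opts = (m.group("options") or "").strip("()")
    return {
        "fstype": m.group("fstype"),
        "options": [o.strip() for o in raw_opts.split(",") if o.strip()],
        "source": _unquote(m.group("source")),
        "dest": _unquote(m.group("dest")),
    }


def is_parseable(rule, allow_hyphen_in_labels=True):
    """True if the rule is accepted; a rejected rule means the profile is skipped."""
    try:
        parse_mount_rule(rule, allow_hyphen_in_labels)
        return True
    except ValueError:
        return False


def normalize_mount_rule(parsed):
    """Apply the apparmor_parser semantics quoted in bug 2065685: with a
    propagation option a lone source is really the destination, and setting
    both source and destination is an error."""
    if not PROPAGATION_OPTS.intersection(parsed["options"]):
        return dict(parsed)
    src, dst = parsed["source"], parsed["dest"]
    if src and dst:
        raise ValueError("propagation mount rules cannot set both source and destination")
    out = dict(parsed)
    out["source"], out["dest"] = None, dst or src
    return out


def rules_equivalent(rule_a, rule_b):
    """True when two rules mean the same thing after normalisation."""
    return (normalize_mount_rule(parse_mount_rule(rule_a))
            == normalize_mount_rule(parse_mount_rule(rule_b)))


if __name__ == "__main__":
    # The rule from the fusermount3 report, run through both tokenisers.
    fuse = "mount fstype=fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/,"
    print("old regex:", is_parseable(fuse, allow_hyphen_in_labels=False))
    print("new regex:", parse_mount_rule(fuse))
    # The passt rule and its fix from bug 2065685 are the same rule.
    print(rules_equivalent("mount options=(rw, runbindable) /,",
                           "mount options=(rw, runbindable) -> /,"))
```

`is_parseable` is the decision aa-notify makes before skipping a profile; a false negative there means a real profile silently drops out of the tools' view, so the tokeniser's character class is security relevant even though the kernel policy itself is unaffected.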
[Bug 2099811] Re: Os-prober segmentation fault one message for each partition on same PC
The profile below should fix this issue on Plucky. You can copy this file to /etc/apparmor.d/os-prober and load it with

sudo apparmor_parser -r /etc/apparmor.d/os-prober

If you face any issue with this profile don't hesitate to give feedback.

```
#--
#Copyright (C) 2025 Canonical Ltd.
#
#Author: Maxime Bélair
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of version 2 of the GNU General Public
#License published by the Free Software Foundation.
#--
# vim: ft=apparmor

abi ,

include

profile os-prober /usr/bin/os-prober flags=(attach_disconnected) {
  include

  capability dac_override dac_read_search sys_admin sys_module sys_rawio,

  mount options=(rprivate, rw),
  mount options=(rw, nosuid, nodev),
  umount,

  mqueue getattr,

  # os-prober uses a lot of dependencies (dash, find, grep, head, kmod, ...)
  # We allow everything in /usr/bin to avoid breakages on dependency updates
  file /usr/bin/** ix,
  file /usr/lib/os-probes/** ix,
  file /usr/sbin/blkid ix,
  file /usr/sbin/lvm ix,
  file /usr/sbin/grub-probe ix,

  # os-prober may read the whole filesystem
  file /{,**} r,

  file /dev/fuse w,
  file /dev/mapper/control w,
  file /run/blkid/blkid.* wl,
  file /run/lock/lvm/* wk,
  file /run/lvm/hints wk,
  file /run/blkid/blkid.* wl,
  file /tmp/os-prober.*/{,**} w,
  file /var/lib/os-prober/mount/ w,
  file /var/lib/os-prober/labels wl,

  userns,
}
```

--
https://bugs.launchpad.net/bugs/2099811
[Bug 2099811] Re: Os-prober segmentation fault one message for each partition on same PC
Indeed, a profile for linux-boot-prober is also needed. Find it below. Again, if you face any issue with these two profiles don't hesitate to give feedback.

```
#--
# Copyright (C) 2025 Canonical Ltd.
#
# Author: Maxime Bélair
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#--
# vim: ft=apparmor

abi ,

include

profile linux-boot-prober /usr/bin/linux-boot-prober flags=(attach_disconnected) {
  include

  capability dac_read_search sys_admin,

  mount options=(rprivate, rw) -> /,
  mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,
  umount,

  # linux-boot-prober uses a lot of dependencies: we allow everything
  # in /usr/bin to avoid breakages on dependency updates
  file /usr/bin/* ix,
  file /usr/lib/linux-boot-probes/** ix,
  file /usr/sbin/grub-probe ix,
  file /usr/sbin/blkid ix,

  file /dev/fuse w,
  file /dev/mapper/control w,
  file /mounted-map w,
  file /tmp/os-prober.*/{,*} w,
  file /var/lib/os-prober/mount/ w,

  # linux-boot-prober may read the whole filesystem
  file /{,**} r,
}
```

--
https://bugs.launchpad.net/bugs/2099811
[Bug 2102694] Re: dangerous "sanitized_helper" contains /** rwkl,
The sanitized_helper profile is designed to be as generic as possible to make it work with most binaries when a more restrictive profile is unavailable. As you pointed out, this approach raises several concerns:

- The security level of this profile is only slightly above unconfined, which can undermine the security level of profiles using it.
- This profile can give a false sense of security.
- In most cases, a more restrictive profile could be applied without breakage.

To address these concerns, we can either:

(1) Create variants of this profile tailored for different scenarios.
(2) Stack this profile with a more restrictive one when possible.
(3) Retain the profile as-is, using it only as a last resort.

IMO, the first option is the most practical short-term solution, as it could reduce risks with only a limited effort. For instance, slightly more restricted variants could include:

- Slightly more restrictive file rules (include )
- Deny writes on known executable locations (e.g. /{,usr/,usr/local/}{sbin,bin}/*)
- Denying network access when not needed by not using "network inet,"

Obviously, these rules cannot work for all helpers, thus using these variants would require testing in order to avoid breakages, but I guess that could be a first step. Additionally, when a profile exists specifically for a binary (evince, firefox, ...), we should use it directly and not rely on this generic profile (or stack both)?

The long term solution remains to create tight profiles for all known binaries, but we are definitely not there yet.

--
https://bugs.launchpad.net/bugs/2102694
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
This issue is fixed by 1f33fc9b29c174698fdf0116a4a9f50680ec4fdb, however it is not included in the 4.0 branch used by noble. Oracular and Plucky are not affected by this bug.

To fix that locally, you can either:

- Replace `mount "" -> "/tmp/",` by `mount -> "/tmp/",` (and similarly for other empty mount sources), as pointed out by @jyrg.
- Use a more recent version of AppArmor that includes this commit (or cherry-pick it).

@jjohansen Do you think it is worth applying a fix for this in noble?

--
https://bugs.launchpad.net/bugs/2065685
[Bug 2103524] Re: lsblk apparmor profile denies block device lookup on Azure
Thank you for reporting this bug. Indeed, we must give access to `/sys/devices/LNXSYSTM:*/LNXSYBUS:*/**` to lsblk. This should be fixed upstream by https://gitlab.com/apparmor/apparmor/-/merge_requests/1584

--
https://bugs.launchpad.net/bugs/2103524
[Bug 2067900] Re: apparmor unconfined profile blocks pivot_root
Verification completed on oracular kernel linux-intel/6.11.0-1008.8

# lxc launch ubuntu:24.10 test -c security.nesting=true
Launching test
# lxc exec test bash
Linux test 6.11.0-1008-intel #8 SMP PREEMPT_DYNAMIC Wed Mar 19 16:31:19 CET 2025 x86_64 x86_64 x86_64 GNU/Linux
root@test:~# apt update; apt install -y docker.io
[...]
root@test:~# docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

** Tags removed: verification-needed-oracular-linux-intel
** Tags added: verification-done-oracular-linux-intel

--
https://bugs.launchpad.net/bugs/2067900
[Bug 2067900] Re: apparmor unconfined profile blocks pivot_root
Verified that the patch was applied to branch linux-nvidia-tegra/6.8.0-1004.4

** Tags removed: verification-needed-noble-linux-nvidia-tegra
** Tags added: verification-done-noble-linux-nvidia-tegra

--
https://bugs.launchpad.net/bugs/2067900
[Bug 2095370] Re: AppArmor early policy load not functioning
Verified that the patch was applied to branch linux-nvidia-tegra/6.8.0-1004.4

** Tags removed: verification-needed-noble-linux-nvidia-tegra
** Tags added: verification-done-noble-linux-nvidia-tegra

--
https://bugs.launchpad.net/bugs/2095370