It not so much that apparmor doesn't like spaces as the audit subsystem
doesn't, and since apparmor uses that to do its auditing ...
But you are correct that profiles names shouldn't contain spaces because
of this. The profile name will get updated to probably MongoDB_Compass
--
You received thi
reading how booting into Windows fixes the issue, my initial gut
instinct is that it's a driver issue. Searching around led me:
https://github.com/thiagotei/linux-realtek-alc287/tree/main/lenovo-
legion
and eventually
https://bugzilla.kernel.org/show_bug.cgi?id=208555#c294
which seems to point
Public bug reported:
Following public spec here:
https://discourse.ubuntu.com/t/ubuntu-server-seed-changes-
for-25-10/61552
Update the Ubuntu server seeds with the following:
* move `screen` to a supported seed. no longer in meta
* drop `byobu` to universe, removing from all seeds
* cloud-guest
*** This bug is a duplicate of bug 2102680 ***
https://bugs.launchpad.net/bugs/2102680
** This bug has been marked a duplicate of bug 2102680
Installation of AppArmor on a 6.14 kernel produces error message "Illegal
number: yes"
--
You received this bug notification because you are a mem
This looks to be caused by incus using change_profile to change
confinement. AppArmor is allowing this but only to a point creating a
stack of the incus policy and unconfined. We will need to investigate
the specifics of exactly what is going on here. But in the mean time you
should be able to work
** Also affects: apparmor/3.1
Importance: Undecided
Status: New
** Also affects: apparmor/master
Importance: Undecided
Status: New
** Also affects: apparmor/2.12
Importance: Undecided
Status: New
** Also affects: apparmor/4.0.3
Importance: Undecided
Status
On 4/3/25 06:52, r.fabb...@gmail.com wrote:
> Installed apparmor-utils package and aa-complain is ok now.
> But i never did editing in apparmor.d files before yesterday, and on 24.04
> lsusb was not complaining.
> After upgrading to 25.04 it started the problem.
> So really strange to have a .save
I have done further investigation and have since found out that the problem is
not with Firefox. I have solved the issue by stopping systemd-oom service and
purging its package.
Further it is alleged that there is no point in having that service in that the
Linux kernel performs its function.
@r-fabbeni
if you have done local edits on the profile file dpkg/apt when they
install a new version will move your locally edited version to .save
when it installs the new version. I would assume the addition of
flags=(complain) was a local addition, possibly done with aa-complain.
as for the aa
Is gnome papers looking for a smart key or similar device, the tpm?
Giving it full access to the /sys/devices/ tree is certainly more than
it needs.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://
this looks like at a minimum the apparmor profile needs to be updated.
This needs to be done before any other kernel work. Adding an apparmor
task
lsblk trace shows
openat(AT_FDCWD, "/sys/block/sr0/hidden", O_RDONLY|O_CLOEXEC) = -1 EACCES
(Permission denied)
openat(AT_FDCWD, "/sys/block/sr0/dev
I suggest that you look at my message of 25/02/2025.
Also, when I stop the systemd-oomd service and purge its package, there is no
longer any memory leak.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
htt
Nick,
I'm not impressed by your attitude. I have provided logs etc.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2097016
Title:
systemd-oomd package causes iconstant inc
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Status: New => In Progress
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (
This has been traced to the compatibility patches in the kernel, and
will need a kernel fix.
** Changed in: linux (Ubuntu Plucky)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which
^^^
AssertionError: 1 != 0 : Got exit code 0, expected 1
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: apparmor (Ubuntu Plucky)
Imp
The plan is to attempt another SRU bwrap-userns-restrict along with a
few other profiles that are needed. The previous attempt was reverted,
there ave been several revisions, and we are getting ready to try it
again.
--
You received this bug notification because you are a member of Ubuntu
Touch s
The sanitized_helper is an escape hatch, and is only slightly better
than using ux directly within the profile. It exists because Ubuntu
doesn't carry a complete policy yet (a lot of the system is unconfined),
and because environment variable sanitization either breaks the child
application being p
@paride: RE: aa-notify
aa-notify does not require the desktop-security-center snap. The
desktop-security-center snap is required for permissions prompting which
is a different feature, that is only available to snaps atm*.
aa-notify is after the fact updating of the profile similar to using aa-
l
the denials I am seeing in the grub.cfg show linux-boot-probe is now the
failing command. Like os-prober, linux-boot-prober is using unshare to
create a user namespace and getting transitioned into the
unprivileged_unshare profile stack.
--
You received this bug notification because you are a mem
** Also affects: apparmor (Ubuntu Plucky)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2100745
Title:
Fix apparmor tools par
assigned and added `todo` for triaging and deciding on next steps.
** Changed in: netplan.io (Ubuntu)
Assignee: (unassigned) => Lukas Märdian (slyon)
** Tags removed: server-triage-discuss
** Tags added: server-todo
--
You received this bug notification because you are a member of Ubuntu
T
** Also affects: apparmor (Ubuntu Plucky)
Importance: Undecided
Status: Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2100744
Title:
Fix parse fai
also
deny / r,
to silence the denial there seems appropriate
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2101180
Title:
Multiple DENIED apparmor messages when using
So I think its not unreasonable to add
/var/ r,
/var/log/ r,
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2101180
Title:
Multiple DENIED apparmor messages when using rs
Public bug reported:
My Ubuntu screensaver does not blank the screen, ie, it does not turn
off the backlights on my monitor.
I dual boot, and my Win10 install does it with no problems, so it's not
a hardware thing.
What happens is after a period of inactivity, Ubuntu will put up the
lock screen
@aleasto, no they aren't desktop applications. That doesn't mean access
to keys in a users directory can't be routed to the affected user as a
permission request (at least in a desktop environment).
Nor does it mean that the gui interface for network manager, can't act
as at a privilege layer for
atm It looks that way, there certainly should be some though
comment #4's
@{HOME}/.cert/nm-openvpn/* r,
seems reasonable. We will have to look into others
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
Public bug reported:
The fix for lp2100295 caused the python based aa-* tools to crash on any
and all policy due to a parsing error.
This bug tracks the fix for the parsing bug in the aa-* tools that
caused the aa-tools to crash. Which is tracked in upstream MR
https://gitlab.com/apparmor/apparmo
Right, once the reason for the use of the mount namespace was understood
it was clear that it is needed. The current proposed fix is to not
disable mount namespaces but create a more limited proper profile. This
is now being worked on and will hopefully be ready soon.
--
You received this bug not
So the problem with Alex's fix is that it makes a default allow profile
available on the default install. Which is a security hole unless the
apparmor_restrict_unprivileged_unconfined restriction is enabled, by
default.
We tolerate the sbuild profile because it is not installed by default,
and it
The fix for the parse bug, triggered by the fix for the lp2100295 is tracked by
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2100745
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.l
Public bug reported:
The fix for https://bugs.launchpad.net/bugs/2100295 resulted in mount
rules in fusermount3 that caused all python aa-* tools to crash because
parsing of the new fusermount3 profile rules failed.
The this blocked merge of the fix for the fusermount3 profile in upstream
https:/
Currently there isn't a good way to set the flags on a profile without
editing the local copy. There is an overlay mechanism coming, but it has
not landed yet. There is also another mechanism for dealing with
disconnected object coming. But until these extensions land there is a
way to do local pro
@xypron:
policy can be shipped as part of the package, or part of the system
policy. Atm unless there is a good reason, or an active package
maintainer who wants to maintain the policy, profiles are being shipped
as part of system policy, in the apparmor package.
--
You received this bug notific
So there is a tension here between users and security. There is no
perfect solution. Allowing openvpn full access to all the users files
has security implications, denying access has usability implications.
As unsatisfying as it is we are working towards a long term solution,
but are not there yet
temporary fix
sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns
or to make it persist after reboot
sudo aa-disable /etc/apparmor.d/unprivileged_userns
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubu
The first denial I am seeing is for netlink. So
network (create) netlink raw,
I am assuming once it is allowed creation of the netlink socket their
will be addition permissions needed.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is sub
possible skip for now, as delta is package cleaning.
** Changed in: bridge-utils (Ubuntu Plucky)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bridge-utils in Ubuntu.
https://bugs.launchpad.
I have a feeling that this memory problem is caused by Firefox because when I
close Firefox , wait a minute and start Firefox again, the memory reduces to
normal. Under what package should I report this using ubuntu-bug as reporting
it as the firefox package says that the firefox package is not
So what do I do?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2097016
Title:
systemd-oomd package causes iconstant increase in memory usage
Status in systemd package in
john@Desktop:~$ journalctl -u systemd-oomd.service -b
-- No entries --
ops command output:
john@Desktop:~$ ps aux --sort -%mem | head -n 10
USER PID %CPU %MEMVSZ RSS TTY STAT START TIME COMMAND
john7698 0.3 4.8 12766736 770840 ? Sl Jan31 16:25
/snap/firefox
Here is log after task managaer showed it as RAM usage of 11GB. It
increased in a few minutes from resinstalling systemd-oomd.
I've alraedy given you the same for before the reinstall.
What else do you need?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded p
john@Desktop:~$ journalctl -u systemd-oomd.service -b
-- No entries --
As I said before after I uninstall systemd-oomd, there is no memory
problem.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https
Please tell me which log (s) you require.
Memory Usage (after systemd-oomd removed_ shown in attached Task manager
screenshot.
Memory usage (before systemd-oomd removed) I don't have and I don't really want
to reinstall systemd-oomd just to show the memory usage increasing.
Also, memory usage bef
Public bug reported:
The memory usage was constantly increasing (starting at approx 6GB and rising
to at least 15GB and eventually the OS hung, my guess it being that it ran out
of RAM even though I was doing nothing except refreshing Firefox tabs. I'm
running Noble (upgraded from 2022 LTS) on
In my testing this does work with the bwrap profile that is in the beta
and will land soon.
You can try it yourself by downloading
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/bwrap-
userns-restrict?ref_type=heads
and then running the command
$ apparmor_pa
** Tags removed: server-triage-discuss
** Tags added: server-todo
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python3-defaults in
Ubuntu.
https://bugs.launchpad.net/bugs/2095584
Title:
open-iscsi: ubuntu-only test needs
There will be a new bwrap profile landing in plucky soon that should
hopefully fix most cases. The use case it doesn't fix is the exe being
launched by bwrap requiring capabilities in the unprivileged user
namespace.
--
You received this bug notification because you are a member of Ubuntu
Touch s
** Tags added: server-triage-discuss
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python3-defaults in
Ubuntu.
https://bugs.launchpad.net/bugs/2095600
Title:
squid: autopkgtest failure with Python 3.13
Status in python3-
** Tags added: server-triage-discuss
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python3-defaults in
Ubuntu.
https://bugs.launchpad.net/bugs/2095584
Title:
open-iscsi: ubuntu-only test needs update for Python 3.13
Stat
Canonical produced cloud-images, by default, do not boot with an initrd,
and this is true on Azure as well. the hang occurs late in the startup,
post-cloud-init configuring networking. there are also a bunch of kernel
workers blocked for > 120 seconds, which points to something other than
this pack
Public bug reported:
Profile cache files in /etc/apparmor/earlypolicy/ should be loaded by
systemd during early boot to enable full system confinement. Systemd
should load the cache and try to enter confinement as documented in
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd
Howe
Public bug reported:
$ sudo apt update
Hit:1 http://ddebs.ubuntu.com noble InRelease
...
Fetched 48.8 kB in 2s (26.5 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
7 packages can be upgraded. Run 'apt list --upgradable' to see them.
$ sudo a
There are three approaches:
1. Users will be able to use a GUI notification/pop-up to do this. A
version of this is currently available in 24.10, it has been revised and
a new iteration will soon land in 25.04, the plan is to SRU this back to
24.04 (23.10 is already out of support).
A demo vide
On 11/16/24 06:42, Sam wrote:
> I was wondering about the threats being mitigated by disabling
> unprivileged userns like this. After some searching, I was able to find
> this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-
> namespace-restrictions-via-apparmor-in-ubuntu-23-10/376
On 12/14/24 01:29, hifron wrote:
> Electron apps could be made without sandbox usage - this could be setup
> as compile options or electron settings, but it is not so good idea...
> maybe temporarily as in between maybe, maybe not...
>
> but todays there is reality that prompting-client could be i
i am not totally sure but i think it is related to linux modules or
bluez
** Package changed: ubuntu => bluez (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/2089765
conditionally dependent rule, such
that when a specific file is allowed the matching pattern is
automatically allowed.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee
)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Noble)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Also affects: linux (Ubuntu)
Importance
If you want you can test the attached profile. It will allow bwrap to work in
most situations. There are a few places Where it will still cause failures
1. if the child that bwrao launches requires privilege in the unprivileged user
namespace.
2. if the child profile has issues due to no-new-priv
I had this happen to me as well as the original poster. I also disabled
socket authentication using the steps from the thread attached by the
original poster to get access to the server again via SSH. Here is the
unattended-upgrades log:
Log started: 2024-11-09 06:52:08
Preconfiguring packages ..
From the kernlog.txt
I see
1497 lines
1280 lines with AppArmor denials
1278 lines with denials to snap profiles
939 lines with denials to /dev/char
937 lines with denials to /dev/char/195
I don't have enough info to positively say this is the nvidia graphics
card, but from other bits of info th
@xmedeko The handling of spaces has nothing to do with the user
namespace restriction that this bug, and the upstream git hub issue are
tracking.
can you attach any additional information. kernel logs etc.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded pack
This doesn't seem consistent, but it might be a problem with just some
flatpak and/or snap and/or deb packages. (This comes from a similar bug
2041008)
- gedit (the old Gnome editor) as flatpak lacks Guillemets
- gedit (the old Gnome editor) as deb has Guillemets
- Text Editor (the new Gnome edit
As the table in [Wikipedia: Quotation
mark](https://en.wikipedia.org/wiki/Quotation_mark) shows, there are a
lot of languages that use Guillemets, and thus could have this annoying
feature (or bug). I have changed the title.
Nice catch that it still works under LibreOffice! I don't use those apps
** Summary changed:
- Missing characters on Norwegian keyboard under Wayland
+ Missing characters on keyboard under Wayland
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wayland in Ubuntu.
https://bugs.launchpad.net/bugs/20
@Andrew: Simon is correct. This update deliberately had an unusual roll-
out where it went to updates first so that it could be phased, and we
could roll back if the phasing showed a problem.
The security pocket was not updated specifically to provide a users a
way to easily revert the update.
As
Public bug reported:
Hello,
I've tried Ubuntu 22.04 and now 24.04. Unfortunately the 5.1 sound can
be chosen, but does not work.
I've also used pavucontrol and tried other solutions to fix it. Issue
remains the same. Even the test only gives an audio output for the two
audio channels (left/right
This SRU should land soon. It is up to the release team to decide when
it will be released. There are a couple reason this is baking longer (28
days) than the minimum 7 days. In -proposed is a previous iteration
caused a regression and had to be reverted. The 24.04.1 release happened
recently and t
adding cloud-images. if multiple artifacts are generated, the CPC
pipeline will need to ensure that we download and transport all the
livefs-build artifacts.
** Also affects: cloud-images
Importance: Undecided
Status: New
--
You received this bug notification because you are a member o
*** This bug is a duplicate of bug 2064849 ***
https://bugs.launchpad.net/bugs/2064849
Ubuntu can not ship an unconfined bwrap profile, doing so allows a
trivial by-pass of the unprivileged user namespace restrictions.
An alternative profile for bwrap is provided by the apparmor-profiles
pack
*** This bug is a duplicate of bug 1795649 ***
https://bugs.launchpad.net/bugs/1795649
@Mingun: I have replied in
https://bugs.launchpad.net/evince/+bug/1795649
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in
This is fixed in 4.0.2 and should be part of the next SRU
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2
Disabling the user namespace restriction is certainly one possible
direction, and would be the easiest for Noble.
The other possible route is using aa-notify, which now has the ability
to produce a prompt for the user. An example gif can be seen at
https://gitlab.com/-/project/4484878/uploads/ea5f
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
peer=unconfined in most cases is not meant to be any. It is just that
the policy could not distinguish between the different unconfined
processes.
Confined processes were still being blocked by the peer=unconfined rule.
--
You received this bug notification because you are a member of Ubuntu
Tou
So I have some questions about the snap run under the wpa_client case.
Is this trace repeatable? This one is odd to me in a couple of ways like
we are getting a timeout without every doing a select/poll/... so either
it is somehow missing from the trace or its being done by interrupt.
The trace s
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.
Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The
@richard-purdie-1:
I can completely agree that its sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.
Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the use
blech, sorry, misclicks trying to get things added properly
marking as affects cloud-images as producers of the lxd images.
** Also affects: systemd
Importance: Undecided
Status: New
** No longer affects: systemd
** Also affects: cloud-images
Importance: Undecided
Status: Ne
@u-dal:
thankyou, though I have to say I am at a loss as to why the snap version
of thunderbird is trying to access
```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```
what kind of configuration have you done? I s
So my supposition on the overlay looks to be incorrect. Would you being
willing to attach your full mount information?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2064363
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
App
@u-dal:
can you attach the overlay mount information.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap on live systems "already running" bu
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
http
Public bug reported:
Moving this here from
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
snap policy on an overlay system is preventing thunderbird from running.
This is related to the snapcraft form report
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-
bu
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
http
@u-dal:
the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials
```
sudo dmesg | grep DENIED
```
--
You received this bug notifi
@u-dal:
are you running in a live cd environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subsc
@u-dal:
This sounds like the apparmor policy is not being loaded can you please
provide the output of
```
sudo aa-status
```
and
```
sudo systemctl status apparmor
```
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparm
> To clarify, this is not something that can be solved upstream in
apparmor, and a profile can't be accepted due to the nature of the path
location?
correct, if it is a unprivileged user writable location it can't be
fixed entirely upstream. It is possible for us to ship a profile that is
disabled
running privileged applications out of home is dirty. But it is the
situation we are in with user namespaces and app images as well. Ubuntu
will not ship a profile for a privileged executable in the users home or
a writable location of an unprivileged user. As this can be leveraged to
by-pass the r
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the
behavior of unprivileged user namespace mediation.
With the unprivileged_userns profile loaded, when a user namespace is
created by an unprivileged unconfined application the task will be
transitioned into the unprivileged_userns pr
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial
The appimage version of Belena Etcher unfortunately fails to run. We can not
provide a default profile for the ap
The Wike fix is coming in the next SRU.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many application
1 - 100 of 1070 matches
Mail list logo
