A slightly revised version of this kernel should be showing up in the
Ubuntu unstable kernel builds this week.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2051454
Title:
We have found that allowing the user namespace creation, and then
denying capabilities is in general handled much better by KDE. In the
case of the plasmashell and the browser widget denying the creation of
the user namespace would cause a crash with a SIGTRAP backtrace, where
allowing the creati
Note: snap now vendors apparmor so reinstalling/removing the system
apparmor package will not affect snapd's use of apparmor.
You can temporarily (for the boot) disable apparmor in the grub command
line by adding apparmor=0 to the kernel parameters.
From the logs the following adjustments need t
Public bug reported:
When a prompt rule that specifies an exec transition. The transition is
not handled correctly in several cases. Resulting in denials even if the
prompt is allowed.
When prompting is triggered by the prompt flag, the behavior depends if
an exec rule is matched (behavior become
Public bug reported:
Currently the prompting interface does not allow userspace to specify
the execmode to use, even if there is no matching exec rule in policy
(case caused by prompt flag).
Nor does it allow specifying the target profile (needed for certain exec
modes).
It also does not allow o
So the answer is it depends on how they are using unprivileged user
namespaces and how they react to them being denied, not every
application needs to be patched separately.
Generally speaking gnome has been better tested than KDE had because
gnome being the Ubuntu default saw a lot more opt in testi
One more addition, the current state of how unconfined deals with
unprivileged user namespaces is a temporary limitation. The
aforementioned improvement will allow for more customization at the policy
level. The current fixed behavior will be the default.
--
responding to @intrigeri (sorry this got lost somehow).
tldr: yes we are basically on the same page.
AppArmor does not fit into the 1400 range formats, every one of our
messages have some custom fields. Some of them could be
reformatted/reworked to share more, but we would still need custom
field
Erich,
yes the archive version is based on the ppa, with a couple small fixes
in the packaging. The ppa is going to get updated based on the new archive
version + a few more patches.
Do you have some higher priority electron apps that you can point us at?
We will look into the Visual Studio and Eleme
So appimages are interesting. They don't all need a profile. I have run
several that are not using user namespaces, or only need to be able to
create the user namespace and don't need capabilities so the default
unprivileged_userns profile works for them.
It is applications that need privileges with
** Changed in: steam (Ubuntu)
Status: Confirmed => Fix Committed
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation res
Changed apparmor task to invalid as lightdm is broken with apparmor
disabled (apparmor=0). We can change status if apparmor is a problem
after the current lightdm issue is fixed.
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
--
This is part of the alpha4 release in noble
** Changed in: kdeplasma-addons (Ubuntu)
Status: Confirmed => Fix Released
--
https://bugs.launchpad.net/bugs
This is part of the apparmor alpha4 release in noble
** Changed in: plasma-desktop (Ubuntu)
Status: Confirmed => Fix Released
--
https://bugs.launchpad.
@scarlet I think it is fair to mark these as Fixed released as they are
part of apparmor-alpha4 that is in noble.
--
https://bugs.launchpad.net/bugs/2046844
Tit
Captured output of QRT test run on updated noble using Linux
6.8.0-11-generic #11-Ubuntu kernel and 4.0.0~beta2-0ubuntu3
** Attachment added: "Captured output of QRT test run"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+attachment/5753923/+files/qrt.output
--
Public bug reported:
AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
landing pre feature freeze.
Landing AppArmor 4.0-beta's will enable us to more easily track upstream
bug fixes, and is needed to support network rules in prompting. The
addition of the prompting patch on
** Description changed:
AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
landing pre feature freeze.
Landing AppArmor 4.0-beta's will enable us to more easily track upstream
bug fixes, and is needed to support network rules in prompting. The
addition of the pro
The fix for vscode is currently in apparmor 4.0.0-beta2-0ubuntu3 pending
a Feature Freeze exception. If the feature freeze exception is not
granted then the fix will be moved to a bug patch on the current
apparmor 4.0.0-alpha4
Atm the fix is available via ppa https://launchpad.net/~apparmor-
dev/+
I won't promise we will get to fixing PHPStorm or Jetbrains before
release, but without a bug they certainly won't get fixed, so yes it is
worth filing a bug for them.
--
This is now moving forward and should show up in proposed soon.
--
https://bugs.launchpad.net/bugs/2056517
Title:
VS Code profile still broken.
Status in app
@gvarouchas, you need to be more specific. There are a couple interrelated
issues in this bug. What is the exact Denial message you are getting? They will
look something like the denial messages in comment 5. You can find them using
sudo dmesg | grep DENIED
or
journalctl -g apparmor
--
Yes, will do. I added both references you provided to the upstream merge
commit and all fixes/closes references will be going into the changelog.
--
https://bugs.l
If you are admin of your system, you can manually replace snap profiles.
But there are some caveats in that snapd doesn't really want this. It
manages its profiles, dynamically regenerates and replaces them etc.
You are correct that the tooling doesn't work here. It expects the
abstractions to be
the rejects here are all from the snap.element-desktop.element-desktop
profile. We will need to dig into that profile's permissions. If it's
getting all the right paths correct then I suspect the peer_label match
might be the issue.
--
** Changed in: steam (Ubuntu)
Status: Fix Committed => Fix Released
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation
the plasmashell profile is necessary for it to work under unprivileged
user namespace restrictions.
--
https://bugs.launchpad.net/bugs/2056696
Title:
All Snap
@valeryan-24 "ModuleNotFoundError: No module named 'imp'" says that your
Gpodder issue is not related to this bug. You are missing a dependency
the 'imp' module. If Gpodder is packaged it will need to add that as
part of its install dependencies.
--
It solves several problems, but not all.
With regard to unprivileged user namespace mediation it should fix
- mscode
- nautilus
- devhelp
- element-desktop
- epiphany
- evolution
- keybase
- opam
the element-desktop is still known to have some issues, which are on the snapd
side. It need
@pitti: yes this is intended. At this stage we are essentially enumerating
the known users of unprivileged user namespaces. We can ship the profile
for you or you are welcome to ship it.
In the future this is going to gradually tighten, some of the
"unconfined" profiles will be developed into real pr
@guyster, @eldmannen+launchpad, @valeryan-24
Firefox dailies now have a work around, by detecting and disabling the
user namespace. The proper fix that should allow firefox to still use
the user namespace for its sandbox will land in Beta3, landing early
next week.
--
@eeickmeyer geary should be fixed in Beta3
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applicat
@sudipmuk loupe should be fixed in Beta3
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applicatio
I have tried freecad and unprivileged user namespace restrictions are
not the problem. freecad snap works, freecad ppa does not have a noble
build yet but the mantic build can be made to work.
freecad daily appimage: works
freecad appimage: stable fails with mesa or qt errors depending on how/wher
supercollider will work on current noble. Since it is using QTWebEngine
it has a graceful fallback when capabilities within the user namespace
are denied.
supercollider will have a profile and be fixed in Beta3, so it doesn't
even have to do the fallback.
--
** Changed in: loupe (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: geary (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: firefox (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
--
I have tested gnome-packagekit and it never triggers unprivileged user
namespace mediation. Can you please provide more information on how you
triggered it?
** Changed in: gnome-packagekit (Ubuntu)
Status: Confirmed => Incomplete
--
we will be fixed in Beta3
** Changed in: gnome-packagekit (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
https://bugs.launchpad.net/b
Will be fixed in Beta3
** Changed in: goldendict-webengine (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
https://bugs.launchpad.net/b
sorry this won't be fixed in Beta3 that note was for goldendict
** Changed in: gnome-packagekit (Ubuntu)
Assignee: John Johansen (jjohansen) => (unassigned)
--
this will be fixed in Beta
** Changed in: kchmviewer (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: rssguard (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: supercollider (Ubuntu)
Assignee: (unassigned) => John
hi @vvaleryan-24,
I have been able to replicate the crash you are seeing but it is not due
to the user namespace restriction. The restrictions logging does not
happen, and I can put it in an unconfined profile and it still doesn't
help. From dmesg I find the following segfault
[79854.520976] gpk-a
@kc2bez:
there are no updated deb packages in the ppa for kiwix.
the kiwix appimage worked for me.
kiwix flatpak worked for me.
I am not sure what you were seeing. But we are going to need more
information.
** Changed in: kiwix (Ubuntu)
Status: Confirmed => Incomplete
--
@kc2bez: notepadqq should be fixed in beta3
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applica
@kc2bez: pageedit should be fixed in beta3
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applicat
@kc2bez: I have been able to verify that privacybrowser is not working.
However it is not due to the apparmor user namespace restrictions.
I get the following segfault out of dmesg
[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc sp
7ffd5c6587e0 error 4 in libQt5Core.so.
@kc2bez: qmapshack should be fixed in beta3
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applica
@arraybolt3: qutebrowser should be fixed in beta3
** Changed in: qutebrowser (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: qmapshack (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: notepadqq (Ubuntu)
Assignee: (unas
@ajg-charlbury: yes, firefox we are well aware of the problem, the
firefox profile has been tweaked for beta3 (landing this week) so that
it should work with the new deb.
--
@ajg-charlbury: no apparmor beta3 has not landed in proposed yet, we are
working on the upload now. firefox separately have added a bug fix that
will detect when the user namespace/capabilities are denied and fallback
without crashing but it disables the full sandbox.
the apparmor-beta3 fix should
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
https://bugs.launchpad.net/bugs/2058866
Title:
propo
Do we know if there is a difference in the kernel between the runs?
The 2.0.0.0~0ubuntu3 autopackage run log I was pointed at was on a
Linux 5.4.0-170-generic #188-Ubuntu
Do we know what kernel that 2.0.0-0ubuntu7 is failing on? There was a
change to when security checks were made in on the exe
So what I think is going on from a first pass look at this is that
We are seeing a change in kernel behavior around exec. The 6.8 has a
known change here, that doesn't normally trigger because unconfined is
delegating access into the profile. However in the lxd case, unconfined
can is not delegati
@coeur-noir:
Are you installing firefox to /opt/ as recommended or using it local in
your user account?
as for bwrap, maybe it is known to be problematic. It is allowed to run and to
create a user namespace but it is denied all capabilities within the namespace.
Can you run
sudo dmesg | grep
We have an update of the firefox profile coming that supports the
/opt/firefox/firefox location used as the default install for the
firefox downloaded directly from mozilla.org
If you are running firefox out of your home directory, that will not be
directly supported and you will need to choose to
Public bug reported:
2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400
audit(1711512628.920:155): apparmor="DENIED" operation="bind"
class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix"
sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind"
Fixed by MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
--
https://bugs.launchpad.net/bugs/2060100
Title:
denials from sshd in noble
Status in
It is in the SRU queue and the current ETA is April 15 to land in the
proposed pocket (archive proposed not security proposed ppa), there is a
caveat that the recent xz backdoor has caused some "fun" on the archive
side and could potentially cause some delays.
--
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.
The potential solution I mention is co
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined
profile, as that allows for an arbitrary by-pass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions but at th
The fix has been merged upstream in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1209
it will be in the next release.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
-
There are vague plans, yes. The time line of it has not been scoped, but
it would be something akin to what happens on macos when you try to run
a downloaded application for the first time and you have to go into
their security config to allow it.
The application will still be "confined" but it ma
More applications will be getting confinement, on an individual level I
don't think it will be everything from debs. In this case it's because it
uses unprivileged user namespaces. Which is now being restricted and
treated as a semi-privileged because it gives access to several
privileged kernel int
This is likely a dup of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851
--
https://bugs.launchpad.net/bugs/2061869
Title:
Snaps unable to connect
the kernel team is already rolling kernels with the fix for 2061851 but
it is also building in https://launchpad.net/~apparmor-
dev/+archive/ubuntu/apparmor-devel ppa
--
unfortunately Joplin is only shipped as an appimage for Linux. Which
means we can not ship a profile for it by default that will allow it to
use capabilities within the unprivileged user namespace that the
electron embedded browser is attempting to use.
This means that the user is required to inte
I will note that current snap behavior is by design. Not saying that
they couldn't make this easier but the snap side is functioning the way
it was designed.
--
h
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to
signal (receive) peer={runc,unconfined},
or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent,
It's not just that app images don't have a default path, we can handle
that as well. It is that user namespaces have become a privileged
operation, and the user must take some privileged action to allow
applications to use them.
That can be any of
- moving the application into a well known privileg
The Wike fix is coming in the next SRU.
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many application
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial
The appimage version of Balena Etcher unfortunately fails to run. We can not
provide a default profile for the ap
@rikka0w0 are you willing to test a kernel patch for this issue?
--
https://bugs.launchpad.net/bugs/1784499
Title:
AppArmor treats regular NFS file access as
within the profile block, eg.
profile redshift {
or something similar, add the following rules
dbus send bus="system" path="/org/freedesktop/DBus"
interface="org.freedesktop.DBus"
member="{GetNameOwner,StartServiceByName,AddMatch}",
dbus send bus="system" path="/org/fr
Ah! The rule
```
audit dbus bus=system,
```
is the problem. It is tagging every dbus match to be audited. You can
drop that rule entirely, and just add dbus allow rules as needed, like
the first 3 rules. Or you could allow all dbus system bus accesses by
dropping the ```audit``` keyword, in whic
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the
behavior of unprivileged user namespace mediation.
With the unprivileged_userns profile loaded, when a user namespace is
created by an unprivileged unconfined application the task will be
transitioned into the unprivileged_userns pr
running privileged applications out of home is dirty. But it is the
situation we are in with user namespaces and app images as well. Ubuntu
will not ship a profile for a privileged executable in the user's home or
a writable location of an unprivileged user. As this can be leveraged to
by-pass the r
> To clarify, this is not something that can be solved upstream in
> apparmor, and a profile can't be accepted due to the nature of the path
> location?
correct, if it is an unprivileged user writable location it can't be
fixed entirely upstream. It is possible for us to ship a profile that is
disabled
@u-dal:
This sounds like the apparmor policy is not being loaded. Can you please
provide the output of
```
sudo aa-status
```
and
```
sudo systemctl status apparmor
```
--
@u-dal:
are you running in a live cd environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d
--
@u-dal:
the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials
```
sudo dmesg | grep DENIED
```
--
Public bug reported:
Moving this here from
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
snap policy on an overlay system is preventing thunderbird from running.
This is related to the snapcraft forum report
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-
bu
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt
--
http
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt
--
http
@u-dal:
can you attach the overlay mount information.
--
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap on live systems "already running" bu
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
--
https://bugs.launchpad.net/bugs/2046844
Title:
App
So my supposition on the overlay looks to be incorrect. Would you be
willing to attach your full mount information?
--
https://bugs.launchpad.net/bugs/2064363
@u-dal:
thank you, though I have to say I am at a loss as to why the snap version
of thunderbird is trying to access
```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```
what kind of configuration have you done? I s
@richard-purdie-1:
I can completely agree that it's sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.
Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the use
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.
Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The
So I have some questions about the snap run under the wpa_client case.
Is this trace repeatable? This one is odd to me in a couple of ways like
we are getting a timeout without ever doing a select/poll/... so either
it is somehow missing from the trace or it's being done by interrupt.
The trace s
peer=unconfined in most cases is not meant to be any. It is just that
the policy could not distinguish between the different unconfined
processes.
Confined processes were still being blocked by the peer=unconfined rule.
--
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be installed via
sudo apt install apparmor-notif
Disabling the user namespace restriction is certainly one possible
direction, and would be the easiest for Noble.
The other possible route is using aa-notify, which now has the ability
to produce a prompt for the user. An example gif can be seen at
https://gitlab.com/-/project/4484878/uploads/ea5f
This is fixed in 4.0.2 and should be part of the next SRU
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
https://bugs.launchpad.net/bugs/2
*** This bug is a duplicate of bug 1795649 ***
https://bugs.launchpad.net/bugs/1795649
@Mingun: I have replied in
https://bugs.launchpad.net/evince/+bug/1795649
--