This bug is fixed by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1345
** Changed in: apparmor
Assignee: (unassigned) => Maxime Bélair (mbelair)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor
dback.
```
#--
#Copyright (C) 2025 Canonical Ltd.
#
#Author: Maxime Bélair
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of version 2 of the GNU General Public
#License published by the Free Software Found
```
Indeed, a profile for linux-boot-prober is also needed. Find it below.
Again, if you face any issue with these two profiles don't hesitate to
give feedback.
```
#--
# Copyright (C) 2025 Canonical Ltd.
#
# Author: Maxime B
```
Public bug reported:
On Ubuntu Plucky, apparmor utils tools such as aa-notify, aa-logprof,
aa-cleanprof cannot parse fusermount3 profile.
$ aa-notify -p
skipping unparseable profile /etc/apparmor.d/fusermount3 (Can't parse
mount rule mount fstype=fuse options=(nosuid,nodev,rw) revokefs-fuse ->
/
** Tags removed: verification-needed-noble-linux
** Tags added: verification-done-noble-linux
https://bugs.launchpad.net/bugs/2067900
Title:
apparmor uncon
Verification completed on noble kernel 6.8.0-56.58:
$ lxc launch ubuntu:24.04 test -c security.nesting=true
Launching test
$ lxc exec test bash
root@test:~# uname -a
Linux test 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28
UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
root@
The sanitized_helper profile is designed to be as generic as possible to
make it work with most binaries when a more restrictive profile is
unavailable.
As you pointed out, this approach raises several concerns:
- The security level of this profile is only slightly above unconfined, which
can u
Verification completed on oracular kernel linux-intel/6.11.0-1008.8
# lxc launch ubuntu:24.10 test -c security.nesting=true
Launching test
# lxc exec test bash
Linux test 6.11.0-1008-intel #8 SMP PREEMPT_DYNAMIC Wed Mar 19 16:31:19 CET
2025 x86_64 x86_64 x86_64 GNU/Linux
root@test:~# apt update;
Thank you for reporting this bug.
Indeed, we must give access to `/sys/devices/LNXSYSTM:*/LNXSYBUS:*/**`
to lsblk.
This should be fixed upstream by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1584
Verification completed on oracular linux-intel/6.11.0-1008.8
user@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-1008-intel #8 SMP PREEMPT_DYNAMIC Wed Mar 19
16:31:19 CET 2025 x86_64 x86_64 x86_64 GNU/Linux
user@sec-oracular-amd64:~$ journalctl -b | grep systemd | grep -i apparmo
Verified that the patch was applied to branch
linux-nvidia-tegra/6.8.0-1004.4
** Tags removed: verification-needed-noble-linux-nvidia-tegra
** Tags added: verification-done-noble-linux-nvidia-tegra
The patch has been added today in the upstream repository and is
therefore not yet present in the current plucky release. Until the next
release, you can modify /etc/apparmor.d/lsblk like below
Replace `@{sys}/devices/LNXSYSTM:*/LNXSYBUS:*/** r,` by
`@{sys}/devices/**/host@{int}/** r,`
After relo
This issue should be fixed upstream by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1606.
https://bugs.launchpad.net/bugs/2092232
Title:
not able
This issue is fixed by 1f33fc9b29c174698fdf0116a4a9f50680ec4fdb, however
it is not included in the 4.0 branch used by noble. Oracular and Plucky
are not affected by this bug.
To fix that locally, you can either:
- Replace `mount "" -> "/tmp/",` by `mount -> "/tmp/",` (and similarly for
other em