** Patch added: "Patch of commit c86c87e8868c72e5ab2084b5bf783cd5ca800a9b
downloaded from GitLab"
https://bugs.launchpad.net/apparmor/+bug/2083435/+attachment/5823945/+files/c86c87e8868c72e5ab2084b5bf783cd5ca800a9b.patch
** Description changed:
Commit 3c825eb001d33bb6f2480c4f78df03aee4c403
Gitlab MR has been merged, with commit
c86c87e8868c72e5ab2084b5bf783cd5ca800a9b fixing the ABI break. Patch is
attached.
** Description changed:
Commit 3c825eb001d33bb6f2480c4f78df03aee4c40396 in the Gitlab upstream
adds a field called `execpath` to the `aa_log_record` struct. This field
wa
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Ryan Lee (rlee287)
** Changed in: apparmor (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in
** Tags added: oracular
--
https://bugs.launchpad.net/bugs/2083435
Title:
AppArmor 4.1.0-beta1 contains an ABI break for aa_log_record
Status in AppArmor:
While we're at it, John Johansen also decided to include this patch,
which fixes a critical bug in which the rule priority directives could
destroy permissions for some classes.
** Patch added: "Patch for commit 204c0c5a3a34ac2eb47b863aae20bace48e0ad3c
downloaded from Gitlab"
https://bugs.lau
After rechecking
https://git.launchpad.net/ubuntu/+source/apparmor/tree/debian/patches/ubuntu
Alex Murray found that this second patch in comment #4 was already
applied in the last upload of the apparmor package, so we don't have to
apply the patch again.
--
As noted in the original Debian bug, this issue is tracked upstream at
https://gitlab.com/apparmor/apparmor/-/issues/447.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #447
https://gitlab.com/apparmor/apparmor/-/issue
Public bug reported:
Sometimes, when booting into a Plucky VM (provisioned via virt-manager),
the login screen flickers constantly, rendering the GUI unusable.
Occasionally, the flickering pauses long enough for me to type in the
first few characters of my password, before the flickering starts ag
Seems like the new wpa_supplicant protocol will need rules allowing read
access to /sys/devices/pci*:*/*:*:*.*/ieee80211/phy*/** and to allow
dgram socket creation, but there may be other accesses we might have
missed that would be needed to unbreak the profile. For now, we'll
proceed by disabling
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Ryan Lee (rlee287)
--
This breakage is due to the latest AppArmor packaging enabling a
unshare-userns-restrict profile by default. In most cases, this allows
more usage of unshare than before (while limiting the attack surface
exposed by capabilities in unprivileged user namespaces), but sbuild is
one of the cases where
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Committed
--
https://bugs.launchpad.net/bugs/2098906
Title:
apparmor breaks sbuild with unsha
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Committed
--
https://bugs.launchpad.net/bugs/2098838
Title:
apparmor appears to deny wpasuppl
We'll be packaging up os-prober profiles in the main AppArmor package so
that they're installed by default and so that we can update them more
easily if necessary.
--
Does the imfile module still work correctly despite the denial logs, or
is it unable to perform monitoring as expected?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2101180
** Changed in: apparmor (Ubuntu)
Status: New => Fix Committed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Ryan Lee (rlee287)
--
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Committed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Ryan Lee (rlee287)
--
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
https://bugs.launchpad.net/bugs/2100295
Title:
Apparmor settings for fusermount3 break fla
For the record: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476184
has a rationale for why os-prober introduced mount namespaces in the
first place. If we remove the unsharing of the mount namespace, can we
also make sure that os-prober won't fall over if its unmount calls fail?
** Bug watch
Public bug reported:
The openvpn profile shipped in the AppArmor package in Plucky
(4.1.0~beta5-0ubuntu6 as of time of writing) does not allow access to
the ~/.cert/nm-openvpn, which is needed to allow OpenVPN to use
certificate files imported by NetworkManager. This was reported by
"@zorn-v" upst
** Changed in: apparmor
Status: New => Fix Released
** Changed in: apparmor (Ubuntu)
Status: Fix Committed => Fix Released
** Changed in: apparmor (Ubuntu Oracular)
Status: Fix Committed => Fix Released
--
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
https://bugs.launchpad.net/bugs/2101869
Title:
apparmor utils tools cannot parse fusermoun
Is that the only AppArmor log message being generated, or are there
more?
--
https://bugs.launchpad.net/bugs/2102033
Title:
remmina blocked by apparmor in Plu
Also, I see that you added remmina to LP: #2046844, but the log that you
pasted into the bug report above does not have anything to do with user
namespaces.
--
** Changed in: apparmor (Ubuntu)
Status: New => Fix Committed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Ryan Lee (rlee287)
--
Switching this to "Fix Released" now that the 0ubuntu5 release is out
that disables the profile - feel free to switch back if you're still
encountering issues even on that release.
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Released
--
Hi Heinrich,
Could you also confirm how you constructed the above AppArmor profile
for wpa_supplicant? Did you create it based on the broken wpa_supplicant
profile shipped in the earlier AppArmor package, or did you create it
some other way?
--
The broken profile located in /etc/apparmor.d/wpa_supplicant should have
been removed by the upgrade to 4.1.0~beta5-0ubuntu5. Was it still there
on your system after the upgrade?
--
*** This bug is a duplicate of bug 2101909 ***
https://bugs.launchpad.net/bugs/2101909
** This bug has been marked a duplicate of bug 2101909
AppArmor OpenVPN profile blocks access to NetworkManager-OpenVPN imported
certs
--
After a discussion with Alex Murray and John Johansen, we decided on the
following OpenVPN policy adjustments:
- allowing writes to files in the /etc/openvpn, and not just reads
- allowing reads to most of the home directories
- allowing writes to most of the home directories, with an owner restri
** Tags added: sec-5988
--
https://bugs.launchpad.net/bugs/2103524
Title:
lsblk apparmor profile denies block device lookup on Azure
Status in apparmor packa
Also found by LP: #2102680. Fixes are in Plucky but will need to be
backported to Noble and Oracular
--
https://bugs.launchpad.net/bugs/2105840
Title:
apparmo
** Summary changed:
- not able to deploy Plucky Puffin
+ unable to deploy Plucky Puffin due to AppArmor lsblk denials
--
https://bugs.launchpad.net/bugs/2092232
Public bug reported:
The default configuration of aa-notify does not have any filtering on
the notifications that it pops up, resulting in notifications that
suggest adding capabilities to unprivileged_userns, circumventing and
breaking the AppArmor userns restrictions. Since Plucky is very close
cided
Assignee: Ryan Lee (rlee287)
Status: New
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Ryan Lee (rlee287)
--
https://bugs.launchpad.
The profile fix will be added as a patch to the version packaged in
Plucky, and should be uploaded into the queue by my EOD tomorrow.
** Tags added: sec-6054
--
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor
Status: New => Invalid
** Changed in: apparmor (Ubuntu)
Status: New => Fix Released
--
Public bug reported:
As reported in https://gitlab.com/apparmor/apparmor/-/issues/493, the
child profile component of a profile name is not handled correctly by
aa-enforce, resulting in it being stripped.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Assignee: Ryan Lee (rlee287
Public bug reported:
As reported by https://gitlab.com/apparmor/apparmor/-/issues/302,
execution log ignore and inherit shared the same hotkey (i) in
aa-genprof and aa-logprof, so there is no way to ignore the execution.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: N
AIL
==
FAIL: test_sock_dgram (__main__.ApparmorUnixDomainConnect.test_sock_dgram)
Test mediation of file based SOCK_DGRAM connect
--
Traceback (most recent call last):
File "/home/ryan-lee/qrt-test-
The corresponding umount rule also needs to be fixed, but otherwise the
diff LGTM
** Tags added: sec-6014
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Ryan Lee (rlee287)
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
--
Both paths involved should be in the latest lsusb profile - can you
double check the AppArmor package version you have installed and also
include the contents of your /etc/apparmor.d/lsusb?
--
Can you please share 1) the version of the AppArmor package you now have
installed, 2) the contents of /etc/apparmor.d/remmina, and 3) the
AppArmor denial log from the syslog (which should have something like
"dbus-daemon[3722]: apparmor="DENIED"")?
--
** Tags added: sec-6112
--
https://bugs.launchpad.net/bugs/2106311
Title:
File picker does not work in browsers in Ubuntu 25.04 beta for SSSD
users
Status
Updating statuses (again) to reflect that there should no longer be an
active wpa_supplicant profile on Plucky, and to request that people
still running into issues attach the contents of their
/etc/apparmor.d/wpa_supplicant, which should no longer exist.
** Changed in: wpa (Ubuntu)
Status:
This affects me as well. Seemingly with each type of bluetooth device
I've connected. Sony SRS-X11 bluetooth speaker, my JBL Bluetooth speaker
(not sure on the model), and my SkullCandy Hesh 2 Wireless Headphones.
Restarting the devices multiple times appears to randomly fix it. Then I
just make s
46 matches