** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Status: New => In Progress
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (
Public bug reported:
When snapd crashes or restarts it closes its connection to the kernel
and the listener state, and all existing notifications are lost.
This is a problem for snapd as it means prompt information is lost,
causing failures for the user, and a need to re-prompt the user. The
user
focal apparmor userspace.
The partial mqueue mediation in Focal's kernel has caused some issues,
and the full patchset including the fix for this may need to be SRUed
kernel side.
** Changed in: apparmor
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: apparmor
^^^
AssertionError: 1 != 0 : Got exit code 0, expected 1
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: apparmor (Ubuntu Plucky)
Imp
This has been traced to the compatibility patches in the kernel, and
will need a kernel fix.
** Changed in: linux (Ubuntu Plucky)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubu
The plan is to attempt another SRU bwrap-userns-restrict along with a
few other profiles that are needed. The previous attempt was reverted,
there ave been several revisions, and we are getting ready to try it
again.
--
You received this bug notification because you are a member of Ubuntu
Bugs, w
The sanitized_helper is an escape hatch, and is only slightly better
than using ux directly within the profile. It exists because Ubuntu
doesn't carry a complete policy yet (a lot of the system is unconfined),
and because environment variable sanitization either breaks the child
application being p
So I think its not unreasonable to add
/var/ r,
/var/log/ r,
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2101180
Title:
Multiple DENIED apparmor messages when using rsyslog with the imfile
modu
@paride: RE: aa-notify
aa-notify does not require the desktop-security-center snap. The
desktop-security-center snap is required for permissions prompting which
is a different feature, that is only available to snaps atm*.
aa-notify is after the fact updating of the profile similar to using aa-
l
also
deny / r,
to silence the denial there seems appropriate
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2101180
Title:
Multiple DENIED apparmor messages when using rsyslog with the imfile
mo
** Also affects: apparmor (Ubuntu Plucky)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100745
Title:
Fix apparmor tools parsing failure caused by lp2100
** Also affects: apparmor (Ubuntu Plucky)
Importance: Undecided
Status: Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100744
Title:
Fix parse failure that breaks aa-tools
To
Public bug reported:
[Impact]
If mptcp endpoints are configured on a host using an address that is
external to the host, then the kernel will create an implicit endpoint
with the host's local address when mptcp receives its first flow. If
multiple packets for these local interfaces arrive in par
atm It looks that way, there certainly should be some though
comment #4's
@{HOME}/.cert/nm-openvpn/* r,
seems reasonable. We will have to look into others
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/b
@aleasto, no they aren't desktop applications. That doesn't mean access
to keys in a users directory can't be routed to the affected user as a
permission request (at least in a desktop environment).
Nor does it mean that the gui interface for network manager, can't act
as at a privilege layer for
I have a patch for this accepted upstream that I'll send to the Ubuntu
kernel team in short order. This has been merged to Linus's tree but
has yet to be picked up by Stable. It's tagged to go there, it just
hasn't been picked up by the robots yet. It affects all releases from
5.17 onward, which
Patches sent to kernel team's list:
https://lists.ubuntu.com/archives/kernel-team/2025-March/157856.html
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2101120
Title:
mptcp BUG 'scheduling while ato
the denials I am seeing in the grub.cfg show linux-boot-probe is now the
failing command. Like os-prober, linux-boot-prober is using unshare to
create a user namespace and getting transitioned into the
unprivileged_unshare profile stack.
--
You received this bug notification because you are a mem
Right, once the reason for the use of the mount namespace was understood
it was clear that it is needed. The current proposed fix is to not
disable mount namespaces but create a more limited proper profile. This
is now being worked on and will hopefully be ready soon.
--
You received this bug not
So the problem with Alex's fix is that it makes a default allow profile
available on the default install. Which is a security hole unless the
apparmor_restrict_unprivileged_unconfined restriction is enabled, by
default.
We tolerate the sbuild profile because it is not installed by default,
and it
The fix for the parse bug, triggered by the fix for the lp2100295 is tracked by
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2100745
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100744
Ti
Public bug reported:
The fix for lp2100295 caused the python based aa-* tools to crash on any
and all policy due to a parsing error.
This bug tracks the fix for the parsing bug in the aa-* tools that
caused the aa-tools to crash. Which is tracked in upstream MR
https://gitlab.com/apparmor/apparmo
Public bug reported:
The fix for https://bugs.launchpad.net/bugs/2100295 resulted in mount
rules in fusermount3 that caused all python aa-* tools to crash because
parsing of the new fusermount3 profile rules failed.
The this blocked merge of the fix for the fusermount3 profile in upstream
https:/
Currently there isn't a good way to set the flags on a profile without
editing the local copy. There is an overlay mechanism coming, but it has
not landed yet. There is also another mechanism for dealing with
disconnected object coming. But until these extensions land there is a
way to do local pro
@xypron:
policy can be shipped as part of the package, or part of the system
policy. Atm unless there is a good reason, or an active package
maintainer who wants to maintain the policy, profiles are being shipped
as part of system policy, in the apparmor package.
--
You received this bug notific
So there is a tension here between users and security. There is no
perfect solution. Allowing openvpn full access to all the users files
has security implications, denying access has usability implications.
As unsatisfying as it is we are working towards a long term solution,
but are not there yet
temporary fix
sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns
or to make it persist after reboot
sudo aa-disable /etc/apparmor.d/unprivileged_userns
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.n
The first denial I am seeing is for netlink. So
network (create) netlink raw,
I am assuming once it is allowed creation of the netlink socket their
will be addition permissions needed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu
In my testing this does work with the bwrap profile that is in the beta
and will land soon.
You can try it yourself by downloading
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/bwrap-
userns-restrict?ref_type=heads
and then running the command
$ apparmor_pa
There will be a new bwrap profile landing in plucky soon that should
hopefully fix most cases. The use case it doesn't fix is the exe being
launched by bwrap requiring capabilities in the unprivileged user
namespace.
--
You received this bug notification because you are a member of Ubuntu
Bugs, w
I've re-run the tests against the proposed kernel and no longer see
these warnings. Thanks for taking the patches to fix this!
** Tags removed: verification-needed-jammy-linux
** Tags added: verification-done-jammy-linux
--
You received this bug notification because you are a member of Ubuntu
B
Public bug reported:
Profile cache files in /etc/apparmor/earlypolicy/ should be loaded by
systemd during early boot to enable full system confinement. Systemd
should load the cache and try to enter confinement as documented in
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd
Howe
Hi Matthew,
I appreciate the update and your persistence in prodding these stubborn tests
along. Is it okay to release the Noble build of this package ahead of the
Oracular one?
Thanks again,
-K
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribe
Hi Matthew,
Thanks for you help with getting this fixed. Please let me know if there's
anything else I can do to assist.
Thanks,
-K
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2090972
Title:
/
There are three approaches:
1. Users will be able to use a GUI notification/pop-up to do this. A
version of this is currently available in 24.10, it has been revised and
a new iteration will soon land in 25.04, the plan is to SRU this back to
24.04 (23.10 is already out of support).
A demo vide
I didn't take an exhaustive look at the reported test failures, but the
ones I did look at above appear to be related to the test infrastructure
not starting up. Can we give those another kick to see if a subsequent
run does any better? Thanks.
--
You received this bug notification because you
Just wanted to follow-up to report that I've run the reproducer on Noble
and Oracular since the 17th and while I did reproduce the bug on both
releases with the old version of the package, I did not see any
occurrences with the new versions of the packages. If there are no
objections, I'll mark th
Hi Matthew and Timo,
Thanks for getting the Noble and Oracular proposed packages posted so promptly.
I'll go ahead and kick off test runs on these this morning and can follow up
by Friday morning (Pacific Time) about whether they have passed. If you don't
think that's long enough, I can let th
Hi Matthew,
I've been running the tests on the patched version of Plucky since 12/10 and
have not observed a recurrence of the bug. In accordance with our previous
discussion, I'm going to mark this as plucky-verification-done. (Assuming
that's the correct tag). Is this sufficient to unblock
Ah, there's no verification-done-plucky tag, but if there were, I'd use
it.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2090972
Title:
/boot intermittently fails to mount on boot
To manage notifi
On 11/16/24 06:42, Sam wrote:
> I was wondering about the threats being mitigated by disabling
> unprivileged userns like this. After some searching, I was able to find
> this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-
> namespace-restrictions-via-apparmor-in-ubuntu-23-10/376
On 12/14/24 01:29, hifron wrote:
> Electron apps could be made without sandbox usage - this could be setup
> as compile options or electron settings, but it is not so good idea...
> maybe temporarily as in between maybe, maybe not...
>
> but todays there is reality that prompting-client could be i
Hi Matthew,
A quick update from me on the testing. It took a couple of days to find a
recipe that reproduces the problem on Plucky, but I now have a test that's
reproduced the issue 4 times in the last 2 days. This isn't as frequently as
Noble, where we saw it approx 1:2000 boots in production
Hi Matthew,
I went ahead and put together a plucky cloud image so I can try running the
tests against this. I'll report back with the results.
Conceptually, the test just launches a qemu instance and the greps the
logs at an interval to determine if it's either booted or hit the bug.
If it's boo
Public bug reported:
Starting on Noble, we see /boot fail to mount in approximately one out
of every two thousand boots. The error looks like this:
Found device dev-disk-by\x2dlabel-BOOT.device - QEMU NVMe Ctrl BOOT.
Starting systemd-fsck@dev-disk-by… Check on /dev/disk/by-label/BOOT...
conditionally dependent rule, such
that when a specific file is allowed the matching pattern is
automatically allowed.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee
)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Noble)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Also affects: linux (Ubuntu)
Importance
If you want you can test the attached profile. It will allow bwrap to work in
most situations. There are a few places Where it will still cause failures
1. if the child that bwrao launches requires privilege in the unprivileged user
namespace.
2. if the child profile has issues due to no-new-priv
Patches to kernel team:
https://lists.ubuntu.com/archives/kernel-team/2024-November/155489.html
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2089373
Title:
WARN in trc_wait_for_one_reader about fa
This specifically affects Jammy and the 5.15 series. I have the
necessary patches prepared and will e-mail those to the kernel team's
mailing list.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2089373
Public bug reported:
[Impact]
When ending bpf tracing, 5.15 kernels now report a warning in
trc_wait_for_one_reader() on platforms that support hot-plugging CPUs,
but that do not have all of their hotplug slots populated. In this
submitter's environment, it reproduces on Xen EC2 instances, but n
The ability to remove the snap without any dependency check/warning is
indeed worrying. The apparmor STATUS message likely not. The
apparmor=STATUS messages are most likely about profile loads and
replacements. In this case the profile="unconfined" means the task doing
the profile load is unconfine
From the kernlog.txt
I see
1497 lines
1280 lines with AppArmor denials
1278 lines with denials to snap profiles
939 lines with denials to /dev/char
937 lines with denials to /dev/char/195
I don't have enough info to positively say this is the nvidia graphics
card, but from other bits of info th
@xmedeko The handling of spaces has nothing to do with the user
namespace restriction that this bug, and the upstream git hub issue are
tracking.
can you attach any additional information. kernel logs etc.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is su
Thanks Matthew and Andreas! Very much appreciate getting the fix
released for Noble, Jammy, and Focal.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2036467
Title:
Resizing cloud-images occasionally
The bwrap profile was reverted on Oracular as well (because it breaks
flatpak), and I did a quick test to verify the thumbnailer does not work
on Oracular budgie. Please let me know if there is a case where this is
working on Oracular.
There is a revised version of the bwrap and flatpak profiles i
@Andrew: Simon is correct. This update deliberately had an unusual roll-
out where it went to updates first so that it could be phased, and we
could roll back if the phasing showed a problem.
The security pocket was not updated specifically to provide a users a
way to easily revert the update.
As
This SRU should land soon. It is up to the release team to decide when
it will be released. There are a couple reason this is baking longer (28
days) than the minimum 7 days. In -proposed is a previous iteration
caused a regression and had to be reverted. The 24.04.1 release happened
recently and t
Ubuntu can not ship an unconfined bwrap profile, doing so allows a
trivial by-pass of the unprivileged user namespace restrictions.
An alternative profile for bwrap is provided by the apparmor-profiles
package in /usr/share/apparmor/extra-profiles/bwrap-userns-restrict
it is not enabled by defaul
*** This bug is a duplicate of bug 2064849 ***
https://bugs.launchpad.net/bugs/2064849
Ubuntu can not ship an unconfined bwrap profile, doing so allows a
trivial by-pass of the unprivileged user namespace restrictions.
An alternative profile for bwrap is provided by the apparmor-profiles
pack
@Mingun: in
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1969896 you
reported this is still affecting Ubuntu 24.04.1
Can you provide log entries with the denials you are encountering?
sudo dmesg | grep DENIED
Also you reported
$ LANG=C sudo apparmor_parser -R /etc/apparmor.d/usr.b
*** This bug is a duplicate of bug 1795649 ***
https://bugs.launchpad.net/bugs/1795649
@Mingun: I have replied in
https://bugs.launchpad.net/evince/+bug/1795649
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpa
This is fixed in 4.0.2 and should be part of the next SRU
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2079019
Title:
Unable to en
Disabling the user namespace restriction is certainly one possible
direction, and would be the easiest for Noble.
The other possible route is using aa-notify, which now has the ability
to produce a prompt for the user. An example gif can be seen at
https://gitlab.com/-/project/4484878/uploads/ea5f
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
Looking into it. This appears to be an issue with the parent missing
when trying to create the child in aafs.
** Changed in: linux (Ubuntu Noble)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: ubuntu-realtime
Status: New => Con
Hi,
Thanks for getting the updates released for Jammy and Noble. Is there any plan
to get packages for Focal released as part of the updates cycle? The status
here says the fix is committed. It's where we ran into this issue initially,
which is part of the reason we're still interested in pic
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
peer=unconfined in most cases is not meant to be any. It is just that
the policy could not distinguish between the different unconfined
processes.
Confined processes were still being blocked by the peer=unconfined rule.
--
You received this bug notification because you are a member of Ubuntu
Bug
So I have some questions about the snap run under the wpa_client case.
Is this trace repeatable? This one is odd to me in a couple of ways like
we are getting a timeout without every doing a select/poll/... so either
it is somehow missing from the trace or its being done by interrupt.
The trace s
@richard-purdie-1:
I can completely agree that its sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.
Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the use
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.
Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The
@jamesh:
for the profile please give it a short non-path based name, and option
for local additions
abi ,
include
profile gnome-shell-portal-helper /usr/libexec/gnome-shell-portal-helper
flags=(default_allow) {
userns,
# Site-specific additions and overrides. See local
@Robie: define final. Right now this is for testing. Once testing is
done and if everything looks good then we will revise the version. The
plan was to go with an epoc version similar to
4.0.1really4.0.0-beta3-0ubuntu0.1 (suggestions welcome), and didn't want
to use/burn those until we are sure thi
steam (non-snap) works, interface is brought up and can launch a game
known to trigger pressure vessel and bwrap.
steam snap is broken. The interface is brought up, but the games I have
tried can not launch. The failure however does not appear to be related
to the revert.It is not bwrap related bu
I have run through QRT tests as well, same results as @georgia in #28
In addition I have tested a couple flatpaks, steam (snap, and non-snap)
has NOT been tested yet, but I will have that one soon.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed
The regression is caused by
d/p/u/enable-bwrap-profile.patch
the bwrap profile is interacting with flatpak, and snapd. The
d/p/u/enable-bwrap-profile.patch will need to be dropped, when the 4.0.1
SRU is redone.
The bwrap, flatpak and snapd will need updates to enable bwrap to be
used by regular
@ross:
atm, correct unshare does Not work as it does not have a profile enabled
by default. However this will be partially fixed via SRU. The SRU for
apparmor 4.0.1 includes an example profile for unshare*, that will allow
unshare to create user namespaces and even have capabilities within the
use
There 3 profiles involved here (probably should be 4), with a call
dependency chain of
flatpak -> bwrap -> bwrap_unpriv
the flatpak profile does not show up in the logs but does end up
launching bwrap. The comm is being set by flatpak, and can not be
considered reliable for which executable is
@kanavin:
Bitbake could indeed do that, it will depend on if it is considered
worthwhile to carry said exception code. As I mentioned above both
capabilities and SELinux are working towards limiting of unprivileged
user namespaces, and the solutions needed to handle there restrictions
will be diff
@kanavin:
Thanks, we don't have an issue with bitbake, the issue comes down to
running code out of a user writable location.
1. The location of bitbake will vary by user. Making any profile we
could ship only functional for a subset of bitbak users. For the others
it would require a privileged ac
@milev-philip:
containers are a difficult case. Unfortunately containers share the same
kernel as the host. An application running in the container (docker
image) can use unprivileged user namespaces to compromise not just the
container but the host as well.
There is the ability to turn the restr
It does seem that way. The problem is the design of unprivileged user
namespaces, it gives unprivileged applications access to a lot of kernel
surface that they usually don't have access to. This has been used to
elevate kernel bugs from root exploitable to being exploitable by
unprivileged users.
*** This bug is a duplicate of bug 2056555 ***
https://bugs.launchpad.net/bugs/2056555
Yes, its best to mark this as a duplicate.
** This bug has been marked a duplicate of bug 2056555
Allow bitbake to create user namespace
--
You received this bug notification because you are a member o
Thanks for the note, Matthew. I was just getting ready to check back
with you. :)
It would be fantastic if we could get the patches for the backport
sponsored in F, J, M, N.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bug
Test Environment 1: kvm virtual machine, clean 24.04 install, updated,
then proposed enabled.
Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04,
updated, then proposed enabled.
Test plan fully executed on both environments.
Notes:
kde, budgie, and kapps: only tested in envi
List of Applications tested for regression
Tellico
Supercollider
steam
rssguard
qutebrowser
qmapshack
plasma-welcome
plasma-desktop
pageedit
opam
notepadqq
marble
loupe
kontact
konqueror
kmail
kgeotag
kdeplasma-addons
kchmviewer
kalgebra
goldendict-webengine
ghostwriter
foliate
geary
firefox snap
A profile for bwrap is in the 4.0.1 SRU
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
To
A profile for bwrap is in the 4.0.1 SRU
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
To
A profile for bwrap is in the 4.0.1 SRU
** Changed in: bubblewrap (Ubuntu)
Status: Triaged => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespa
On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of
June 27, 24.04.
0. Enabled proposed, updated, upgrade and installed apparmor packages
via
$ sudo apt install apparmor apparmor-profiles apparmor-utils
libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor
python3-libap
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
I will add that while you can manually add the profile as a work around,
the full update that is being SRUed is available in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru
any testing that
Can you please try with the apparmor in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru
Basically from a terminal you need to do
sudo add-apt-repository ppa:apparmor-dev/apparmor-sru
sudo apt update
and then retry Web Apps
4.0.1 is in the SRU process, currently waiting to
> Am I correct in understanding, the Thunderbird snap does not allow
profiles to set paths to locations outside the snap confinement? And if
so, is that something specific to running a live system or is it
something any Lubuntu 24.04 installation is now stymied by?
it is a property of the snap, re
Sigh, that should be Unfortunately snap doesn't currently have ...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap on live systems "already running" but not responsive
> I'm sorry, would you mind elaborating? profiles.ini allows
configuration of where each profile stores emails, so what are the
consequences of my doing that? I used it, and the same PATH variable,
prior to 24.04 without problem.
that will direct thunderbird to access your emails stored at the loc
It shouldn't but we do need to make sure it works.
Previously flatpak was getting around the bwrap restriction by using the
flatpak unconfined profile. But the unconfined profile uses pix which
means it will now use the bwrap profile, when calling bwrap.
If this does cause breakage we will need t
1 - 100 of 8480 matches
Mail list logo
