[Bug 2105986] Re: Apparmor parser 2.12 doesn't find kernel feature that is a substring of another that appears first in search algorithm

2025-04-07 Thread John Johansen
** Also affects: apparmor/3.1 Importance: Undecided Status: New ** Also affects: apparmor/master Importance: Undecided Status: New ** Also affects: apparmor/2.12 Importance: Undecided Status: New ** Also affects: apparmor/4.0.3 Importance: Undecided Status

[Bug 2092232] Re: not able to deploy Plucky Puffin

2025-04-05 Thread John Johansen
This looks like, at a minimum, the apparmor profile needs to be updated. This needs to be done before any other kernel work. Adding an apparmor task. lsblk trace shows openat(AT_FDCWD, "/sys/block/sr0/hidden", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) openat(AT_FDCWD, "/sys/block/sr0/dev

[Bug 2099990] Re: lsusb fails due to apparmor

2025-04-05 Thread John Johansen
@r-fabbeni: if you have done local edits on the profile file, dpkg/apt will move your locally edited version to .save when it installs the new version. I would assume the addition of flags=(complain) was a local addition, possibly done with aa-complain. As for the aa

[Bug 2106133] Re: Gnome Papers "Sign Digitally" Feature Fails Due to AppArmor Restrictions

2025-04-03 Thread John Johansen
Is gnome papers looking for a smart key or similar device, the TPM? Giving it full access to the /sys/devices/ tree is certainly more than it needs. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/21061

Re: [Bug 2099990] Re: lsusb fails due to apparmor

2025-04-03 Thread John Johansen
On 4/3/25 06:52, r.fabb...@gmail.com wrote: > Installed apparmor-utils package and aa-complain is ok now. > But I never did editing in apparmor.d files before yesterday, and on 24.04 > lsusb was not complaining. > After upgrading to 25.04 it started the problem. > So really strange to have a .save

[Bug 2103578] Re: AppArmor notifications lose state when listener crashes

2025-03-19 Thread John Johansen
** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Changed in: linux (Ubuntu) Status: New => In Progress ** Changed in: apparmor (Ubuntu) Status: New => In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => John Johansen (

[Bug 2103578] [NEW] AppArmor notifications lose state when listener crashes

2025-03-18 Thread John Johansen
Public bug reported: When snapd crashes or restarts it closes its connection to the kernel and the listener state, and all existing notifications are lost. This is a problem for snapd as it means prompt information is lost, causing failures for the user, and a need to re-prompt the user. The user

[Bug 2102237] Re: Disconnected paths for mqueues show a TODO in the kernel logs

2025-03-18 Thread John Johansen
focal apparmor userspace. The partial mqueue mediation in Focal's kernel has caused some issues, and the full patchset including the fix for this may need to be SRUed kernel side. ** Changed in: apparmor Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: apparmor

[Bug 2103460] [NEW] QRT AppArmorUnixDomainConnect test failures on Plucky 6.14 kernel

2025-03-17 Thread John Johansen
^^^ AssertionError: 1 != 0 : Got exit code 0, expected 1 ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Affects: linux (Ubuntu) Importance: Undecided Assignee: John Johansen (jjohansen) Status: New ** Affects: apparmor (Ubuntu Plucky) Imp

[Bug 2103460] Re: QRT AppArmorUnixDomainConnect test failures on Plucky 6.14 kernel

2025-03-17 Thread John Johansen
This has been traced to the compatibility patches in the kernel, and will need a kernel fix. ** Changed in: linux (Ubuntu Plucky) Assignee: (unassigned) => John Johansen (jjohansen) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubu

[Bug 2103389] Re: Apparmor bwrap-userns-restrict need to be updated

2025-03-17 Thread John Johansen
The plan is to attempt another SRU of bwrap-userns-restrict along with a few other profiles that are needed. The previous attempt was reverted, there have been several revisions, and we are getting ready to try it again. -- You received this bug notification because you are a member of Ubuntu Bugs, w

[Bug 2102694] Re: dangerous "sanitized_helper" contains /** rwkl,

2025-03-15 Thread John Johansen
The sanitized_helper is an escape hatch, and is only slightly better than using ux directly within the profile. It exists because Ubuntu doesn't carry a complete policy yet (a lot of the system is unconfined), and because environment variable sanitization either breaks the child application being p

[Bug 2101180] Re: Multiple DENIED apparmor messages when using rsyslog with the imfile module

2025-03-15 Thread John Johansen
So I think it's not unreasonable to add /var/ r, /var/log/ r, -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2101180 Title: Multiple DENIED apparmor messages when using rsyslog with the imfile modu

[Bug 2098930] Re: openvpn profile doesn't allow access to files on home dir

2025-03-13 Thread John Johansen
@paride: RE: aa-notify aa-notify does not require the desktop-security-center snap. The desktop-security-center snap is required for permissions prompting which is a different feature, that is only available to snaps atm*. aa-notify is after the fact updating of the profile similar to using aa- l

[Bug 2101180] Re: Multiple DENIED apparmor messages when using rsyslog with the imfile module

2025-03-11 Thread John Johansen
Also, deny / r, to silence the denial there seems appropriate. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2101180 Title: Multiple DENIED apparmor messages when using rsyslog with the imfile mo

[Bug 2100745] Re: Fix apparmor tools parsing failure caused by lp2100295

2025-03-10 Thread John Johansen
** Also affects: apparmor (Ubuntu Plucky) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2100745 Title: Fix apparmor tools parsing failure caused by lp2100

[Bug 2100744] Re: Fix parse failure that breaks aa-tools

2025-03-10 Thread John Johansen
** Also affects: apparmor (Ubuntu Plucky) Importance: Undecided Status: Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2100744 Title: Fix parse failure that breaks aa-tools To

[Bug 2098930] Re: openvpn profile doesn't allow access to files on home dir

2025-03-07 Thread John Johansen
Atm it looks that way; there certainly should be some, though comment #4's @{HOME}/.cert/nm-openvpn/* r, seems reasonable. We will have to look into others. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/b

[Bug 2098930] Re: openvpn profile doesn't allow access to files on home dir

2025-03-07 Thread John Johansen
@aleasto, no they aren't desktop applications. That doesn't mean access to keys in a user's directory can't be routed to the affected user as a permission request (at least in a desktop environment). Nor does it mean that the gui interface for network manager can't act as a privilege layer for

[Bug 2099811] Re: Os-prober segmentation fault one message for each partition on same PC

2025-03-05 Thread John Johansen
the denials I am seeing in the grub.cfg show linux-boot-probe is now the failing command. Like os-prober, linux-boot-prober is using unshare to create a user namespace and getting transitioned into the unprivileged_unshare profile stack. -- You received this bug notification because you are a mem

[Bug 2099811] Re: Os-prober segmentation fault one message for each partition on same PC

2025-03-04 Thread John Johansen
Right, once the reason for the use of the mount namespace was understood it was clear that it is needed. The current proposed fix is to not disable mount namespaces but create a more limited proper profile. This is now being worked on and will hopefully be ready soon. -- You received this bug not

[Bug 2099811] Re: Os-prober segmentation fault one message for each partition on same PC

2025-03-03 Thread John Johansen
So the problem with Alex's fix is that it makes a default allow profile available on the default install. Which is a security hole unless the apparmor_restrict_unprivileged_unconfined restriction is enabled, by default. We tolerate the sbuild profile because it is not installed by default, and it

[Bug 2100744] Re: Fix parse failure that breaks aa-tools

2025-03-03 Thread John Johansen
The fix for the parse bug, triggered by the fix for lp2100295, is tracked by https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2100745 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2100744 Ti

[Bug 2100745] [NEW] Fix apparmor tools parsing failure caused by lp2100295

2025-03-03 Thread John Johansen
Public bug reported: The fix for lp2100295 caused the python-based aa-* tools to crash on any and all policy due to a parsing error. This bug tracks the fix for the parsing bug in the aa-* tools that caused the aa-tools to crash, which is tracked in upstream MR https://gitlab.com/apparmor/apparmo

[Bug 2100744] [NEW] Fix parse failure that breaks aa-tools

2025-03-03 Thread John Johansen
Public bug reported: The fix for https://bugs.launchpad.net/bugs/2100295 resulted in mount rules in fusermount3 that caused all python aa-* tools to crash because parsing of the new fusermount3 profile rules failed. This blocked merge of the fix for the fusermount3 profile in upstream https:/

[Bug 1373070] Re: full fix for disconnected path (paths)

2025-02-26 Thread John Johansen
Currently there isn't a good way to set the flags on a profile without editing the local copy. There is an overlay mechanism coming, but it has not landed yet. There is also another mechanism for dealing with disconnected objects coming. But until these extensions land there is a way to do local pro

[Bug 2098838] Re: apparmor appears to deny wpasupplicant on plucky, breaking wifi

2025-02-24 Thread John Johansen
@xypron: policy can be shipped as part of the package, or part of the system policy. Atm unless there is a good reason, or an active package maintainer who wants to maintain the policy, profiles are being shipped as part of system policy, in the apparmor package. -- You received this bug notific

[Bug 2098930] Re: openvpn profile doesn't allow access to files on home dir

2025-02-21 Thread John Johansen
So there is a tension here between users and security. There is no perfect solution. Allowing openvpn full access to all the users files has security implications, denying access has usability implications. As unsatisfying as it is we are working towards a long term solution, but are not there yet

[Bug 2098906] Re: apparmor breaks sbuild with unshare on plucky

2025-02-19 Thread John Johansen
Temporary fix: sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns or, to make it persist after reboot: sudo aa-disable /etc/apparmor.d/unprivileged_userns -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.n

[Bug 2098838] Re: apparmor appears to deny wpasupplicant on plucky, breaking wifi

2025-02-19 Thread John Johansen
The first denial I am seeing is for netlink. So network (create) netlink raw, I am assuming once it is allowed creation of the netlink socket there will be additional permissions needed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu

[Bug 2069526] Re: bubblewrap cannot create namespace - Failed RTM_NEWADDR: Operation not permitted

2025-01-29 Thread John Johansen
In my testing this does work with the bwrap profile that is in the beta and will land soon. You can try it yourself by downloading https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/bwrap- userns-restrict?ref_type=heads and then running the command $ apparmor_pa

[Bug 2069526] Re: bubblewrap cannot create namespace - Failed RTM_NEWADDR: Operation not permitted

2025-01-27 Thread John Johansen
There will be a new bwrap profile landing in plucky soon that should hopefully fix most cases. The use case it doesn't fix is the exe being launched by bwrap requiring capabilities in the unprivileged user namespace. -- You received this bug notification because you are a member of Ubuntu Bugs, w

[Bug 2095370] [NEW] AppArmor early policy load not functioning

2025-01-20 Thread John Johansen
Public bug reported: Profile cache files in /etc/apparmor/earlypolicy/ should be loaded by systemd during early boot to enable full system confinement. Systemd should load the cache and try to enter confinement as documented in https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd Howe

[Bug 2092752] Re: Guidance for pipx binaries requiring user namespaces

2024-12-31 Thread John Johansen
There are three approaches: 1. Users will be able to use a GUI notification/pop-up to do this. A version of this is currently available in 24.10, it has been revised and a new iteration will soon land in 25.04, the plan is to SRU this back to 24.04 (23.10 is already out of support). A demo vide

Re: [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-12-15 Thread John Johansen
On 11/16/24 06:42, Sam wrote: > I was wondering about the threats being mitigated by disabling > unprivileged userns like this. After some searching, I was able to find > this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user- > namespace-restrictions-via-apparmor-in-ubuntu-23-10/376

Re: [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-12-15 Thread John Johansen
On 12/14/24 01:29, hifron wrote: > Electron apps could be made without sandbox usage - this could be setup > as compile options or electron settings, but it is not so good idea... > maybe temporarily as in between maybe, maybe not... > > but todays there is reality that prompting-client could be i

[Bug 2089651] [NEW] Prompt denial of large part files

2024-11-26 Thread John Johansen
conditionally dependent rule, such that when a specific file is allowed the matching pattern is automatically allowed. ** Affects: apparmor (Ubuntu) Importance: Undecided Assignee: John Johansen (jjohansen) Status: New ** Affects: linux (Ubuntu) Importance: Undecided Assignee

[Bug 2089645] [NEW] Prompting can cause large file downloads to fail

2024-11-26 Thread John Johansen
) Importance: Undecided Status: New ** Affects: apparmor (Ubuntu Noble) Importance: Undecided Status: New ** Affects: linux (Ubuntu Noble) Importance: Undecided Assignee: John Johansen (jjohansen) Status: New ** Also affects: linux (Ubuntu) Importance

[Bug 2089378] Re: bwrap needs an apparmor profile to work

2024-11-22 Thread John Johansen
If you want you can test the attached profile. It will allow bwrap to work in most situations. There are a few places where it will still cause failures: 1. if the child that bwrap launches requires privilege in the unprivileged user namespace. 2. if the child profile has issues due to no-new-priv

[Bug 2084099] Re: so many apparmor denied messages

2024-11-06 Thread John Johansen
The ability to remove the snap without any dependency check/warning is indeed worrying. The apparmor STATUS message likely not. The apparmor=STATUS messages are most likely about profile loads and replacements. In this case the profile="unconfined" means the task doing the profile load is unconfine

[Bug 2086550] Re: apparmor freeze EVGA INTERNATIONAL CO., LTD E672 1.2.1 machine type freeze all

2024-11-04 Thread John Johansen
From the kernlog.txt I see 1497 lines; 1280 lines with AppArmor denials; 1278 lines with denials to snap profiles; 939 lines with denials to /dev/char; 937 lines with denials to /dev/char/195. I don't have enough info to positively say this is the nvidia graphics card, but from other bits of info th
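
The line counting in the message above (total lines, lines with denials, denials against snap profiles, denials on /dev/char and on the 195 major) is the usual first pass over a kernel log when triaging AppArmor. The script below is an added example of that triage and is not code from the bug thread or from the apparmor project. It parses the key="value" fields the kernel writes in apparmor="DENIED" audit lines, produces the same counts, and groups file denials per profile into candidate "path mask," rules. The log lines are constructed for the example; the profile names, paths and pids in them are made up, and the MASK_ORDER used to print merged permission masks is an assumption.

```python
"""Triage AppArmor denials from a kernel log (added example, not from the bug thread)."""
import re
import sys
from collections import defaultdict

# Constructed sample kernel log in the shape of the kernel's audit output.
# Profiles, paths and pids are invented for illustration only.
SAMPLE_LOG = """\
[   12.345678] audit: type=1400 audit(1700000000.101:201): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox.firefox" pid=812 comm="apparmor_parser"
[   40.100001] audit: type=1400 audit(1700000000.201:202): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/dev/char/195:0" pid=2210 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   40.100002] audit: type=1400 audit(1700000000.202:203): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/dev/char/195:255" pid=2210 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[   41.000000] audit: type=1400 audit(1700000000.203:204): apparmor="DENIED" operation="open" class="file" profile="snap.thunderbird.thunderbird" name="/dev/char/195:0" pid=2300 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   42.000000] audit: type=1400 audit(1700000000.204:205): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/var/log/" pid=900 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   43.000000] systemd[1]: Started some.service.
"""

DENIED_RE = re.compile(r'apparmor="DENIED"')
# key="quoted value" or key=bare_value, as emitted by the kernel audit code
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Order in which merged permission characters are printed (assumption, for readability)
MASK_ORDER = "rwalkmix"


def parse_audit_fields(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_denials(log_text):
    """Parse every apparmor="DENIED" line; STATUS lines and non-AppArmor noise are skipped."""
    return [parse_audit_fields(line) for line in log_text.splitlines() if DENIED_RE.search(line)]


def summarize(log_text):
    """Counts matching the triage done by hand in the bug comment."""
    denials = parse_denials(log_text)
    return {
        "total_lines": len(log_text.splitlines()),
        "denied": len(denials),
        "snap_profiles": sum(1 for d in denials if d.get("profile", "").startswith("snap.")),
        "dev_char": sum(1 for d in denials if d.get("name", "").startswith("/dev/char/")),
        "dev_char_195": sum(1 for d in denials if d.get("name", "").startswith("/dev/char/195:")),
    }


def merge_masks(masks):
    """Union of several denied_mask strings, printed in MASK_ORDER (unknown chars sorted last)."""
    chars = set("".join(masks))
    known = "".join(c for c in MASK_ORDER if c in chars)
    return known + "".join(sorted(chars - set(MASK_ORDER)))


def suggest_file_rules(log_text):
    """Group file denials by profile; one 'path mask,' candidate rule per path.

    Denials without name/denied_mask (capability, network, signal, ...) are not
    file accesses and are deliberately left for a human to look at.
    """
    wanted = defaultdict(lambda: defaultdict(list))
    for d in parse_denials(log_text):
        if "name" not in d or "denied_mask" not in d:
            continue
        wanted[d["profile"]][d["name"]].append(d["denied_mask"])
    return {
        profile: [f"{path} {merge_masks(masks)}," for path, masks in sorted(paths.items())]
        for profile, paths in wanted.items()
    }


if __name__ == "__main__":
    # Usage: sudo dmesg | python3 triage.py   (falls back to the constructed sample on a tty)
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
    for profile, rules in suggest_file_rules(text).items():
        print(f"\nprofile {profile} would need:")
        for rule in rules:
            print(f"  {rule}")
```

The suggested rules grant exactly what was denied and nothing more; whether a given access is appropriate (for instance a snap reading every /dev/char/195:* node) is still a judgement to make before adding anything to a profile, and a flood of identical denials from one device major is a hint to look at the hardware or driver, as the comment above does, rather than at the policy alone.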

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-10-24 Thread John Johansen
@xmedeko The handling of spaces has nothing to do with the user namespace restriction that this bug, and the upstream GitHub issue, are tracking. Can you attach any additional information, kernel logs etc.? -- You received this bug notification because you are a member of Ubuntu Bugs, which is su

[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper

2024-10-20 Thread John Johansen
The bwrap profile was reverted on Oracular as well (because it breaks flatpak), and I did a quick test to verify the thumbnailer does not work on Oracular budgie. Please let me know if there is a case where this is working on Oracular. There is a revised version of the bwrap and flatpak profiles i

[Bug 1597017] Re: mount rules grant excessive permissions

2024-10-03 Thread John Johansen
@Andrew: Simon is correct. This update deliberately had an unusual roll-out where it went to updates first so that it could be phased, and we could roll back if the phasing showed a problem. The security pocket was not updated specifically to provide users a way to easily revert the update. As

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-09-11 Thread John Johansen
This SRU should land soon. It is up to the release team to decide when it will be released. There are a couple of reasons this is baking longer (28 days) than the minimum 7 days. In -proposed a previous iteration caused a regression and had to be reverted. The 24.04.1 release happened recently and t

[Bug 2064849] Re: Ubuntu 24.04 desktop icons ng image thumbnails no longer displayed

2024-09-10 Thread John Johansen
Ubuntu can not ship an unconfined bwrap profile, doing so allows a trivial by-pass of the unprivileged user namespace restrictions. An alternative profile for bwrap is provided by the apparmor-profiles package in /usr/share/apparmor/extra-profiles/bwrap-userns-restrict it is not enabled by defaul

[Bug 2079983] Re: Thumbnails in desktop doesn't work due to apparmor restrictions

2024-09-10 Thread John Johansen
*** This bug is a duplicate of bug 2064849 *** https://bugs.launchpad.net/bugs/2064849 Ubuntu can not ship an unconfined bwrap profile, doing so allows a trivial by-pass of the unprivileged user namespace restrictions. An alternative profile for bwrap is provided by the apparmor-profiles pack

[Bug 1795649] Re: evince from snap doesn't save position in pdf document

2024-09-10 Thread John Johansen
@Mingun: in https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1969896 you reported this is still affecting Ubuntu 24.04.1 Can you provide log entries with the denials you are encountering? sudo dmesg | grep DENIED Also you reported $ LANG=C sudo apparmor_parser -R /etc/apparmor.d/usr.b

[Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

2024-09-10 Thread John Johansen
*** This bug is a duplicate of bug 1795649 *** https://bugs.launchpad.net/bugs/1795649 @Mingun: I have replied in https://bugs.launchpad.net/evince/+bug/1795649 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpa

[Bug 2079019] Re: Unable to enforce/disable profiles using aa-enforce/aa-disable

2024-09-06 Thread John Johansen
This is fixed in 4.0.2 and should be part of the next SRU ** Changed in: apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2079019 Title: Unable to en

[Bug 2065088] Re: AppArmor profiles allowing userns not immediately active in 24.04 live image

2024-09-03 Thread John Johansen
Disabling the user namespace restriction is certainly one possible direction, and would be the easiest for Noble. The other possible route is using aa-notify, which now has the ability to produce a prompt for the user. An example gif can be seen at https://gitlab.com/-/project/4484878/uploads/ea5f

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-08-30 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble. It can be installed via sudo apt install apparmor-notif

[Bug 2068602] Re: kernel oops in aafs_create in noble/oracular

2024-08-29 Thread John Johansen
Looking into it. This appears to be an issue with the parent missing when trying to create the child in aafs. ** Changed in: linux (Ubuntu Noble) Status: New => Confirmed ** Changed in: linux (Ubuntu) Status: New => Confirmed ** Changed in: ubuntu-realtime Status: New => Con

[Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue

2024-08-26 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble. It can be installed via sudo apt install apparmor-notif

[Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-08-26 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble. It can be installed via sudo apt install apparmor-notif

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-08-26 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble. It can be installed via sudo apt install apparmor-notif

[Bug 2077413] Re: apparmor unconfined profile blocks signal sending

2024-08-20 Thread John Johansen
peer=unconfined in most cases is not meant to be any. It is just that the policy could not distinguish between the different unconfined processes. Confined processes were still being blocked by the peer=unconfined rule. -- You received this bug notification because you are a member of Ubuntu Bug

[Bug 2074070] Re: unable to get WPA supplicant status via wpa-cli utility from a snap

2024-07-26 Thread John Johansen
So I have some questions about the snap run under the wpa_client case. Is this trace repeatable? This one is odd to me in a couple of ways, like we are getting a timeout without ever doing a select/poll/... so either it is somehow missing from the trace or it's being done by interrupt. The trace s

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-25 Thread John Johansen
@richard-purdie-1: I can completely agree that it's sad that security is stopping what amounts to better security. We are open to suggestions on how to improve the situation. Distro specific hacks are ugly, an additional burden and aren't a desirable solution. The end goal is to make it so the use

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-25 Thread John Johansen
@ross: yes the plan is to enable unshare and bwrap with custom profiles. It is possible to test if this would work for your use case by copying these profiles to the system and loading them. Whether it will work really depends on whether unshare can do all the necessary privileged operations. The

[Bug 2051574] Re: gnome-shell-portal-helper crashed with SIGTRAP in waitUntilSyncedOrDie() from WebKit::XDGDBusProxy::launch() ["bwrap: setting up uid map: Permission denied" ; "Failed to fully launch

2024-07-19 Thread John Johansen
@jamesh: for the profile please give it a short non-path based name, and an option for local additions: abi , include profile gnome-shell-portal-helper /usr/libexec/gnome-shell-portal-helper flags=(default_allow) { userns, # Site-specific additions and overrides. See local

[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

2024-07-16 Thread John Johansen
@Robie: define final. Right now this is for testing. Once testing is done and if everything looks good then we will revise the version. The plan was to go with an epoch version similar to 4.0.1really4.0.0-beta3-0ubuntu0.1 (suggestions welcome), and didn't want to use/burn those until we are sure thi

[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

2024-07-16 Thread John Johansen
steam (non-snap) works, interface is brought up and can launch a game known to trigger pressure vessel and bwrap. steam snap is broken. The interface is brought up, but the games I have tried can not launch. The failure however does not appear to be related to the revert. It is not bwrap related bu

[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

2024-07-16 Thread John Johansen
I have run through QRT tests as well, same results as @georgia in #28 In addition I have tested a couple flatpaks, steam (snap, and non-snap) has NOT been tested yet, but I will have that one soon. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-16 Thread John Johansen
The regression is caused by d/p/u/enable-bwrap-profile.patch the bwrap profile is interacting with flatpak, and snapd. The d/p/u/enable-bwrap-profile.patch will need to be dropped, when the 4.0.1 SRU is redone. The bwrap, flatpak and snapd will need updates to enable bwrap to be used by regular

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-15 Thread John Johansen
@ross: atm, correct, unshare does not work as it does not have a profile enabled by default. However this will be partially fixed via SRU. The SRU for apparmor 4.0.1 includes an example profile for unshare*, that will allow unshare to create user namespaces and even have capabilities within the use

[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

2024-07-11 Thread John Johansen
There are 3 profiles involved here (probably should be 4), with a call dependency chain of flatpak -> bwrap -> bwrap_unpriv. The flatpak profile does not show up in the logs but does end up launching bwrap. The comm is being set by flatpak, and can not be considered reliable for which executable is

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-11 Thread John Johansen
@kanavin: Bitbake could indeed do that, it will depend on if it is considered worthwhile to carry said exception code. As I mentioned above both capabilities and SELinux are working towards limiting of unprivileged user namespaces, and the solutions needed to handle their restrictions will be diff

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-11 Thread John Johansen
@kanavin: Thanks, we don't have an issue with bitbake, the issue comes down to running code out of a user writable location. 1. The location of bitbake will vary by user. Making any profile we could ship only functional for a subset of bitbake users. For the others it would require a privileged ac

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-11 Thread John Johansen
@milev-philip: containers are a difficult case. Unfortunately containers share the same kernel as the host. An application running in the container (docker image) can use unprivileged user namespaces to compromise not just the container but the host as well. There is the ability to turn the restr

[Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-11 Thread John Johansen
It does seem that way. The problem is the design of unprivileged user namespaces, it gives unprivileged applications access to a lot of kernel surface that they usually don't have access to. This has been used to elevate kernel bugs from root exploitable to being exploitable by unprivileged users.

[Bug 2072615] Re: Request to add a default profile for bitbake

2024-07-11 Thread John Johansen
*** This bug is a duplicate of bug 2056555 *** https://bugs.launchpad.net/bugs/2056555 Yes, it's best to mark this as a duplicate. ** This bug has been marked a duplicate of bug 2056555 Allow bitbake to create user namespace -- You received this bug notification because you are a member o

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-08 Thread John Johansen
Test Environment 1: kvm virtual machine, clean 24.04 install, updated, then proposed enabled. Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04, updated, then proposed enabled. Test plan fully executed on both environments. Notes: kde, budgie, and kapps: only tested in envi

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-08 Thread John Johansen
List of Applications tested for regression Tellico Supercollider steam rssguard qutebrowser qmapshack plasma-welcome plasma-desktop pageedit opam notepadqq marble loupe kontact konqueror kmail kgeotag kdeplasma-addons kchmviewer kalgebra goldendict-webengine ghostwriter foliate geary firefox snap

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-06-29 Thread John Johansen
A profile for bwrap is in the 4.0.1 SRU -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP To

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-06-29 Thread John Johansen
A profile for bwrap is in the 4.0.1 SRU ** Changed in: bubblewrap (Ubuntu) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespa

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-29 Thread John Johansen
On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of June 27, 24.04. 0. Enabled proposed, updated, upgrade and installed apparmor packages via $ sudo apt install apparmor apparmor-profiles apparmor-utils libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor python3-libap

[Bug 2064781] Re: setzer does not launch

2024-06-19 Thread John Johansen
*** This bug is a duplicate of bug 2046844 *** https://bugs.launchpad.net/bugs/2046844 I will add that while you can manually add the profile as a work around, the full update that is being SRUed is available in https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru any testing that

[Bug 2069526] Re: bubbewrap cannot create namespace - Failed RTM_NEWADDR: Operation not permitted

2024-06-16 Thread John Johansen
Can you please try with the apparmor in https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru Basically from a terminal you need to do
sudo add-apt-repository ppa:apparmor-dev/apparmor-sru
sudo apt update
and then retry Web Apps 4.0.1 is in the SRU process, currently waiting to

[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-06-05 Thread John Johansen
> Am I correct in understanding, the Thunderbird snap does not allow profiles to set paths to locations outside the snap confinement? And if so, is that something specific to running a live system or is it something any Lubuntu 24.04 installation is now stymied by? it is a property of the snap, re

[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-06-05 Thread John Johansen
Sigh, that should be Unfortunately snap doesn't currently have ... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2064363 Title: thunderbird snap on live systems "already running" but not responsive

[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-06-05 Thread John Johansen
> I'm sorry, would you mind elaborating? profiles.ini allows configuration of where each profile stores emails, so what are the consequences of my doing that? I used it, and the same PATH variable, prior to 24.04 without problem. that will direct thunderbird to access your emails stored at the loc

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-04 Thread John Johansen
It shouldn't but we do need to make sure it works. Previously flatpak was getting around the bwrap restriction by using the flatpak unconfined profile. But the unconfined profile uses pix which means it will now use the bwrap profile, when calling bwrap. If this does cause breakage we will need t

[Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-06-04 Thread John Johansen
** Changed in: apparmor (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056496 Title: [FFe] AppArmor 4.0-beta2 + prompting support for noble To

[Bug 2056517] Re: VS Code profile still broken.

2024-06-04 Thread John Johansen
** Changed in: apparmor (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056517 Title: VS Code profile still broken. To manage notifications about th

[Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue

2024-06-04 Thread John Johansen
** Changed in: apparmor (Ubuntu) Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060767 Title: Foliate does not run in Ubuntu 24.04 due to apparmor issue To

[Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-06-04 Thread John Johansen
** Changed in: apparmor (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060810 Title: Wike does not run in Ubuntu 24.04 due to apparmor issue To manage no

[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-06-04 Thread John Johansen
the Path=/media/lubuntu/drive/hq/email/thunderbird/certainprofilegoeshere explains it -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2064363 Title: thunderbird snap on live systems "already running"

[Bug 2067900] Re: apparmor unconfined profile blocks pivot_root

2024-06-03 Thread John Johansen
This requires a v4.0 apparmor parser and an Ubuntu, not upstream, kernel. The ubuntu kernel carries a patch that is work toward splitting unconfined and making it so it can be replaced and only cause mediation overhead for the classes being mediated. The 4.0 parser is setting mediated classes in unconfined

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-03 Thread John Johansen
@smoelius: If you are interested in learning more of the processes, you can read about it at https://wiki.ubuntu.com/StableReleaseUpdates To summarize the upload is at step 4 of the procedures. It has been uploaded but has not been promoted to the -proposed pocket. Once it has been accepted it wi

[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper

2024-05-24 Thread John Johansen
Uhmmm sorry Oracular not Oneiric, seems I am a full 13 years out of sync -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2065708 Title: Add Picture button in Background does not allow you to select

[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper

2024-05-24 Thread John Johansen
I can report the bwrap-userns-restrict profile in Oneiric makes this work for me. This fix migrated out of proposed this week, so it has only been available for a few days. We will work on getting it SRUed to noble. -- You received this bug notification because you are a member of Ubuntu Bugs, wh

[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper

2024-05-24 Thread John Johansen
@samlan00: you should be able to revert your fix on Oneiric. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2065708 Title: Add Picture button in Background does not allow you to select wallpaper

[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper

2024-05-24 Thread John Johansen
Agreed that we don't want to remove sandboxing on the thumbnailer. We are looking at what we can do for a fix. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2065708 Title: Add Picture button in Bac

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-05-23 Thread John Johansen
@mhalano: can you check your logs for apparmor denial messages?
sudo dmesg | grep DENIED
or
journalctl -g apparmor
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user name
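The two commands above only find the denial lines; working out which program, profile and operation is being blocked (for this bug, userns_create denials from programs that have no profile, such as bwrap or an AppImage) still means reading the key=value audit fields by hand. The following parser is an added example for this thread, not code from the AppArmor project or from the reporter. The audit lines in SAMPLE_LOG are constructed to resemble real AppArmor audit output (dmesg prefix, type=1400, the apparmor="DENIED"/"STATUS" fields) and are not taken from any bug report; the bwrap-userns-restrict profile name in the STATUS line is the one mentioned elsewhere in this thread.

```python
"""Parse AppArmor audit lines (as printed by `dmesg` or `journalctl -g apparmor`)
into structured records and summarise the denials.

Added example for this thread; not AppArmor project code. SAMPLE_LOG is a
constructed sample, not real bug-report output.
"""
import re
from collections import Counter

# Constructed sample: three DENIED lines and one STATUS (profile load) line.
SAMPLE_LOG = """\
[  123.456789] audit: type=1400 audit(1716460800.101:77): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4242 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
[  123.500000] audit: type=1400 audit(1716460800.202:78): apparmor="DENIED" operation="open" class="file" profile="lsusb" name="/sys/bus/usb/devices/" pid=4300 comm="lsusb" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  124.000000] audit: type=1400 audit(1716460801.303:79): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=4343 comm="app.AppImage" requested="userns_create" denied="userns_create"
[  124.100000] audit: type=1400 audit(1716460801.404:80): apparmor="STATUS" operation="profile_load" profile="unconfined" name="bwrap-userns-restrict" pid=1 comm="apparmor_parser"
"""

# key="quoted value" (may contain spaces) or key=bare_value (no spaces).
# A '=' inside a quoted value would confuse this simple scanner; AppArmor
# does not emit one in the fields used here.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<seconds>.<millis>:<serial>)
_AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')
_INT_RE = re.compile(r'-?\d+$')


def parse_line(line):
    """Return a dict of fields for one AppArmor audit line, or None if the
    line is not an AppArmor message. Bare integer values (pid, error,
    fsuid, ...) are converted to int; quoted values stay strings."""
    if 'apparmor=' not in line:
        return None
    rec = {}
    m = _AUDIT_RE.search(line)
    if m:
        rec['timestamp'] = float(m.group(1) + '.' + m.group(2))
        rec['serial'] = int(m.group(3))
    for key, quoted, bare in _KV_RE.findall(line):
        if bare:
            rec[key] = int(bare) if _INT_RE.match(bare) else bare
        else:
            rec[key] = quoted
    return rec


def parse_log(text):
    """Parse every AppArmor line in a dmesg/journal dump."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def denials(records):
    return [r for r in records if r.get('apparmor') == 'DENIED']


def summarise(records):
    """Count denials keyed by (profile, operation, comm) so the offending
    program and the profile it ran under are visible at a glance."""
    counts = Counter()
    for r in denials(records):
        counts[(r.get('profile'), r.get('operation'), r.get('comm'))] += 1
    return counts


def userns_denials(records):
    """Denials produced by the user namespace creation restriction: the
    program in comm was blocked from creating an unprivileged user namespace
    (it ran unconfined and had no profile granting userns)."""
    return [r for r in denials(records) if r.get('operation') == 'userns_create']


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for (profile, op, comm), n in sorted(summarise(recs).items()):
        print(f'{n:3d}  profile={profile} operation={op} comm={comm}')
    for r in userns_denials(recs):
        print(f'userns_create denied for {r["comm"]} (pid {r["pid"]}), '
              f'info={r.get("info", "-")}')
```

To run it on a live system, replace SAMPLE_LOG with the output of `journalctl -g apparmor --no-pager -o cat` or `dmesg`; the parser ignores lines without an apparmor= field, so the whole dump can be fed in unfiltered.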

[Bug 2064144] Re: lxc ships apparmor config that confuses aa-logprof

2024-05-23 Thread John Johansen
I opened a Ubuntu Noble specific task. We can close it after verifying the current apparmor in noble fixes the issue. ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Noble) Importance: Undecided Status: New -- You recei

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-05-14 Thread John Johansen
Yes for the appimages that are affected they should be reported upstream. There are some things that upstream can do to make appimages work under the restriction, ideally they would do it dynamically based on whether the user namespace is available rather than just based on distro which is the quick fix s

[Bug 2065685] Re: aa-logprof fails with 'runbindable' error

2024-05-14 Thread John Johansen
** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Maxime Bélair (mbelair) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2065685 Title: aa-logprof fails with 'runbindable' error To man
