Hello Georgia, no need to apologize, you have done what I wanted to do "as soon
as I have 10 minutes" :).
Thanks!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067900
Title:
apparmor unconfined
Hi The Owl, my apologies. I updated the description containing the SRU
justification with the thorough testing steps.
Here's the correct verification:
root@sec-oracular-amd64:~# lxc launch ubuntu:24.10 test -c security.nesting=true
Launching test
root@sec-oracular-amd64:~# lxc exec test bash
root
Dear Georgia,
can you please test that docker works *within* an LXC container (better if
provisioned via LXD) with the same OS version of the host?
The bug would not show when the 2 would run alongside on the host, but instead
when docker runs within an LXC container.
Verification completed in oracular linux/6.11.0-21.21. Works as
expected.
georgia@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-21-generic #21-Ubuntu SMP PREEMPT_DYNAMIC Wed
Feb 19 16:50:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-oracular-amd64:~$ sudo lxc launch ubu
This bug is awaiting verification that the linux/6.11.0-21.21 kernel in
-proposed solves the problem. Please test the kernel and update this bug
with the results. If the problem is solved, change the tag
'verification-needed-oracular-linux' to 'verification-done-oracular-
linux'. If the problem sti
** Tags removed: verification-needed-noble-linux
** Tags added: verification-done-noble-linux
Verification completed on noble kernel 6.8.0-56.58:
$ lxc launch ubuntu:24.04 test -c security.nesting=true
Launching test
$ lxc exec test bash
root@test:~# uname -a
Linux test 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28
UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
root@
This bug is awaiting verification that the linux/6.8.0-56.58 kernel in
-proposed solves the problem. Please test the kernel and update this bug
with the results. If the problem is solved, change the tag
'verification-needed-noble-linux' to 'verification-done-noble-linux'. If
the problem still exist
Hi Georgia,
thanks a lot for looking into this issue!
Kind regards,
Alex
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067900
Title:
apparmor unconfined profile blocks pivot_root
Hi, mihalicyn, sorry for the delay answering.
That's unfortunately right. Ubuntu 12.04 ships apparmor 2.7 which didn't
have support for ABIs yet, so dc757a645cfa82f6ac252365df20a36a9ff82760
causes a regression on those early versions. I talked to @jjohansen and
we have agreed that this patch needs
We have another problem which disappears when I revert
dc757a645cfa82f6ac252365df20a36a9ff82760 ("UBUNTU: SAUCE: apparmor4.0.0
[81/90]: apparmor: convert easy uses of unconfined() to
label_mediates()") commit.
Now it is not connected with unconfined profiles at all, it involves Ubuntu
Noble (host
Sorry for the delay. The fix had landed but it was reverted due to a
regression. We have a 4.0.1really4.0.1-0ubuntu0.24.04.3 update but
it is still sitting in noble-proposed
https://people.canonical.com/~ubuntu-archive/pending-sru.html
AFAIK, fix was landed
https://gitlab.com/apparmor/apparmor/-/commit/4bb134e4bb950a8c9a1f70a27eb2acd2a35df412
But changelog
https://changelogs.ubuntu.com/changelogs/pool/main/a/apparmor/apparmor_4.0.1really4.0.0-beta3-0ubuntu0.1/changelog
says that everything was reverted back to 4.0.0~beta.
Hi all, what is the latest on this? It appears to not have been fixed in
Ubuntu 24.04.1
https://github.com/canonical/lxd/issues/13389#issuecomment-2319129052
** Bug watch added: github.com/canonical/lxd/issues #13389
https://github.com/canonical/lxd/issues/13389
upstream discussion
https://gitlab.com/apparmor/apparmor/-/merge_requests/1247
This issue is now occurring in lxd latest/edge builds after we merged
initial support for restricted user namespaces.
Is there an eta on a fix?
It looks like the same issue happens with "kill" syscall:
Jul 01 15:52:45 kernel: audit: type=1400 audit(1719849165.951:291):
apparmor="DENIED" operation="signal" class="signal"
profile="lxd-v1_" pid=15369 comm="lxd"
requested_mask="receive" denied_mask="receive" signal=kill
peer="snap.lxd.daemon"
This requires a v4.0 apparmor parser and an Ubuntu, not upstream, kernel.
The Ubuntu kernel carries a patch that is work toward splitting
unconfined and making it so it can be replaced and only cause mediation
overhead for the classes being mediated.
The 4.0 parser is setting mediated classes in unconfined
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New