This is the fix upstream:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1237/diffs?commit_id=1f4bba0448563b7d1fe4d86c230556ebf8d3805b
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2079019
Tit
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** No longer affects: apparmor (Ubuntu)
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Oracular)
Importance: Undecided
Status: New
Eugenio, do you see any apparmor messages in your system logs? They could be in
/var/log/syslog or /var/log/kern.log, or if you have auditd installed
/var/log/audit/audit.log
You will need to create an AppArmor profile for the AppImage to work
using unprivileged user namespaces with privileged operations. Here's a
more detailed explanation in a different bug:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056627/comments/4
Hi Eugenio. I appreciate your patience, but we haven't been able to
reproduce the issue so we depend on our logs to draw out any conclusion.
Is there any chance you are using a different software or extension to
display your thumbnails other than nautilus directly? Something like
gnome-shell-exten
Hi Eugenio. I'm relieved to hear that you are using Desktop Icons NG. That bug
is being tracked in
https://bugs.launchpad.net/ubuntu/+source/gnome-shell-extension-desktop-icons-ng/+bug/2064849
as kanschat shared in #41
Good news is that there's already a fix on the way
https://salsa.debian.org
This profile bypasses the restriction of unprivileged user namespaces,
therefore Ubuntu cannot ship it, and we recommend you don't use it as
well. If an application calls bwrap with a valid use of unpriv userns,
then a profile for that app should be created instead. Let me know if
you need any help
The bug was caused by a commit [1] in the Ubuntu kernel that would
change the kernel features hash based on the status of the userns and
io_uring restriction. When the policy cache was generated, userns
restriction would be available and the hash under
/etc/apparmor/earlypolicy/ would match the set
** Description changed:
+ SRU Justification:
+
+ [Impact]
+
+ The commit being reverted allows the use of runtime information on
+ AppArmor features, usually located under
+ /sys/kernel/security/apparmor/features/
+
+ The set of features is used to calculate the features' hash, used by
+ AppArm
Since rsyslog ships its own apparmor profile, I'm adding rsyslog as the
affected package and marking apparmor as invalid.
** Also affects: rsyslog (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor
Status: New => Invalid
Hi Dave
There's a new apparmor_4.1.0~beta5-0ubuntu5 available in plucky-proposed that
should remove the wpa_supplicant apparmor profile. We decided to disable it by
default for now in Ubuntu
I added a comment in the upstream MR for the profile fix, feel free to add more
details there if you wish
Hi Heinrich. Did you try rebooting after upgrading to 4.1.0~beta5-0ubuntu5?
The profile could still be loaded in the kernel thus enforcing restrictions
unless rebooting or manually unloading the profile.
Verification completed on noble kernel 6.8.0-56.58:
$ journalctl -b | grep systemd | grep -i apparmor
...
Feb 20 09:50:03 sec3-noble-amd64 kernel: audit: type=1400
audit(1740055803.156:9): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="busybox" pid=1 comm="systemd"
Feb 20
Hi Thomas
To allow access to these files, you can add the following rule to
/etc/apparmor.d/local/openvpn:
@{HOME}/Documents/canonical/vpn/canonical_ta.key r,
It can be done by the following command:
sudo bash -c "echo '@{HOME}/Documents/canonical/vpn/canonical_ta.key r,'
>> /etc/apparmor.d/loc
Hi Khairul.
Unfortunately the fix was not complete and there's a 4.1.0~beta5-0ubuntu5 on
the way. What you can do now is unload the profile and remove it.
# apparmor_parser --remove /etc/apparmor.d/wpa_supplicant
# rm /etc/apparmor.d/wpa_supplicant
Hi Thomas, thanks for the report
AppArmor resolves the symbolic link on mediation, so to allow mbsync to
access those files, you can add the following permission to
/etc/apparmor.d/local/mbsync
@{HOME}/dotfiles/isync/.mbsyncrc r,
It can be done by the following command:
sudo bash -c "echo '@{HO
Hi Bryce, yes I'm able to help with testing. I was able to reproduce the
issue on a virtualized jammy using my tpm device as passthrough (I had
to manually add apparmor permission to access /dev/tpm* rw, though...
another bug). And I was also able to verify that the version from
Sergio's PPA works
Verification completed on oracular linux/6.11.0-21.21
georgia@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-21-generic #21-Ubuntu SMP PREEMPT_DYNAMIC Wed
Feb 19 16:50:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-oracular-amd64:~$ journalctl -b | grep systemd | grep -i
Hi Fred,
What is the output of "realpath /usr/bin/google-chrome" in our machine?
Here I have
$ realpath /usr/bin/google-chrome
/opt/google/chrome/google-chrome
which is already covered by the rule
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx
-> sanitized_helper,
App
Hi Lukas. Yes, I was reproducing it on my host with real hardware.
Unfortunately I have since upgraded to noble, so I'm unable to test unless I
downgrade the packages (let me know if you'd like me to)
Regarding TPM, I'm not sure what to look for, but here's what I got
$ cat /sys/class/tpm/tpm0/t
Hi Fred, I'm sorry to hear that things are not working as you expect. If
you can, could you open a new bug here on launchpad or in the upstream
apparmor repo https://gitlab.com/apparmor/apparmor/-/issues containing
the details of what's not working for you? It would be very helpful if
you could inc
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
I could reproduce this issue on linux 6.12 but plucky is soon moving to
6.14 in which this is no longer reproducible.
** Changed in: apparmor (Ubuntu)
Status: In Progress => Fix Committed
Verification completed in oracular linux/6.11.0-21.21. Works as
expected.
georgia@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-21-generic #21-Ubuntu SMP PREEMPT_DYNAMIC Wed
Feb 19 16:50:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-oracular-amd64:~$ sudo lxc launch ubu
Hi The Owl, my apologies. I updated the description containing the SRU
justification with the thorough testing steps.
Here's the correct verification:
root@sec-oracular-amd64:~# lxc launch ubuntu:24.10 test -c security.nesting=true
Launching test
root@sec-oracular-amd64:~# lxc exec test bash
root