I have implemented a patch for this issue, but before submitting it, I
want to understand its origin to determine if other edge cases need to
be addressed.
Do you know which profile created this issue?
Perhaps running `sudo grep -r "runbindable*/*" /etc/apparmor.d` could help
identify the source of
So, the error was related to passt, not apparmor. This is because it
uses an incorrect rule in abstractions/passt.
By design, rules containing some options, such as runbindable, cannot
include a source.
I just sent the following patch for passt that should solve your issue
https://archives.passt.
@Christian Thank you for pointing this out. After investigation, I found
that this bug stems from the following restriction not being implemented
consistently in aa-* and apparmor_parser.
> $ man 2 mount
>
> If mountflags includes one of MS_SHARED, MS_PRIVATE, MS_SLAVE, or
> MS_UNBINDABLE [..
** Changed in: apparmor (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065685
Title:
aa-logprof fails with 'runbindable' error
To manage notifications a
This bug is fixed by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1345
** Changed in: apparmor
Assignee: (unassigned) => Maxime Bélair (mbelair)
Verification completed on noble kernel 6.8.0-56.58:
$ lxc launch ubuntu:24.04 test -c security.nesting=true
Launching test
$ lxc exec test bash
root@test:~# uname -a
Linux test 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28
UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
root@
** Tags removed: verification-needed-noble-linux
** Tags added: verification-done-noble-linux
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067900
Title:
apparmor unconfined profile blocks pivot_ro
Public bug reported:
On Ubuntu Plucky, apparmor utils tools such as aa-notify, aa-logprof,
aa-cleanprof cannot parse fusermount3 profile.
$ aa-notify -p
skipping unparseable profile /etc/apparmor.d/fusermount3 (Can't parse
mount rule mount fstype=fuse options=(nosuid,nodev,rw) revokefs-fuse ->
/
dback.
```
#--
#Copyright (C) 2025 Canonical Ltd.
#
#Author: Maxime Bélair
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of version 2 of the GNU General Public
#License published by the Free Software Found
```
Indeed, a profile for linux-boot-prober is also needed. Find it below.
Again, if you face any issue with these two profiles don't hesitate to
give feedback.
```
#--
# Copyright (C) 2025 Canonical Ltd.
#
# Author: Maxime B
```
The sanitized_helper profile is designed to be as generic as possible to
make it work with most binaries when a more restrictive profile is
unavailable.
As you pointed out, this approach raises several concerns:
- The security level of this profile is only slightly above unconfined, which
can u
This issue is fixed by 1f33fc9b29c174698fdf0116a4a9f50680ec4fdb, however
it is not included in the 4.0 branch used by noble. Oracular and Plucky
are not affected by this bug.
To fix that locally, you can either:
- Replace `mount "" -> "/tmp/",` with `mount -> "/tmp/",` (and similarly for
other em
Thank you for reporting this bug.
Indeed, we must give access to `/sys/devices/LNXSYSTM:*/LNXSYBUS:*/**`
to lsblk.
This should be fixed upstream by
https://gitlab.com/apparmor/apparmor/-/merge_requests/1584
Verification completed on oracular kernel linux-intel/6.11.0-1008.8
# lxc launch ubuntu:24.10 test -c security.nesting=true
Launching test
# lxc exec test bash
Linux test 6.11.0-1008-intel #8 SMP PREEMPT_DYNAMIC Wed Mar 19 16:31:19 CET
2025 x86_64 x86_64 x86_64 GNU/Linux
root@test:~# apt update;
Verified that the patch was applied to branch
linux-nvidia-tegra/6.8.0-1004.4
** Tags removed: verification-needed-noble-linux-nvidia-tegra
** Tags added: verification-done-noble-linux-nvidia-tegra