Public bug reported:

Ubuntu's apparmor package contains `/etc/apparmor.d/usr.bin.passt`, but accidentally lacks `/etc/apparmor.d/usr.bin.pasta` which is needed for `/usr/bin/pasta` (included in `passt` package).

Ubuntu has to cherry-pick <https://salsa.debian.org/sbrivio/passt/-/commit/4a77ef55c34c579d4845aa2dfd003abf2195ea9b>.

ref: Comment from Stefano Brivio (sbrivio-rh) <https://github.com/moby/moby/issues/48257#issuecomment-2293176303>

> ### About the AppArmor issue
>
> I finally had the chance to check this on Ubuntu 23.10, 24.04, a current snapshot of the upcoming 24.10, a current openSUSE Tumbleweed version, and a current Debian unstable (sid) installation.
>
> The issue occurs on Ubuntu 23.10 (`passt-0.0~git20230627.289301b-1`) and 24.04 (`passt-0.0~git20240220.1e6f92b-1`) only (not on 24.10, not on openSUSE, not on Debian) because, together with the change outlined in [Ubuntu's SE045 specification](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626) and AppArmor's [wiki](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction), a Debian package [commit](https://salsa.debian.org/sbrivio/passt/-/commit/4a77ef55c34c579d4845aa2dfd003abf2195ea9b) is also missing from those versions.
>
> That commit actually includes the AppArmor profile for `pasta(1)` in the package. The AppArmor ABI of the profile is `3.0`, so it doesn't contain an explicit `allow userns create`, but the mere fact that there's a profile with ABI 3.0 allows pasta to create its sandboxing user namespace.
>
> Quoting from Ubuntu's SE045 specification, one step for that change should have been:
>
> > identify all packages within the Ubuntu archive that make use of unprivileged user namespaces
>
> but this was somehow missed, I guess (I'm the maintainer of the Debian package, but I didn't get any notification).
>
> Now, while Ubuntu 24.10 and openSUSE Tumbleweed ship AppArmor packages with support for the `4.0` ABI, Debian unstable still ships 3.1.17, so, to keep things simple and still ship a single AppArmor profile (developed upstream), I won't update the profile to ABI 4.0 yet. Updating the profile wouldn't solve the issue anyway.
>
> So, how do we solve this? We would need to backport that Debian commit to Ubuntu 24.04 (and possibly 23.10), but I can't seem to register a Launchpad account to even start the [process](https://wiki.ubuntu.com/UbuntuBackports#Procedure) (wrong email address? :smile: ). If somebody could do that, or at least **file an Ubuntu issue**, that would be great. Thanks.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2077158

Title:
  /etc/apparmor.d/usr.bin.pasta is missing in Ubuntu's apparmor package

Status in apparmor package in Ubuntu:
  New
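An added diagnostic for the situation the quoted comment describes; it is not code from the bug report, the passt package or Ubuntu's apparmor package. It reads an AppArmor profile file, reports its declared ABI and classifies whether a program confined by it may create a user namespace; the sysctl path and the ABI 4.0 `userns,` rule syntax are assumptions taken from the AppArmor userns restriction linked in the report.

```shell
#!/bin/sh
# Added diagnostic; not part of the bug report or of any package. Reads an
# AppArmor profile file and says whether the confined program may create a
# user namespace under Ubuntu's unprivileged-userns restriction (sysctl name
# assumed from the Ubuntu spec linked in the report).

# Print the ABI declared by a profile file ("3.0", "4.0", ...) or "none".
profile_abi() {
    sed -n 's/^[[:space:]]*abi[[:space:]]*<abi\/\([0-9.]*\)>,.*/\1/p' "$1" |
        head -n 1 | grep . || echo none
}

# True when the profile carries an explicit "userns," rule (ABI 4.0 syntax).
profile_has_userns_rule() {
    grep -Eq '^[[:space:]]*userns[[:space:]]*,' "$1"
}

# implicit: ABI 3.x profile; that ABI predates userns mediation, so the
#           confined program keeps the ability to create user namespaces
#           (this is what the missing usr.bin.pasta profile would grant).
# explicit: ABI 4.x profile that allows it with a userns rule.
# denied:   ABI 4.x profile without such a rule.
userns_verdict() {
    case "$(profile_abi "$1")" in
        3.*) echo implicit ;;
        4.*) if profile_has_userns_rule "$1"; then echo explicit; else echo denied; fi ;;
        *)   echo unknown ;;
    esac
}

# Is the host enforcing the restriction? (false on kernels without the knob)
host_restricts_userns() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Summarise the situation for pasta (or any profile path given as $1).
check_pasta() {
    profile=${1:-/etc/apparmor.d/usr.bin.pasta}
    if ! host_restricts_userns; then
        echo "host does not restrict unprivileged user namespaces"; return 0
    fi
    if [ ! -f "$profile" ]; then
        echo "MISSING: $profile; an unconfined pasta cannot create its sandbox userns"
        return 1
    fi
    echo "$profile: abi $(profile_abi "$profile"), userns $(userns_verdict "$profile")"
}
if [ "${1:-}" = check ]; then check_pasta "${2:-}"; fi
```

Run it as `sh pasta-userns-check.sh check` on an affected host; the exit status is non-zero when the profile is absent while the restriction is active.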