peer=unconfined in most cases is not meant to be any. It is just that the policy could not distinguish between the different unconfined processes.
Confined processes were still being blocked by the peer=unconfined rule.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2077413

Title:
  apparmor unconfined profile blocks signal sending

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Dear friends, if I'm not missing anything it looks like we have one more bug with unconfined AppArmor profiles.

  Reproducer description.
  ====================

  1. Create 4 files with the following content:

  # cat apparmor_signal_test_wrap.sh
  #!/bin/sh
  cat /proc/self/attr/apparmor/current
  ./apparmor_signal_test.sh
  kill -9 $(cat test.pid)

  # cat apparmor_signal_test.sh
  #!/bin/sh
  cat /proc/self/attr/apparmor/current
  sleep 1000 &
  echo $! > test.pid

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap
  #include <tunables/global>

  "/home/ubuntu/apparmor_signal_test_wrap.sh" flags=(unconfined) {
    #include <abstractions/base>
    capability,
    dbus,
    file,
    network,
  }

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  #include <tunables/global>

  "/home/ubuntu/apparmor_signal_test.sh" {
    #include <abstractions/base>
    capability,
    dbus,
    file,
    network,
  }

  2. Load AppArmor profiles:

  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap

  3. Run the program:

  # ./apparmor_signal_test_wrap.sh
  /home/ubuntu/apparmor_signal_test_wrap.sh (unconfined)
  /home/ubuntu/apparmor_signal_test.sh (enforce)
  ./apparmor_signal_test_wrap.sh: 7: kill: Permission denied

  4. Check dmesg:

  [ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"

  Expected behavior: ./apparmor_signal_test_wrap.sh should exit without any errors.
  ====================

  This bug affects LXD when we enable a new unconfined mode (in lxd-support snapd interface).

  Originally, this problem was reported as a comment in another LP bug for AppArmor:
  https://bugs.launchpad.net/apparmor/+bug/2067900/comments/2
  but it looks like the problem is deeper in this case.

  We had to revert:
  https://github.com/canonical/lxd-pkg-snap/pull/489
  because of this and a few other issues.

  System info:

  # cat /etc/os-release
  PRETTY_NAME="Ubuntu 24.04 LTS"
  NAME="Ubuntu"
  VERSION_ID="24.04"
  VERSION="24.04 LTS (Noble Numbat)"

  # uname -a
  Linux ubuntu 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # apt info apparmor
  Package: apparmor
  Version: 4.0.1really4.0.0-beta3-0ubuntu0.1

  # apparmor_parser -V
  AppArmor parser version 4.0.0~beta3
  Copyright (C) 1999-2008 Novell Inc.
  Copyright 2009-2018 Canonical Ltd.
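To triage denials like the dmesg line in step 4, here is an added example (not part of the bug report and not AppArmor's own tooling) that parses an AppArmor audit record into its fields and, for a signal denial, derives the per-profile rule that would permit exactly that signal from that peer; the sample line is the report's own record, embedded as a constant.

```python
import re

# Constructed sample: the audit line from step 4 of the report, kept verbatim.
SAMPLE_DENIAL = (
    '[ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" '
    'operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" '
    'pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" '
    'signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"'
)

# key=value pairs; a value is either a double-quoted string or a bare token.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_audit(line):
    """Split an AppArmor audit record into a dict of its key=value fields.
    Returns None for lines that are not AppArmor records."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw in _FIELD.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def suggest_signal_rule(fields):
    """For a DENIED signal record, return the profile that needs a rule and the
    rule text that would permit exactly this signal from this peer.
    Returns None for anything that is not a signal denial."""
    if not fields or fields.get('apparmor') != 'DENIED' or fields.get('class') != 'signal':
        return None
    direction = fields['denied_mask']      # "receive" or "send"
    # The report shows the trap: the wrapper runs under a profile with
    # flags=(unconfined), yet the kernel reports its profile path as the peer
    # label, not "unconfined". The first comment above notes that a
    # peer=unconfined rule still left confined processes blocked, so the rule
    # names the peer label exactly as the audit record shows it.
    rule = 'signal (%s) set=(%s) peer=%s,' % (
        direction, fields.get('signal', ''), fields.get('peer', ''))
    return {'profile': fields['profile'], 'rule': rule}


if __name__ == '__main__':
    hit = suggest_signal_rule(parse_apparmor_audit(SAMPLE_DENIAL))
    print('add to profile %s:\n  %s' % (hit['profile'], hit['rule']))
```

On the report's line this yields `signal (receive) set=(kill) peer=/home/ubuntu/apparmor_signal_test_wrap.sh,` for the confined profile, which is the narrow allowance an operator could add to keep a specific wrapper working while the unconfined-peer handling itself is unresolved.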