An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble.
It can be installed via sudo apt install apparmor-notify. Basic instructions are available via man aa-notify. It will install a default configuration in "/etc/apparmor/notify.conf". The default configuration can be modified on a per-user basis by copying it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally "$HOME/.config/apparmor/notify.conf", or to "$HOME/.apparmor/notify.conf". A custom configuration is not needed unless you want to use filtering to make it less noisy. Currently regular notifications will happen for all apparmor events, but they can be filtered using the config file.

The notifier can be started via the shell with aa-notify -p -s1 --prompt-filter=userns or by adding it to startup applications. There is a bug with the user namespace notification where it currently requires "--prompt-filter=userns" as part of the command arguments instead of being set in the config file.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2063976

Title:
  Apparmor breaking nsjail in AOSP

Status in apparmor package in Ubuntu:
  New

Bug description:
  Build sandboxing in AOSP is broken after updating to 24.04 with the following denials:

  [ 182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
  [ 182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6 capname="setgid"
  [ 182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"

  This seems to come from the following change earlier this year:
  https://gitlab.com/apparmor/apparmor/-/commit/789cda2f089b3cd3c8c4ca387f023a36f7f1738a

-- 
Mailing list: https://launchpad.net/~touch-packages
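The audit lines in the bug description show the pattern aa-notify's userns filter is meant to surface: an AUDIT record for the transition into the unprivileged_userns profile, followed by DENIED records under that profile for the same process. The following added example (not part of the bug report, aa-notify, or the AppArmor project) parses AppArmor audit records into key/value fields and correlates the denials with the userns transition that caused them; the sample log is constructed from the three lines quoted above.

```python
import re

# Constructed sample: the three kernel audit lines quoted in the bug report.
SAMPLE_LOG = """\
[  182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
[  182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6 capname="setgid"
[  182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"
"""

# key=value pairs; values are either a double-quoted string (may contain
# spaces, e.g. info="..." and flags="rw, rprivate") or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return one AppArmor audit record as a dict, or None if it is not one."""
    m = re.search(r'audit\((\d+\.\d+):(\d+)\):\s*(.*)$', line)
    if not m:
        return None
    fields = {"timestamp": m.group(1), "serial": m.group(2)}
    for key, val in FIELD_RE.findall(m.group(3)):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def userns_denials(records):
    """DENIED records whose profile is one that an unprivileged userns_create
    transitioned into (the target= of an AUDIT userns_create record)."""
    targets = {r["target"] for r in records
               if r.get("operation") == "userns_create" and "target" in r}
    return [r for r in records
            if r.get("apparmor") == "DENIED" and r.get("profile") in targets]


def summarize(records):
    """One human-readable line per userns-related denial, as a notifier would show."""
    out = []
    for r in userns_denials(records):
        what = r.get("capname") or r.get("name") or ""
        out.append(f'{r["comm"]}[{r["pid"]}] {r["operation"]} {what} '
                   f'denied under {r["profile"]}')
    return out
```

Feeding the real audit stream (for example, from dmesg or journalctl -k) through parse_log gives the same records; the correlation step is what separates the userns transition noise from denials that actually stop the sandbox from working.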