The bug was caused by a commit [1] in the Ubuntu kernel that would change the kernel features hash based on the status of the userns and io_uring restriction. When the policy cache was generated, userns restriction would be available and the hash under /etc/apparmor/earlypolicy/ would match the set of features with userns enabled, but when systemd executed at boot, the permission was disabled, causing the hash mismatch, so no policy would be loaded.
[1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=8bd4ee319a029669787588e648bce3c28adf4369

Bug: https://bugs.launchpad.net/bugs/2095370

Title: AppArmor early policy load not functioning

Status in apparmor package in Ubuntu: Confirmed

Bug description:

Profile cache files in /etc/apparmor/earlypolicy/ should be loaded by systemd during early boot to enable full system confinement. Systemd should load the cache and try to enter confinement as documented in https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd

However this is not happening on noble. The early policy is not being loaded and systemd does not appear to attempt to enter the systemd profile, which should result in the following error if the systemd profile is not part of the early cache set:

  Failed to change to AppArmor profile 'systemd'. Please ensure that one of the binary profile files in policy cache directory /etc/apparmor/earlypolicy/XXXXX contains a profile with that name.

systemd on boot does report that it has been built with apparmor support:

  [ 2.011794] systemd[1]: systemd 257-2ubuntu1 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
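A small diagnostic for the situation described above (added here as an example; it is not part of the bug report or of the apparmor/systemd projects). It checks whether a cache directory under /etc/apparmor/earlypolicy/ is named after the running kernel's current features hash, and whether PID 1 actually entered the 'systemd' profile. It assumes that `apparmor_parser --cache-loc DIR --print-cache-dir` prints `DIR/<features hash>` and that PID 1's label is readable from /proc/1/attr/apparmor/current in the form "systemd (enforce)" or "unconfined".

```shell
#!/bin/sh
# Added example (not from the bug report): diagnose the early-policy load.
# Assumptions: apparmor_parser supports --cache-loc and --print-cache-dir and
# prints <cache-loc>/<features hash>; PID 1's label is exposed through
# /proc/1/attr/apparmor/current as "systemd (enforce)" or "unconfined".

EARLYPOLICY=${EARLYPOLICY:-/etc/apparmor/earlypolicy}

# Features hash of the running kernel, i.e. the cache directory name the
# parser would use right now. Empty if the parser is missing or unsupported.
current_features_hash() {
    apparmor_parser --cache-loc "$1" --print-cache-dir 2>/dev/null | xargs -r basename
}

# Returns 0 if a cache directory named $1 exists under root $2, 1 otherwise.
cache_dir_present() {
    [ -n "$1" ] && [ -d "$2/$1" ]
}

# Profile label of PID 1 with the "(mode)" suffix stripped; "unknown" if the
# attribute is unreadable. $1 overrides the procfs path for offline testing.
pid1_label() {
    attr=${1:-/proc/1/attr/apparmor/current}
    [ -r "$attr" ] || { echo unknown; return 0; }
    sed 's/ (.*)$//' "$attr"
}

main() {
    feat=$(current_features_hash "$EARLYPOLICY")
    echo "kernel features hash : ${feat:-<none>}"
    echo "cache dirs on disk   : $(ls "$EARLYPOLICY" 2>/dev/null | tr '\n' ' ')"
    if cache_dir_present "$feat" "$EARLYPOLICY"; then
        echo "early cache          : matches the current kernel features hash"
    else
        echo "early cache          : MISMATCH, systemd will load no early policy"
    fi
    label=$(pid1_label)
    echo "PID 1 label          : $label"
    [ "$label" = systemd ]   # exit 0 only if init really entered its profile
}

# Invoke as: sh earlypolicy_check.sh check
case "${1:-}" in check) main ;; esac
```

A hash that appears in the first line but not among the directories on disk is exactly the mismatch the comment above attributes to the kernel commit.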