This breakage is due to the latest AppArmor packaging enabling an unshare-userns-restrict profile by default. In most cases, this allows more usage of unshare than before (while limiting the attack surface exposed by capabilities in unprivileged user namespaces), but sbuild is one of the cases where the new profile imposes more restrictions instead of loosening them. We are working on an updated sbuild profile to fix this.
** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2098906

Title:
  apparmor breaks sbuild with unshare on plucky

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  After today's apparmor updates and restarting my computer, I can no
  longer use sbuild's unshare backend. This breaks the (newly)
  recommended way to build .deb packages locally from Ubuntu 25.04.
  (See https://lists.ubuntu.com/archives/ubuntu-devel/2024-December/043193.html )

  Journal excerpt
  ======
  Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="AUDIT" operation="exec" class="file" info="ix fallback" profile="unshare" name="/usr/bin/newuidmap" pid=10846 comm="unshare" requested_mask="x" fsuid=1000 ouid=0 target="unpriv_unshare//&unshare"
  Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="DENIED" operation="capable" class="cap" profile="unpriv_unshare" comm="newuidmap" capability=1 capname="dac_override"

  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: apparmor 4.1.0~beta5-0ubuntu2
  ProcVersionSignature: Ubuntu 6.12.0-15.15-generic 6.12.11
  Uname: Linux 6.12.0-15-generic x86_64
  ApportVersion: 2.31.0-0ubuntu5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Feb 19 17:25:41 2025
  InstallationDate: Installed on 2024-04-12 (313 days ago)
  InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Beta amd64 (20240410.2)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-6.12.0-15-generic root=UUID=7a431ed1-30e4-4377-bb6e-1f81480f31ba ro quiet splash crashkernel=2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M vt.handoff=7
  SourcePackage: apparmor
  UpgradeStatus: Upgraded to plucky on 2024-12-18 (63 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2098906/+subscriptions
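To confirm that a failing sbuild run is hitting this profile rather than something else, here is an added example (not from the bug report or the apparmor package) that parses the kernel's AppArmor audit records from the journal and extracts the DENIED capability events under the unprivileged-userns profile. The sample input is the two records quoted in the report, embedded as a constructed string.

```python
import shlex

# Constructed sample input: the two audit records quoted in the bug report.
SAMPLE_JOURNAL = """\
Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="AUDIT" operation="exec" class="file" info="ix fallback" profile="unshare" name="/usr/bin/newuidmap" pid=10846 comm="unshare" requested_mask="x" fsuid=1000 ouid=0 target="unpriv_unshare//&unshare"
Feb 19 17:24:29 kernel: audit: type=1400 audit: apparmor="DENIED" operation="capable" class="cap" profile="unpriv_unshare" comm="newuidmap" capability=1 capname="dac_override"
"""


def parse_apparmor_record(line):
    """Return the key=value fields of one AppArmor (type=1400) audit line, or None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    # The key=value payload follows the last "audit:" marker on the line.
    payload = line.split("audit:")[-1]
    fields = {}
    # shlex keeps quoted values with spaces (e.g. info="ix fallback") intact.
    for token in shlex.split(payload):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def userns_capability_denials(journal_text):
    """List DENIED 'capable' events raised under an unpriv_* (user namespace) profile.

    A hit with comm="newuidmap" and capability "dac_override" is the pattern
    shown in this bug report.
    """
    hits = []
    for line in journal_text.splitlines():
        rec = parse_apparmor_record(line)
        if not rec:
            continue
        if (rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "capable"
                and rec.get("profile", "").startswith("unpriv_")):
            hits.append({
                "profile": rec["profile"],
                "comm": rec.get("comm"),
                "capability": rec.get("capname"),
            })
    return hits


if __name__ == "__main__":
    # On a live system, feed `journalctl -k` output instead of the sample.
    for hit in userns_capability_denials(SAMPLE_JOURNAL):
        print(hit)
```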