The fix still has to be cherry-picked to Ubuntu 24.04 https://github.com/moby/moby/issues/48257#issuecomment-2293176303
** Bug watch added: github.com/moby/moby/issues #48257
   https://github.com/moby/moby/issues/48257

--
https://bugs.launchpad.net/bugs/2077158

Title:
  /etc/apparmor.d/usr.bin.pasta is missing in Ubuntu's package

Status in apparmor package in Ubuntu:
  Invalid
Status in passt package in Ubuntu:
  New

Bug description:
  Ubuntu's apparmor package contains `/etc/apparmor.d/usr.bin.passt`, but
  accidentally lacks `/etc/apparmor.d/usr.bin.pasta`, which is needed for
  `/usr/bin/pasta` (included in the `passt` package).

  Ubuntu has to cherry-pick
  <https://salsa.debian.org/sbrivio/passt/-/commit/4a77ef55c34c579d4845aa2dfd003abf2195ea9b>.

  ref: Comment from Stefano Brivio (sbrivio-rh)
  <https://github.com/moby/moby/issues/48257#issuecomment-2293176303>

  > ### About the AppArmor issue
  >
  > I finally had the chance to check this on Ubuntu 23.10, 24.04, a current
  > snapshot of the upcoming 24.10, a current openSUSE Tumbleweed version, and
  > a current Debian unstable (sid) installation.
  >
  > The issue occurs on Ubuntu 23.10 (`passt-0.0~git20230627.289301b-1`) and
  > 24.04 (`passt-0.0~git20240220.1e6f92b-1`) only (not on 24.10, not on
  > openSUSE, not on Debian) because, together with the change outlined in
  > [Ubuntu's SE045 specification](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626)
  > and AppArmor's [wiki](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction),
  > a Debian package [commit](https://salsa.debian.org/sbrivio/passt/-/commit/4a77ef55c34c579d4845aa2dfd003abf2195ea9b)
  > is also missing from those versions.
  >
  > That commit actually includes the AppArmor profile for `pasta(1)` in the
  > package. The AppArmor ABI of the profile is `3.0`, so it doesn't contain
  > an explicit `allow userns create`, but the mere fact that there's a
  > profile with ABI 3.0 allows pasta to create its sandboxing user namespace.
  >
  > Quoting from Ubuntu's SE045 specification, one step for that change
  > should have been:
  >
  > > identify all packages within the Ubuntu archive that make use of
  > > unprivileged user namespaces
  >
  > but this was somehow missed, I guess (I'm the maintainer of the Debian
  > package, but I didn't get any notification).
  >
  > Now, while Ubuntu 24.10 and openSUSE Tumbleweed ship AppArmor packages
  > with support for the `4.0` ABI, Debian unstable still ships 3.1.17, so,
  > to keep things simple and still ship a single AppArmor profile (developed
  > upstream), I won't update the profile to ABI 4.0 yet. Updating the
  > profile wouldn't solve the issue anyway.
  >
  > So, how do we solve this? We would need to backport that Debian commit
  > to Ubuntu 24.04 (and possibly 23.10), but I can't seem to register a
  > Launchpad account to even start the
  > [process](https://wiki.ubuntu.com/UbuntuBackports#Procedure) (wrong
  > email address? :smile: ). If somebody could do that, or at least
  > **file an Ubuntu issue**, that would be great. Thanks.
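As an added example (not part of the bug report or the passt package), the script below encodes the rule the comment describes: an unconfined binary is governed by `kernel.apparmor_restrict_unprivileged_userns`, while a binary with a profile pinned to ABI 3.x is not subject to userns mediation at all. The ABI 4.x branch (allowed only with an explicit `userns,` rule) and the sample profile texts are assumptions for illustration, not the contents of the real `usr.bin.pasta`.

```shell
#!/bin/sh
# Added example: predict whether a program can create a user namespace, from
# its AppArmor profile file (if any) and the restrict_unprivileged_userns sysctl.
# Modelled rules (ABI 4.x handling is an assumption, not stated in the bug):
#   no profile file          -> sysctl decides (1 = restricted)
#   profile declares abi 3.x -> userns is not mediated, creation allowed
#   profile declares abi 4.x -> allowed only with an explicit "userns," rule

# profile_abi FILE -> prints the declared abi version, or "none"
profile_abi() {
    sed -n 's/^[[:space:]]*abi[[:space:]]*<abi\/\([0-9.]*\)>,.*/\1/p' "$1" \
        | head -n1 | grep . || echo none
}

# has_userns_rule FILE -> exit 0 if an explicit "userns," rule is present
has_userns_rule() {
    grep -Eq '^[[:space:]]*userns(,|[[:space:]])' "$1"
}

# userns_verdict FILE SYSCTL_VALUE -> prints "allowed", "denied" or "unknown"
userns_verdict() {
    file=$1; restrict=$2
    if [ ! -f "$file" ]; then
        [ "$restrict" = 1 ] && echo denied || echo allowed
        return 0
    fi
    case "$(profile_abi "$file")" in
        3.*) echo allowed ;;
        4.*) has_userns_rule "$file" && echo allowed || echo denied ;;
        *)   echo unknown ;;
    esac
}

# Constructed sample profiles (hypothetical; not the packaged usr.bin.pasta).
tmp=$(mktemp -d)
printf 'abi <abi/3.0>,\nprofile pasta /usr/bin/pasta {\n}\n' > "$tmp/pasta.abi3"
printf 'abi <abi/4.0>,\nprofile pasta /usr/bin/pasta {\n}\n' > "$tmp/pasta.abi4"
printf 'abi <abi/4.0>,\nprofile pasta /usr/bin/pasta {\n  userns,\n}\n' \
    > "$tmp/pasta.abi4.userns"

# Walk the cases with the sysctl set to 1, as on Ubuntu 24.04 by default.
for p in pasta.abi3 pasta.abi4 pasta.abi4.userns missing; do
    echo "$p: $(userns_verdict "$tmp/$p" 1)"
done
```

On a live host the same check is `userns_verdict /etc/apparmor.d/usr.bin.pasta "$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)"`, which reports `denied` when the profile file is absent and the restriction is on.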