Public bug reported:

The default configuration of aa-notify does not have any filtering on the notifications that it pops up, resulting in notifications that suggest adding capabilities to unprivileged_userns, circumventing and breaking the AppArmor userns restrictions.

Since Plucky is very close to release, we will unfortunately have to go for a less invasive bugfix patch by adding filtering to the default config that filters out such notifications. However, this has lingering issues in that user configs that override the system config may result in such notifications appearing again. In the longer run, we will want to update aa-notify to fix this instead of depending on certain config values to be set.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2106177

Title:
  aa-notify's default configuration breaks the userns restriction by suggesting capabilities addition to unprivileged_userns

Status in apparmor package in Ubuntu:
  New