This bug was fixed in the package apparmor - 4.1.0~beta5-0ubuntu13

---------------
apparmor (4.1.0~beta5-0ubuntu13) plucky; urgency=medium

  * Rename and edit patch to fix lsblk denials on networked file systems
    (LP: #2092232):
    - d/p/u/lsblk_hyper_v_fixup.patch ->
      d/p/u/lsblk_network_disk_fixup.patch
  * Add patch to fix kernel feature search with substrings (LP: #2105986):
    - d/p/u/libapparmor-feature-match-prefixes.patch
    - d/p/u/libapparmor-bump-patch-version-for-features-prefix.patch
  * Add patch to align aa-notify userns_special_profiles default to config
    default (LP: #2106174):
    - d/p/u/utils-add-unprivileged_userns-to-aa-notify-list.patch
  * Add patches for aa-notify default config to avoid suggesting
    capabilities addition for unprivileged_userns profile (LP: #2106177):
    - d/p/u/aa-notify-dont-merge-configs-with-confdir.patch
    - d/p/u/aa-notify-userns-filtering.patch

 -- Ryan Lee <ryan....@canonical.com>  Wed, 02 Apr 2025 11:01:53 -0700

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2106177

Title:
  aa-notify's default configuration breaks the userns restriction by
  suggesting capabilities addition to unprivileged_userns

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  The default configuration of aa-notify does not have any filtering on
  the notifications that it pops up, resulting in notifications that
  suggest adding capabilities to unprivileged_userns, circumventing and
  breaking the AppArmor userns restrictions. Since Plucky is very close
  to release, we will unfortunately have to go for a less invasive
  bugfix patch by adding filtering to the default config that filters
  out such notifications. However, this has lingering issues in that
  user configs that override the system config may result in such
  notifications appearing again. In the longer run, we will want to
  update aa-notify to fix this instead of depending on certain config
  values to be set.
