This looks to be caused by incus using change_profile to change confinement. AppArmor is allowing this but only to a point creating a stack of the incus policy and unconfined. We will need to investigate the specifics of exactly what is going on here. But in the mean time you should be able to work around this by disabling the apparmor_unconfined_restriction. Using
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0 you can read more about it at https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2109394 Title: AppArmor breaks Incus containers Status in apparmor package in Ubuntu: Confirmed Bug description: With Ubuntu 25.04, launching an Incus container and issuing "apt update" inside it just...stalls. It never proceeds. There's a lot of complaints about ptract and signal being denied by AppArmor and, indeed, adding 'raw.apparmor="signal,"' to the container's configuration allows "apt update" to work normally again. Tested both with a fresh install of 25.04 and with an upgrade from 24.04 to 24.10 and then to 25.04, the result is the same. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2109394/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
