[Touch-packages] [Bug 2110616] Re: apparmor unprivileged_userns profile missing access to /

Tue, 02 Sep 2025 21:37:03 -0700 

$ apt policy apparmor
apparmor:
  Installed: 4.1.0~beta5-0ubuntu14.1
  Candidate: 4.1.0~beta5-0ubuntu14.1
  Version table:
 *** 4.1.0~beta5-0ubuntu14.1 100
        100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.0~beta5-0ubuntu14 500
        500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ sysctl kernel.apparmor_restrict_unprivileged_unconfined
kernel.apparmor_restrict_unprivileged_unconfined = 1

`sudo aa-status` includes unprivileged_userns as a loaded profile

$ unshare -U ls /
bin   cdrom  etc   lib    lost+found  mnt  proc  run   snap  swap.img  tmp  var
boot  dev    home  lib64  media       opt  root  sbin  srv   sys       usr

Test plan verification considered successful

** Tags removed: verification-needed verification-needed-plucky
** Tags added: verification-done verification-done-plucky

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2110616

Title:
  apparmor unprivileged_userns profile missing access to /

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Plucky:
  Fix Committed
Status in apparmor source package in Questing:
  Fix Released

Bug description:
  [ Impact ]

  The unprivileged_userns profile did not grant access to the root
  directory, which was an oversight in a profile that is intended to
  allow almost all accesses except for capabilities usage. This would
  e.g. break listing of the root directory contents from a user
  namespace.

  [ Test Plan ]

  After installation of the new AppArmor version:
   * Ensure that the sysctl kernel.apparmor_restrict_unprivileged_unconfined is 
set to 1
   * Run `sudo aa-status` and verify that an unprivileged_userns profile is 
loaded
   * Run unshare -U ls / and verify that it lists the directory successfully 
without creating an AppArmor denial log

  [ Where problems could occur ]

  Changing the rule to allow access to the root directory is loosening
  confinement on the profile. However, if a user manually modified the
  installed profiles, then the package upgrade would cause conflicts,
  and rejection of the incoming changes (either by hand during an
  interactive upgrade or automatically during an batch unattended
  upgrade) would result in end users not getting this fix.

  [ Other Info ]

  This bug was originally reported at
  https://gitlab.com/apparmor/apparmor/-/issues/505.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110616/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to