We have another problem which disappears when I revert dc757a645cfa82f6ac252365df20a36a9ff82760 ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()") commit.
Now it is not connected with unconfined profiles at all; it involves Ubuntu Noble (host) + LXD (any version) + Ubuntu 12.04 container. And that container fails to get an IPv4 address using the dhcp client, with the following error:

    dhclient3 eth0
    RTNETLINK answers: Operation not permitted
    RTNETLINK answers: Operation not permitted

On the host side we can see the following AppArmor denial:

    Sep 05 12:01:09 kernel: audit: type=1400 audit(1725534069.603:228): apparmor="DENIED" operation="capable" class="cap" namespace="root//lxd-c1_<var-lib-lxd>" profile="/sbin/dhclient" pid=28122 comm="ip" capability=12 capname="net_admin"

Precisely the same user space works well with upstream kernels 6.8.12 and 6.11.0-rc7. But it fails on the 6.8.12-based Ubuntu Noble kernel.

Reverting dc757a645cfa82f6ac252365df20a36a9ff82760 makes things work again.

The reproducer is as simple as:

    lxc launch ubuntu:12.04 myct

and then checking whether myct gets an IPv4 address (it won't).

External link: https://discourse.ubuntu.com/t/containers-with-ubuntu-12-04-5-lts-are-not-getting-ipv4s-anymore

--
https://bugs.launchpad.net/bugs/2067900

Title:
  apparmor unconfined profile blocks pivot_root
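Added example, not part of the original bug comment: a Python triage helper that picks capability denials like the one quoted above out of a kernel log and groups them by policy namespace, profile and capability. The function names are hypothetical, the second and third log lines are constructed for contrast, and the filter assumes container denials carry a namespace= field as in the quoted line.

```python
import re
from collections import Counter

# Sample input: the first line is the denial quoted in the report; the other
# two are constructed lines that must NOT be reported.
SAMPLE_LOG = '''\
Sep 05 12:01:09 kernel: audit: type=1400 audit(1725534069.603:228): apparmor="DENIED" operation="capable" class="cap" namespace="root//lxd-c1_<var-lib-lxd>" profile="/sbin/dhclient" pid=28122 comm="ip" capability=12 capname="net_admin"
Sep 05 12:01:10 kernel: audit: type=1400 audit(1725534070.101:229): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/example" name="/etc/hosts" pid=300 comm="example"
Sep 05 12:01:11 kernel: usb 1-1: new high-speed USB device number 2
'''

# key=value pairs; a value is either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: (quoted or bare) for key, quoted, bare in _FIELD.findall(line)}


def container_cap_denials(log_text):
    """Capability denials raised against a profile inside a policy namespace."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "capable"
                and "namespace" in rec):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count denials per (namespace, profile, capability name)."""
    return Counter(
        (h["namespace"], h.get("profile"), h.get("capname", h.get("capability")))
        for h in hits
    )


if __name__ == "__main__":
    for (ns, profile, cap), n in summarize(container_cap_denials(SAMPLE_LOG)).items():
        print(f"{n}x {cap} denied: profile={profile} namespace={ns}")
```

Running the same helper over logs from a kernel with the commit reverted and from the affected kernel shows whether the net_admin denial for /sbin/dhclient is the only difference.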