It seems like you've encountered a technical issue with aptd crashing
due to a UnicodeDecodeError. Technical glitches like these can be
frustrating, but it's great that you're reaching out for assistance.
As for your Ubuntu version and package details, it's always helpful to
provide such
Yes for the appimages that are affected they should be reported
upstream. There are some things that upstream can do to make appimages
work under the restriction, ideally they would do it dynamically based
on whether the user namespace is available rather than just based on distro
which is the quick fix
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Maxime Bélair (mbelair)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065685
Title:
aa-logprof fails with 'runbindable' error
To
The AppArmor profile covers the packaged version and the standard
privileged install location. You are correct that it does not cover
running firefox from an unprivileged user writable location like $HOME.
For unprivileged user writable locations like $HOME/bin/ the user has to
deliberately make
Public bug reported:
The sound fades off after initially playing for about 2s. In Firefox, sometimes
if I pause a Youtube video, switch between applications, and then return to
Firefox, the same thing repeats. The sound plays for 2s and then stops. In
Rhythmbox, after it stops, the sound
APNG is already supported in all major browsers (except for Edge/IE,
naturally).
I would vote having Plasma supporting it (not just khtml), since it
would allow, for example, users to set simple animated wallpapers
(i know... system resources... but it's not for the faint of heart,
anyway ;)
--
@jorge-lavila:
technically possible yes. I want to be careful with what I promise here,
as the user experience is not my area. With that said we are currently
looking at using aa-notify as a bridge to improve the user experience.
We would install it with a filter to only fire a notification for
@zgraft:
I have added a tor item, a profile will land in an update.
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many
@jorge-lavila,
It's not a theoretical case, they have been used by multiple exploits
every year (including this one) since landing in the kernel. Ubuntu is
not the only ones looking at restricting them. SELinux has also picked
up the ability but they haven't really rolled it out in policy, there
Your understanding is mostly correct. There are as best I can tell, 2
exceptions with how things are set up atm
1. If the environment is set up to use early policy load, the init script
bailout won't stop that policy from being loaded. But it prevents it
from being live updated via systemctl reload
sadly yes, the init script has a bail out that stops loading policy on
the live cd. We are going to have to investigate this.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
s/live cd/live image/
--
https://bugs.launchpad.net/bugs/2065088
Title:
AppArmor profiles allowing userns not immediately active in 24.04 live
image
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
@1fallen: it looks like there is something more going on here, can you
check your kernel log / dmesg for apparmor DENIED messages.
eg.
```
sudo dmesg | grep DENIED
```
--
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
As for upgrade vs. clean install. The unprivileged userns restriction is
enabled via a sysctl and upgrading will not enable it by default.
--
Paride,
I've updated the packages at
https://launchpad.net/~john-cabaj/+archive/ubuntu/asrdfd to include all
versions in the changes file for the new package. Let me know if anything
else is amiss.
Thanks,
John
--
Unfortunately there isn't a way to do this via abstractions or configs.
It would be possible to add a patch to the userspace and SRU it. This
would be the quickest solution while we work on the necessary kernel
changes to make the use of attach_disconnected unnecessary.
--
Does the profile have the attach_disconnected flag set?
Does the profile have the attach_disconnected flag set while in complain
mode?
It looks to me that we are looking at open file descriptors that exist
out of the current namespace. This will result in a partial unattached
path that will not
So while I don't think we are where snapd can get rid of the
snap-confine.internal snippets, with it now vendoring a more recent apparmor,
a lot of these can drop away. It doesn't need to detect capabilities
anymore.
It can just specify
deny capability perfmon,
and it will work, for all
@neigin: yes the capability to resolve this exists. So now it is a matter of
getting it functioning in snapd for these cases. This will get resolved I just
can't say when it will land.
--
@u-dal:
thank you, though I have to say I am at a loss as to why the snap version
of thunderbird is trying to access
```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```
what kind of configuration have you done? I
So my supposition on the overlay looks to be incorrect. Would you be
willing to attach your full mount information?
--
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace
@u-dal:
can you attach the overlay mount information.
--
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap on live systems "already running" but not responsive
Public bug reported:
Moving this here from
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
snap policy on an overlay system is preventing thunderbird from running.
This is related to the snapcraft forum report
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt
--
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt
--
@u-dal:
the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials
```
sudo dmesg | grep DENIED
```
--
@u-dal:
are you running in a live cd environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d
--
Hi Paride, thanks for having a look. I don't expect Bionic/Focal/Jammy
to need backports for compatibility reasons, mostly because the latest
changes were to enable compatibility with the 6.8 kernel. Only Jammy
will need some form of compatibility with the 6.8 kernel as that will be
the last HWE
Virtualbox in focal and jammy (20.04 and 22.04) has migrated to
6.1.50-dfsg-1~ubuntu1.20.04.1
reminder that virtualbox is a multiverse package, meaning it relies on
community support at this time. Since we are on 6.1.x in 22.04 and
20.04, users can expect bugfixes and security fixes from the
@u-dal:
This sounds like the apparmor policy is not being loaded can you please
provide the output of
```
sudo aa-status
```
and
```
sudo systemctl status apparmor
```
--
Ubuntu just needs to update Audacious to version 4.2 to fix this.
See https://audacious-media-player.org/news/53-audacious-4-2-released:
- Prevent the Qt interface from popping up multiple error dialogs
--
> To clarify, this is not something that can be solved upstream in
apparmor, and a profile can't be accepted due to the nature of the path
location?
correct, if it is an unprivileged user writable location it can't be
fixed entirely upstream. It is possible for us to ship a profile that is
Public bug reported:
For a few weeks now my terminal has had an odd hang of up to nearly a second.
Usually on the first character I type in a line. I'd say it happens on at least
one out of 5 times. At first I thought that maybe it was something that bash
was doing in the background, but I
running privileged applications out of home is dirty. But it is the
situation we are in with user namespaces and app images as well. Ubuntu
will not ship a profile for a privileged executable in the user's home or
a writable location of an unprivileged user. As this can be leveraged to
by-pass the
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the
behavior of unprivileged user namespace mediation.
With the unprivileged_userns profile loaded, when a user namespace is
created by an unprivileged unconfined application the task will be
transitioned into the unprivileged_userns
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial
The appimage version of Balena Etcher unfortunately fails to run. We can not
provide a default profile for the
The Wike fix is coming in the next SRU.
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
I want to add: I faced a similar issue. Though updating to the 550
drivers through apt seemingly fixed the issue, there was actually more
issues at play.
First and foremost, on the Wayland session, running "glxinfo | egrep "OpenGL
vendor|OpenGL renderer" returns:
"OpenGL vendor string: Mesa
I found a fix for this that at least works for me.
;;; note: source file /usr/share/guile/3.0/ice-9/eval.scm
;;; newer than compiled /usr/lib/x86_64-linux-gnu/guile/3.0/ccache/ice-9/eval.go
stat /usr/share/guile/3.0/ice-9/eval.scm
and
stat /usr/lib/x86_64-linux-gnu/guile/3.0/ccache/ice-9/eval.go
FWIW I also just tried 24.04 as well as the latest BIOS update (1.37).
The issue appears to be significantly worse. I was initially unable to
boot into a desktop environment at all.
Changing the BIOS setting for Display to Discrete (from Hybrid) meant
that everything worked but monitor detection
It's not just that app images don't have a default path, we can handle
that as well. It is that user namespaces have become a privileged
operation, and the user must take some privileged action to allow
applications to use them.
That can be any of
- moving the application into a well known
I experience this same issue on a fresh Noble installation. FWIW, this
is only with the Debian repository version - the Snap version of Remmina
is able to connect.
--
Unless there are other denials, this is not related to bug #2046844
Try adding the following rule to the torbrowser_firefox profile
allow rw /run/dbus/system_bus_socket,
and then reloading it with either
sudo systemctl reload apparmor
or by using
sudo apparmor_parser -r
Debdiffs provided. Packages also uploaded to
https://launchpad.net/~john-cabaj/+archive/ubuntu/asrdfd.
--
https://bugs.launchpad.net/bugs/2063362
Title:
Backport for 22.04, 20.04
** Changed in: involflt (Ubuntu Bionic)
Status: New => In Progress
** Changed in: involflt (Ubuntu Bionic)
Assignee: (unassigned) => John Cabaj (john-cabaj)
** Changed in: involflt (Ubuntu Focal)
Assignee: (unassigned) => John Cabaj (john-cabaj)
** Changed in: involfl
** Patch added: "Bionic 18.04 debdiff"
https://bugs.launchpad.net/ubuntu/+source/involflt/+bug/2063362/+attachment/5770457/+files/1-0.1.0-0ubuntu6~18.04.1.debdiff
--
** Patch added: "Focal 20.04 debdiff"
https://bugs.launchpad.net/ubuntu/+source/involflt/+bug/2063362/+attachment/5770456/+files/1-0.1.0-0ubuntu6~20.04.1.debdiff
--
** Patch added: "Jammy 22.04 debdiff"
https://bugs.launchpad.net/ubuntu/+source/involflt/+bug/2063362/+attachment/5770455/+files/1-0.1.0-0ubuntu6~22.04.1.debdiff
--
** Description changed:
- Request to backport Azure Site Recovery Disk Filter Driver to Jammy
- (22.04) and Focal (20.04)
+ [Impact]
+
+ * Request to backport Azure Site Recovery Disk Filter Driver to Jammy
+ (22.04), Focal (20.04), and Bionic (18.04)
+
+ [Fix]
+
+ * Simple re-package, with
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to
signal (receive) peer={runc,unconfined},
or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent,
Public bug reported:
Request to backport Azure Site Recovery Disk Filter Driver to Jammy
(22.04) and Focal (20.04)
** Affects: involflt (Ubuntu)
Importance: Undecided
Status: New
** Affects: involflt (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects:
Thank you for your quick and helpful reply. A few quick checks make it
appear that reinstalling libssl as you suggested has completely resolved
the problem.
Thanks also for your suggestion about checking failing hardware. There
seems to be no sign of any errors in my drive, but I'll continue to
** Information type changed from Private Security to Public
--
https://bugs.launchpad.net/bugs/2063271
Title:
Illegal opcode in libssl
Public bug reported:
Description: Ubuntu 24.04 LTS
Release: 24.04
There is no "entire disk with lvm and encryption" option available.
When the "Erase disk" option is selected the entire disk is selected for
installation and the user is given the option to "Encrypt system" but there is
no
*should be changed.
--
https://bugs.launchpad.net/bugs/2061918
Title:
package thunderbird 2:1snap1-0ubuntu1 failed to install/upgrade: new
thunderbird package pre-installation script
I think release upgrader settings changed. To do deb2snap transitions
first before upgrade happens.
Because during upgrade, packages are inconsistent, and snap hooks must
be deferred until they are safe to execute on the system.
Note all other deb2snap transitions were always graceful and would
FWIW, looks like a Debian patch must already exist for this:
https://security-tracker.debian.org/tracker/CVE-2024-32462
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-32462
--
I will note that current snap behavior is by design. Not saying that
they couldn't make this easier but the snap side is functioning the way
it was designed.
--
Thank you for checking Aditya. I'll leave this open till you get some
guidance from VMware regarding any changes in Cloud Director that may be
affecting serial console connections.
I've also added this to our 24.04 release notes (to be published soon
for the clouds). Thank you a bunch for trying
1. what versions of VMware ESXi is this applicable?
2. is this reproducible in other environments, such as Virtualbox?
3. is this error true of all ubuntu images for those versions then? This was
added in https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1895104
at the request of
** Changed in: cloud-images
Status: Confirmed => Fix Released
--
https://bugs.launchpad.net/bugs/1895104
Title:
It hangs during booting after deploy cloud image(.ova) and upgrade
** Changed in: zfs-linux (Ubuntu Noble)
Status: Confirmed => In Progress
** Changed in: zfs-linux (Ubuntu Noble)
Assignee: (unassigned) => John Cabaj (john-cabaj)
--
unfortunately Joplin is only shipped as an appimage for Linux. Which
means we can not ship a profile for it by default that will allow it to
use capabilities within the unprivileged user namespace that the
electron embedded browser is attempting to use.
This means that the user is required to
I've tested an initial version with the upstream patch and attached the
debdiff here. Will work to get this uploaded.
** Patch added: "zfs-linux_2.2.2-0ubuntu9.debdiff"
https://bugs.launchpad.net/ubuntu/+source/zfs-linux/+bug/2058179/+attachment/5767995/+files/zfs-linux_2.2.2-0ubuntu9.debdiff
apport information
** Attachment added: "ProcEnviron.txt"
https://bugs.launchpad.net/bugs/2061698/+attachment/5766302/+files/ProcEnviron.txt
--
https://bugs.launchpad.net/bugs/2061698
apport information
** Attachment added: "ProcCpuinfoMinimal.txt"
https://bugs.launchpad.net/bugs/2061698/+attachment/5766301/+files/ProcCpuinfoMinimal.txt
--
apport information
** Tags added: apport-collected jammy third-party-packages
** Description changed:
```
GNU Image Manipulation Program version 2.10.36
git-describe: GIMP_2_10_36
Build: unknown rev 0 for linux
# C compiler #
Using built-in specs.
the kernel team is already rolling kernels with the fix for 2061851 but
it is also building in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel ppa
--
This is likely a dup of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851
--
https://bugs.launchpad.net/bugs/2061869
Title:
Snaps unable to connect to network under
Public bug reported:
```
GNU Image Manipulation Program version 2.10.36
git-describe: GIMP_2_10_36
Build: unknown rev 0 for linux
# C compiler #
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
@DisatesR : if you're not seeing a 50-cloud-init.conf file, it indicates
to me that cloud-init is failing to parse the cloud_init configuration
properly, and thus not adding the required configuration to
/etc/ssh/sshd_config.d/
could you provide your entire cloud config? you can also use
Public bug reported:
Cannot obtain lock:E: Could not get lock
/var/lib/dpkg/lock-frontend. It is held by process 17406 (unattended-upgr)
W: Be aware that removing the lock file is not a solution and may break your
system.
E: Unable to acquire the dpkg frontend lock
Thanks for the suggestion.
I have passed your suggestions along to the Guest Customization team
along with links to this bug report in an internal bug.
--
More applications will be getting confinement, on an individual level I
don't think it will be everything from debs. In this case it's because it
uses unprivileged user namespaces. Which is now being restricted and
treated as a semi-privileged because it gives access to several
privileged kernel
There are vague plans, yes. The time line of it has not been scoped, but
it would be something akin to what happens on macos when you try to run
a downloaded application for the first time and you have to go into
their security config to allow it.
The application will still be "confined" but it
Alternative idea, what about instead of writing a wrapper:
1. look at https://packages.ubuntu.com/noble/libnet-ssleay-perl
a. libnet-ssleay-perl is in main
2. add eddsa-25519 to the list of constants upstream
a. if i'm reading correctly, there's a mapping in a
helper_scripts/constants.txt
The fix has been merged upstream in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1209
it will be in the next release.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
-
in with the
external keyboard after waking up after a suspend).
I reconnect the external keyboard and I can then resume working.
It appears that suspending the laptop somehow is disabling the laptop's
keyboard.
Note that the functionality of the laptop's mouse is unaffected.
I hope this helps,
John
time,
John
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubuntu-release-upgrader-core 1:22.04.19
ProcVersionSignature: Ubuntu 5.15.0-102.112-generic 5.15.148
Uname: Linux 5.15.0-102-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CrashDB
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.
The potential solution I mention is
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined
profile, as that allows for an arbitrary by-pass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions but at
It is in the SRU queue and the current ETA is April 15 to land in the
proposed pocket (archive proposed not security proposed ppa), there is a
caveat that the recent xz backdoor has caused some "fun" on the archive
side and could potentially cause some delays.
--
Fixed by MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
--
https://bugs.launchpad.net/bugs/2060100
Title:
denials from sshd in noble
Public bug reported:
2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400
audit(1711512628.920:155): apparmor="DENIED" operation="bind"
class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix"
sock_type="stream" protocol=0 requested_mask="bind"
We have an update of the firefox profile coming that supports the
/opt/firefox/firefox location used as the default install for the
firefox downloaded directly from mozilla.org
If you are running firefox out of your home directory, that will not be
directly supported and you will need to choose to
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
I will add here as well that we have an update of the firefox profile
coming that supports the /opt/firefox/firefox location used as the
default install for the firefox downloaded directly from mozilla.org
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
Hi cipricus,
can you specify how and where your firefox was installed? We are trying
to support multiple variations including downloading directly from
mozilla if it is installed to the standard location?
Tested working on the image from
http://cloud-images.ubuntu.com/releases/jammy/release-20240319/
$ ssh -o "UserKnownHostsFile=/dev/null -o CheckHostIP=no StrictHostKeyChecking
no" jchittum@0.0.0.0 -p
The authenticity of host '[0.0.0.0]: ([0.0.0.0]:)' can't be established.
ED25519
moved on to 22.04 and bug does not exist
--
https://bugs.launchpad.net/bugs/1873606
Title:
20.04 repo doesn't work
@DisasteR -- could you be more specific? Which images are you seeing
this in? which cloud, which download from `cloud-images.ubuntu.com`?
--
https://bugs.launchpad.net/bugs/2049860
Title:
@coeur-noir:
Are you installing firefox to /opt/ as recommended or using it local in
your user account?
as for bwrap, maybe it is known to be problematic. It is allowed to run and to
create a user namespace but it is denied all capabilities within the namespace.
Can you run
sudo dmesg |
** Changed in: linux (Ubuntu Focal)
Status: New => Invalid
--
https://bugs.launchpad.net/bugs/2045384
Title:
AppArmor patch for mq-posix interface is missing in jammy
1. Yes. The backport was for 5.15 jammy kernels including HWE
derivatives. The user space SRU was done in bug
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146
which included Focal. The intent being Focal will only support mqueue if
it is using an HWE kernel.
2. Yes that makes
Public bug reported:
kernel bug
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045384
introduced an apparmor change to the 5.15. This rolled down to the Focal
HWE 5.15 kernel, causing failures to properly snap seed
The original functionality was added into ubuntu/master and ubuntu/jammy
The statement in the bug was correct -- we had not anticipated or
thought an apparmor change would get backported to an LTS branch that
would necessitate the backport of the functionality in
`snap_validate_seed`. but now we have a break, where the HWE of focal
(5.15) and LTS of jammy (5.15) got
Question -- this has landed in various jammy-5.15 kernels. This rolled
downstream to the focal HWE kernels (specifically the cloud kernels)
1. was this intentional?
2. if so, could we add an affects for focal as well? it'll help us with
tracking downstream dependency changes, specifically in
** Tags added: verification-needed
--
https://bugs.launchpad.net/bugs/2052789
Title:
AppArmor profiles missing in kernel 5.15.0-1051+ release
** Tags added: verification-done-jammy
--
https://bugs.launchpad.net/bugs/2052789
Title:
AppArmor profiles missing in kernel 5.15.0-1051+ release
Verified Jammy:
Steps:
1. using bartender, built an image using the livecd-rootfs 2.765.41 code
pulled from https://launchpad.net/ubuntu/+source/livecd-rootfs/2.765.41
bartender \
--hook-extras-branch jammy \
--livecd-rootfs-dir