Your understanding is mostly correct. There are, as best I can tell, 2
exceptions with how things are set up atm

1. If the environment is set up to use early policy load, the init script
bailout won't stop that policy from being loaded. But it prevents it
from being live updated via systemctl reload apparmor

2. Policy managed externally to the apparmor init script is not affected. This
basically means policy loaded/managed by
   - virt-manager
   - lxd
   - snapd
   - policy loaded manually by directly calling apparmor_parser

I still need to dig into this more so we can get this fixed. With 24.04
enabling the user namespace restriction by default, not having policy
loaded can break things, so we need to look at the short-term immediate
fix for 24.04, and then make sure this is fixed properly for 24.10.

The 24.04 fix could be any of 3 different paths:
1. just don't enable the user namespace restriction, to avoid the breakage it
will cause without policy
2. just load the subset of policy allowing user namespaces. This would address
the user namespace restriction breakage while trying to reduce surprises caused
by confinement being enabled post release.
3. load all policy.

With the fix coming post release, I doubt we will go for solution 3, but
I at least want to run an initial evaluation of doing it.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065088

Title:
  AppArmor profiles allowing userns not immediately active in 24.04 live
  image

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065088/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
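As an added example, not code from the bug report or from the AppArmor project: a POSIX shell sketch of path 2 above, selecting only the profiles that carry a `userns` rule and replace-loading just those with `apparmor_parser -r`, plus a check of whether the restriction is active. It assumes a flat profile directory such as /etc/apparmor.d and the sysctl name kernel.apparmor_restrict_unprivileged_userns used by Ubuntu kernels; the sample profile tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): implement the "load only profiles
# that allow user namespaces" path. Assumes a flat profile dir such as
# /etc/apparmor.d and sysctl kernel.apparmor_restrict_unprivileged_userns.

# Print the profile files in $1 that contain an allow (non-deny) `userns` rule.
userns_profiles() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    # Match `userns,` or `userns create,` at the start of a line (optional
    # `audit`); `deny userns,` and `# userns,` never match because of the anchor.
    if grep -Eq '^[[:space:]]*(audit[[:space:]]+)?userns[[:space:],]' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Print 1 if the restriction is active, 0 if not, "unknown" if no such sysctl.
userns_restriction_state() {
  sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo unknown
}

# Replace-load each profile file read from stdin (needs root and apparmor_parser):
#   userns_profiles /etc/apparmor.d | load_profiles
load_profiles() {
  while IFS= read -r f; do
    apparmor_parser -r "$f" || return 1
  done
}

# Constructed sample tree standing in for /etc/apparmor.d (contents are made up).
make_sample_tree() {
  d=$(mktemp -d)
  cat > "$d/usr.bin.needs-userns" <<'EOF'
abi <abi/4.0>,
profile needs-userns /usr/bin/needs-userns flags=(unconfined) {
  userns,
}
EOF
  cat > "$d/usr.bin.plain" <<'EOF'
abi <abi/4.0>,
profile plain /usr/bin/plain {
  deny userns,
  capability net_bind_service,
}
EOF
  printf '%s\n' "$d"
}
```

Run against the sample tree, only `usr.bin.needs-userns` is selected; against a real /etc/apparmor.d the same pipeline loads just the unconfined-with-userns profiles while leaving the rest of the policy untouched.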