Hi Dererk,

I'm fully quoting below Seth Arnold's reply (that was sent to pkg-apparmor-team@ only) and will reply below.

Seth Arnold:
> On Wed, Jul 18, 2018 at 08:05:29PM -0300, Dererk wrote:
>> A bug was reported to me about the way an apparmor profile behaves.
>> It appears to me that this issue might be tightly related to the way
>> apparmor is compiled on Ubuntu, since all my attempts to find similar
>> reports get isolated to Ubuntu's reports and bug fixes.
>>
>> Would you be so kind as to advise on how to proceed with this? Is this possible to
>> be hit on Debian installations? If it's not, is it safe to apply it on Debian
>> without backfiring?
>
> Hello Dererk,
>
> This is not unique to systemd, nor Ubuntu; any time a process may use a
> file descriptor that refers to a file that does not exist in the process's
> mount namespace, whether via explicit namespace use, or chroot, or being
> passed descriptors across an exec or Unix domain socket.
>
> Systemd just makes these cases really easy to recreate.
>
> The flags=(attach_disconnected) fix is safe to apply; we don't use it
> as a default setting because we'd really like to have a better solution
> in the long run. But if you're currently not logging due to this issue, or
> the program fails to run at all because it cannot log, then waiting for a
> better solution is far from ideal.

Fully agreed: at least for now, if flags=(attach_disconnected) fixes
user-visible issues, it'll be good enough ⇒ feel free to add it :)

Cheers,
-- 
intrigeri
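The flag discussed in the thread, shown as an added illustration that is not part of the original messages or of any Debian package: an AppArmor profile fragment in its weak form beside the same profile with flags=(attach_disconnected). The profile path /usr/bin/example-daemon, its log file and the quoted denial line are constructed for this example; the two variants share a name and are meant to be read side by side, not loaded together.

```apparmor
# Assumed, not a real package: /usr/bin/example-daemon is a placeholder
# for a daemon that logs through the journal's syslog socket.

# Weak form. When systemd runs the service in a private mount namespace,
# the socket the daemon writes to may not be reachable by any path inside
# that namespace. The kernel then reports the object as "disconnected",
# the path rules below are never consulted, and the constructed denial
# looks like (single audit line, wrapped here for readability):
#   apparmor="DENIED" operation="sendmsg" profile="/usr/bin/example-daemon"
#   name="run/systemd/journal/dev-log"
#   info="Failed name lookup - disconnected path" error=-13
profile /usr/bin/example-daemon {
  /var/log/example-daemon.log w,
  /run/systemd/journal/dev-log w,   # cannot match: lookup fails before rule matching
}

# With the flag. attach_disconnected attaches a disconnected path at the
# namespace root, so the same object is presented to the policy as
# /run/systemd/journal/dev-log and the existing rule matches.
profile /usr/bin/example-daemon flags=(attach_disconnected) {
  /var/log/example-daemon.log w,
  /run/systemd/journal/dev-log w,
}
```

After editing the shipped profile, reload it with `apparmor_parser -r` on the profile file and re-check the audit log: the `info="Failed name lookup - disconnected path"` marker disappearing is the quickest confirmation that the flag, rather than a missing path rule, was the problem. The flag only changes how the name is presented to the policy; every access still has to be allowed by an explicit rule.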