@Andrew: Simon is correct. This update deliberately had an unusual roll-
out where it went to updates first so that it could be phased, and we
could roll back if the phasing showed a problem.
The security pocket was not updated specifically to provide users a
way to easily revert the update.
As
This SRU should land soon. It is up to the release team to decide when
it will be released. There are a couple of reasons this is baking longer (28
days) than the minimum 7 days. In -proposed a previous iteration
caused a regression and had to be reverted. The 24.04.1 release happened
recently and t
Ubuntu can not ship an unconfined bwrap profile, doing so allows a
trivial bypass of the unprivileged user namespace restrictions.
An alternative profile for bwrap is provided by the apparmor-profiles
package in /usr/share/apparmor/extra-profiles/bwrap-userns-restrict
it is not enabled by defaul
*** This bug is a duplicate of bug 2064849 ***
https://bugs.launchpad.net/bugs/2064849
Ubuntu can not ship an unconfined bwrap profile, doing so allows a
trivial bypass of the unprivileged user namespace restrictions.
An alternative profile for bwrap is provided by the apparmor-profiles
pack
@Mingun: in
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1969896 you
reported this is still affecting Ubuntu 24.04.1
Can you provide log entries with the denials you are encountering?
sudo dmesg | grep DENIED
Also you reported
$ LANG=C sudo apparmor_parser -R /etc/apparmor.d/usr.b
*** This bug is a duplicate of bug 1795649 ***
https://bugs.launchpad.net/bugs/1795649
@Mingun: I have replied in
https://bugs.launchpad.net/evince/+bug/1795649
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpa
This is fixed in 4.0.2 and should be part of the next SRU
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/2079019
Title:
Unable to en
Disabling the user namespace restriction is certainly one possible
direction, and would be the easiest for Noble.
The other possible route is using aa-notify, which now has the ability
to produce a prompt for the user. An example gif can be seen at
https://gitlab.com/-/project/4484878/uploads/ea5f
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
It can be installed via
sudo apt install apparmor-notif
Looking into it. This appears to be an issue with the parent missing
when trying to create the child in aafs.
** Changed in: linux (Ubuntu Noble)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: ubuntu-realtime
Status: New => Con
peer=unconfined in most cases is not meant to be any. It is just that
the policy could not distinguish between the different unconfined
processes.
Confined processes were still being blocked by the peer=unconfined rule.
So I have some questions about the snap run under the wpa_client case.
Is this trace repeatable? This one is odd to me in a couple of ways like
we are getting a timeout without ever doing a select/poll/... so either
it is somehow missing from the trace or it's being done by interrupt.
The trace s
@richard-purdie-1:
I can completely agree that it's sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.
Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the use
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.
Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The
@jamesh:
for the profile please give it a short non-path based name, and option
for local additions
```
abi ,
include
profile gnome-shell-portal-helper /usr/libexec/gnome-shell-portal-helper flags=(default_allow) {
  userns,
  # Site-specific additions and overrides. See local
```
@Robie: define final. Right now this is for testing. Once testing is
done and if everything looks good then we will revise the version. The
plan was to go with an epoch version similar to
4.0.1really4.0.0-beta3-0ubuntu0.1 (suggestions welcome), and didn't want
to use/burn those until we are sure thi
steam (non-snap) works, interface is brought up and can launch a game
known to trigger pressure vessel and bwrap.
steam snap is broken. The interface is brought up, but the games I have
tried can not launch. The failure however does not appear to be related
to the revert. It is not bwrap related bu
I have run through QRT tests as well, same results as @georgia in #28
In addition I have tested a couple flatpaks, steam (snap, and non-snap)
has NOT been tested yet, but I will have that one soon.
The regression is caused by
d/p/u/enable-bwrap-profile.patch
the bwrap profile is interacting with flatpak, and snapd. The
d/p/u/enable-bwrap-profile.patch will need to be dropped, when the 4.0.1
SRU is redone.
The bwrap, flatpak and snapd will need updates to enable bwrap to be
used by regular
@ross:
atm, correct, unshare does not work as it does not have a profile enabled
by default. However this will be partially fixed via SRU. The SRU for
apparmor 4.0.1 includes an example profile for unshare*, that will allow
unshare to create user namespaces and even have capabilities within the
use
There are 3 profiles involved here (probably should be 4), with a call
dependency chain of
flatpak -> bwrap -> bwrap_unpriv
the flatpak profile does not show up in the logs but does end up
launching bwrap. The comm is being set by flatpak, and can not be
considered reliable for which executable is
@kanavin:
Bitbake could indeed do that, it will depend on if it is considered
worthwhile to carry said exception code. As I mentioned above both
capabilities and SELinux are working towards limiting of unprivileged
user namespaces, and the solutions needed to handle their restrictions
will be diff
@kanavin:
Thanks, we don't have an issue with bitbake, the issue comes down to
running code out of a user writable location.
1. The location of bitbake will vary by user. Making any profile we
could ship only functional for a subset of bitbake users. For the others
it would require a privileged ac
@milev-philip:
containers are a difficult case. Unfortunately containers share the same
kernel as the host. An application running in the container (docker
image) can use unprivileged user namespaces to compromise not just the
container but the host as well.
There is the ability to turn the restr
It does seem that way. The problem is the design of unprivileged user
namespaces, it gives unprivileged applications access to a lot of kernel
surface that they usually don't have access to. This has been used to
elevate kernel bugs from root exploitable to being exploitable by
unprivileged users.
*** This bug is a duplicate of bug 2056555 ***
https://bugs.launchpad.net/bugs/2056555
Yes, it's best to mark this as a duplicate.
** This bug has been marked a duplicate of bug 2056555
Allow bitbake to create user namespace
Test Environment 1: kvm virtual machine, clean 24.04 install, updated,
then proposed enabled.
Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04,
updated, then proposed enabled.
Test plan fully executed on both environments.
Notes:
kde, budgie, and kapps: only tested in envi
List of Applications tested for regression
Tellico
Supercollider
steam
rssguard
qutebrowser
qmapshack
plasma-welcome
plasma-desktop
pageedit
opam
notepadqq
marble
loupe
kontact
konqueror
kmail
kgeotag
kdeplasma-addons
kchmviewer
kalgebra
goldendict-webengine
ghostwriter
foliate
geary
firefox snap
A profile for bwrap is in the 4.0.1 SRU
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
A profile for bwrap is in the 4.0.1 SRU
** Changed in: bubblewrap (Ubuntu)
Status: Triaged => Fix Committed
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespa
On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of
June 27, 24.04.
0. Enabled proposed, updated, upgrade and installed apparmor packages
via
$ sudo apt install apparmor apparmor-profiles apparmor-utils
libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor
python3-libap
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
I will add that while you can manually add the profile as a work around,
the full update that is being SRUed is available in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru
any testing that
Can you please try with the apparmor in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru
Basically from a terminal you need to do
sudo add-apt-repository ppa:apparmor-dev/apparmor-sru
sudo apt update
and then retry Web Apps
4.0.1 is in the SRU process, currently waiting to
> Am I correct in understanding, the Thunderbird snap does not allow
profiles to set paths to locations outside the snap confinement? And if
so, is that something specific to running a live system or is it
something any Lubuntu 24.04 installation is now stymied by?
it is a property of the snap, re
Sigh, that should be Unfortunately snap doesn't currently have ...
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap on live systems "already running" but not responsive
> I'm sorry, would you mind elaborating? profiles.ini allows
configuration of where each profile stores emails, so what are the
consequences of my doing that? I used it, and the same PATH variable,
prior to 24.04 without problem.
that will direct thunderbird to access your emails stored at the loc
It shouldn't but we do need to make sure it works.
Previously flatpak was getting around the bwrap restriction by using the
flatpak unconfined profile. But the unconfined profile uses pix which
means it will now use the bwrap profile, when calling bwrap.
If this does cause breakage we will need t
** Changed in: apparmor (Ubuntu)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2056496
Title:
[FFe] AppArmor 4.0-beta2 + prompting support for noble
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/2056517
Title:
VS Code profile still broken.
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Committed
https://bugs.launchpad.net/bugs/2060767
Title:
Foliate does not run in Ubuntu 24.04 due to apparmor issue
** Changed in: apparmor (Ubuntu)
Status: New => Fix Released
https://bugs.launchpad.net/bugs/2060810
Title:
Wike does not run in Ubuntu 24.04 due to apparmor issue
the
Path=/media/lubuntu/drive/hq/email/thunderbird/certainprofilegoeshere
explains it
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap on live systems "already running"
This requires a v4.0 apparmor parser and Ubuntu not upstream kernel.
The ubuntu kernel carries a patch that is work toward splitting
unconfined and making so it can replaced and only cause mediation
overhead for the classes being mediated.
The 4.0 parser is setting mediated classes in unconfined
@smoelius:
If you are interested in learning more of the processes, you can read
about it at https://wiki.ubuntu.com/StableReleaseUpdates
To summarize the upload is at step 4 of the procedures. It has been
uploaded but has not been promoted to the -proposed pocket. Once it has
been accepted it wi
Uhmmm sorry Oracular not Oneiric, seems I am a full 13 years out of sync
https://bugs.launchpad.net/bugs/2065708
Title:
Add Picture button in Background does not allow you to select
I can report the bwrap-userns-restrict profile in Oneiric makes this work
for me. This fix migrated out of proposed this week, so it has only been
available for a few days.
We will work on getting it SRUed to noble.
@samlan00:
you should be able to revert your fix on Oneiric.
https://bugs.launchpad.net/bugs/2065708
Title:
Add Picture button in Background does not allow you to select
wallpaper
Agreed that, we don't want to remove sandboxing on the thumbnailer. We
are looking at what we can do for a fix.
https://bugs.launchpad.net/bugs/2065708
Title:
Add Picture button in Bac
@mhalano:
can you check your logs for apparmor denial messages?
sudo dmesg | grep DENIED
or
journalctl -g apparmor
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user name
I opened an Ubuntu Noble specific task. We can close it after verifying
the current apparmor in noble fixes the issue.
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
Yes for the appimages that are affected they should be reported
upstream. There are some things that upstream can do to make appimages
work under the restriction, ideally they would do it dynamically based
on whether the user namespace is available rather than just based on distro,
which is the quick fix s
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Maxime Bélair (mbelair)
https://bugs.launchpad.net/bugs/2065685
Title:
aa-logprof fails with 'runbindable' error
The AppArmor profile covers the packaged version and the standard
privileged install location. You are correct that it does not cover
running firefox from an unprivileged user writable location like $HOME.
For unprivileged user writable locations like $HOME/bin/ the user has to
deliberately make a
@jorge-lavila:
technically possible yes. I want to be careful with what I promise here,
as the user experience is not my area. With that said we are currently
looking at using aa-notify as a bridge to improve the user experience.
We would install it with a filter to only fire a notification for th
@zgraft:
I have added a tor item, a profile will land in an update.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
@jorge-lavila,
It's not a theoretical case, they have been used by multiple exploits
every year (including this one) since landing in the kernel. Ubuntu is
not the only ones looking at restricting them. SELinux has also picked
up the ability but they haven't really rolled it out in policy, there
ar
Your understanding is mostly correct. There are as best I can tell, 2
exceptions with how things are set up atm
1. If the environment is set up to use early policy load, the init script
bailout won't stop that policy from being loaded. But it prevents it
from being live updated via systemctl reload
sadly yes, the init script has a bail out that stops loading policy on
the live cd. We are going to have to investigate this.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
s/live cd/live image/
https://bugs.launchpad.net/bugs/2065088
Title:
AppArmor profiles allowing userns not immediately active in 24.04 live
image
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
@1fallen: it looks like there is something more going on here, can you
check your kernel log / dmesg for apparmor DENIED messages.
eg.
```
sudo dmesg | grep DENIED
```
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
As for upgrade vs. clean install. The unprivileged userns restriction is
enabled via a sysctl and upgrading will not enable it by default.
Unfortunately there isn't a way to do this via abstractions or configs.
It would be possible to add a patch to the userspace and SRU it. This
would be the quickest solution while we work on the necessary kernel
changes to make the use of attach_disconnected unnecessary.
Does the profile have the attach_disconnected flag set?
Does the profile have the attach_disconnected flag set while in complain
mode?
It looks to me that we are looking at open file descriptors that exist
out of the current namespace. This will result in a partial unattached
path that will not b
So while I don't think we are where snapd can get rid of the snap-
confine.internal snippets, with it now vendoring a more recent apparmor,
a lot of these can drop away. It doesn't need to detect capabilities
anymore.
It can just specify
deny capability perfmon,
and it will work, for all kerne
@neigin: yes the capability to resolve this exists. So now it is a matter of
getting it functioning in snapd for these cases. This will get resolved I just
can't say when it will land.
@u-dal:
thank you, though I have to say I am at a loss as to why the snap version
of thunderbird is trying to access
```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```
what kind of configuration have you done? I s
So my supposition on the overlay looks to be incorrect. Would you be
willing to attach your full mount information?
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap o
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation
@u-dal:
can you attach the overlay mount information.
https://bugs.launchpad.net/bugs/2064363
Title:
thunderbird snap on live systems "already running" but not responsive
Public bug reported:
Moving this here from
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
snap policy on an overlay system is preventing thunderbird from running.
This is related to the snapcraft forum report
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-
bu
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt
https://bugs.launchpad.net/bugs/2
** Attachment added: "dmesg denial output"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt
https://bugs.launchpad.net/bugs/2
@u-dal:
the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials
```
sudo dmesg | grep DENIED
```
@u-dal:
are you running in a live cd environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d
@u-dal:
This sounds like the apparmor policy is not being loaded can you please
provide the output of
```
sudo aa-status
```
and
```
sudo systemctl status apparmor
```
https://bugs.la
> To clarify, this is not something that can be solved upstream in
apparmor, and a profile can't be accepted due to the nature of the path
location?
correct, if it is an unprivileged user writable location it can't be
fixed entirely upstream. It is possible for us to ship a profile that is
disabled
running privileged applications out of home is dirty. But it is the
situation we are in with user namespaces and app images as well. Ubuntu
will not ship a profile for a privileged executable in the users home or
a writable location of an unprivileged user. As this can be leveraged to
by-pass the r
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the
behavior of unprivileged user namespace mediation.
With the unprivileged_userns profile loaded, when a user namespace is
created by an unprivileged unconfined application the task will be
transitioned into the unprivileged_userns pr
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial
The appimage version of Balena Etcher unfortunately fails to run. We can not
provide a default profile for the ap
The Wike fix is coming in the next SRU.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
It's not just that app images don't have a default path, we can handle
that as well. It is that user namespaces have become a privileged
operation, and the user must take some privileged action to allow
applications to use them.
That can be any of
- moving the application into a well known privileg
Unless there are other denials, this is not related to bug #2046844
Try adding the following rule to the torbrowser_firefox profile
allow rw /run/dbus/system_bus_socket,
and then reloading it with either
sudo systemctl reload apparmor
or by using
sudo apparmor_parser -r /path/to/torbrowse
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to
signal (receive) peer={runc,unconfined},
or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent,
I will note that current snap behavior is by design. Not saying that
they couldn't make this easier but the snap side is functioning the way
it was designed.
https://bugs.launchpad.net/bug
unfortunately Joplin is only shipped as an appimage for Linux. Which
means we can not ship a profile for it by default that will allow it to
use capabilities within the unprivileged user namespace that the
electron embedded browser is attempting to use.
This means that the user is required to inte
the kernel team is already rolling kernels with the fix for 2061851 but
it is also building in https://launchpad.net/~apparmor-
dev/+archive/ubuntu/apparmor-devel ppa
https://bugs.launchp
This is likely a dup of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851
https://bugs.launchpad.net/bugs/2061869
Title:
Snaps unable to connect to network under linux-lowla
More applications will be getting confinement, on an individual level I
don't think it will be everything from debs. In this case it's because it
uses unprivileged user namespaces. Which is now being restricted and
treated as a semi-privileged because it gives access to several
privileged kernel int
There are vague plans, yes. The time line of it has not been scoped, but
it would be something akin to what happens on macOS when you try to run
a downloaded application for the first time and you have to go into
their security config to allow it.
The application will still be "confined" but it ma
The fix has been merged upstream in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1209
it will be in the next release.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.
The potential solution I mention is co
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined
profile, as that allows for an arbitrary by-pass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions but at th
It is in the SRU queue and the current ETA is April 15 to land in the
proposed pocket (archive proposed not security proposed ppa), there is a
caveat that the recent xz backdoor has caused some "fun" on the archive
side and could potentially cause some delays.
Fixed by MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
https://bugs.launchpad.net/bugs/2060100
Title:
denials from sshd in noble
Public bug reported:
2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400
audit(1711512628.920:155): apparmor="DENIED" operation="bind"
class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix"
sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind"