Thanks for the report. I just tried to reproduce this on both updated
impish and updated jammy and couldn't reproduce. I notice on impish
specifically that my focal container does not get the
/var/lib/snapd/apparmor/snap-confine/cap-bpf file which is expected
because the apparmor_parser for focal does not know about the bpf
capability. What's confusing is how/why your container saw this, because
again snapd actually tries to compile a program with apparmor_parser
with "capability bpf," in it and only if that succeeds will it generate
that snippet to include in snap-confine's policy.

So for this to have happened to you, the apparmor_parser that snapd sees
inside the focal container must have been able to successfully compile
with that snippet.

You mentioned on IRC that this was a privileged container. Is there
any way that, in addition to being a privileged container, it somehow
had a newer apparmor_parser in the container too?

** Changed in: snapd (Ubuntu)
       Status: New => Incomplete

-- 
https://bugs.launchpad.net/bugs/1964636

Title:
  Incorrect handling of apparmor `bpf` capability

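The probe described in the comment above (compile a profile containing `capability bpf,` with the parser and generate the snippet only when that compile succeeds), as an added example that is not snapd's own code and not from the bug report. The compile-only flags `-Q -K` (skip kernel load, skip cache), the stdin profile wrapper, the function names and the snippet text are assumptions for illustration; snapd's real invocation and on-disk format are not reproduced here. The three-way result is the distinction the comment turns on: a generated cap-bpf file means the apparmor_parser that was actually executed accepted the rule, which is a different situation from the parser being absent or the rule being rejected.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// ProbeResult separates "the parser ran and rejected the rule" from
// "the parser could not be run at all". Only the first outcome says
// anything about which apparmor_parser the probe actually exercised.
type ProbeResult int

const (
	RuleUnsupported   ProbeResult = iota // parser ran, exited non-zero
	RuleSupported                        // parser ran, exited zero
	ParserUnavailable                    // parser missing / not executable
)

func (r ProbeResult) String() string {
	switch r {
	case RuleSupported:
		return "supported"
	case RuleUnsupported:
		return "unsupported"
	default:
		return "parser unavailable"
	}
}

// probeRule wraps rule in a minimal profile, feeds it to parser on stdin and
// classifies the outcome. parser and args are whatever compile-only
// invocation the caller wants to test; this helper is illustrative (an
// assumption) and does not reproduce snapd's own probing code.
func probeRule(parser string, args []string, rule string) (ProbeResult, error) {
	profile := fmt.Sprintf("profile snap-probe-test {\n  %s\n}\n", rule)
	cmd := exec.Command(parser, args...)
	cmd.Stdin = strings.NewReader(profile)
	out, err := cmd.CombinedOutput()
	if err == nil {
		return RuleSupported, nil
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		// The parser started and rejected the profile, e.g. because it does
		// not know the capability name (the focal case in the comment).
		return RuleUnsupported, fmt.Errorf("parser rejected %q: %s",
			rule, strings.TrimSpace(string(out)))
	}
	// exec could not start the parser at all (not installed, not in PATH,
	// not executable); this must not be confused with "unsupported".
	return ParserUnavailable, err
}

// capBpfSnippet mirrors the behaviour described in the comment: the snippet
// exists only when the probe succeeded. The snippet text is an assumption.
func capBpfSnippet(res ProbeResult) string {
	if res == RuleSupported {
		return "capability bpf,\n"
	}
	return ""
}

func main() {
	// Assumed compile-only invocation: -Q skips loading into the kernel,
	// -K skips the cache. Run this inside the container to see which
	// parser a probe like snapd's would have talked to.
	res, err := probeRule("apparmor_parser", []string{"-Q", "-K"}, "capability bpf,")
	fmt.Printf("capability bpf: %s\n", res)
	if err != nil {
		fmt.Println("detail:", err)
	}
	if res == ParserUnavailable {
		os.Exit(2)
	}
	if snippet := capBpfSnippet(res); snippet != "" {
		fmt.Printf("would write cap-bpf snippet:\n%s", snippet)
	}
}
```

Running this inside the focal container and on the host side by side answers the question in the comment: if the container's parser reports "unsupported" while the snippet file nevertheless exists, the file was generated against some other parser (or a newer one was present at the time), which is exactly the mismatch worth tracking down.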
