So what I think is going on from a first pass look at this is that We are seeing a change in kernel behavior around exec. The 6.8 has a known change here, that doesn't normally trigger because unconfined is delegating access into the profile. However in the lxd case, unconfined can is not delegating access it the profile needs access to the application.
the accompanying patch should fix the issue, and does not actually grant anymore permission that was already required, it was just being delegated in by unconfined. ** Patch added: "apparmor-add-execmap.patch" https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5758964/+files/apparmor-add-execmap.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2058866 Title: proposed-migration for cups-browsed 2.0.0-0ubuntu8 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs