Does the profile have the attach_disconnected flag set? Does the profile have the attach_disconnected flag set while in complain mode?
It looks to me like we are looking at open file descriptors that exist outside of the current namespace. This will result in a partial, unattached path that will not be allowed in complain mode. The denied path will not start with /. If the attach_disconnected flag is added, that will attach the disconnected path to the root of the current mount namespace, which is what I believe is happening with /systemd/... vs /run/systemd/...

Unless unconfined is involved, both ends of a socket are required to exist in the namespace for v7/v8 unix socket mediation (what is in noble). Unconfined is special in that it can delegate access to an open fd, which is not generically allowed atm.

If all the above is correct then you can use the attach_disconnected.path flag to attach the accesses to disconnected fds. The full flags parameter to apparmor would then look like

  profile example flags=(attach_disconnected attach_disconnected.path=/run/) { ... }

and for complain mode

  profile example flags=(complain attach_disconnected attach_disconnected.path=/run/) { ... }

This of course is a less than satisfactory workaround. There is work to address the above better but none of it is in noble.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064096

Title:
  Services fail to start in noble deployed with TPM+FDE

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064096/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
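The comment above gives two practical checks: a denial whose name does not start with / is the fingerprint of a disconnected fd, and the workaround is to put attach_disconnected plus attach_disconnected.path=/run/ in the profile flags. The script below is an added example, not code from the bug report, from its author, or from the AppArmor project. It parses AppArmor audit records, picks out DENIED records with an unattached (relative) name per profile, reports which of the two flags a given profile header lacks, and emits the exact header line the comment suggests. The audit lines are constructed samples in the kernel's key=value layout; the /run/ prefix is the one the comment uses; the helper names (parse_audit_line, find_disconnected_denials, missing_flags, suggest_header) are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample audit lines (not taken from the bug report). The field
# layout follows the kernel's apparmor="..." key=value audit format; the
# names without a leading "/" are the disconnected paths the comment above
# describes.
SAMPLE_LOG = """\
audit: type=1400 audit(1713800000.101:201): apparmor="DENIED" operation="connect" class="file" profile="example" name="systemd/notify" pid=1201 comm="example" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1713800000.102:202): apparmor="ALLOWED" operation="open" class="file" profile="example" name="/etc/hosts" pid=1201 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1713800000.103:203): apparmor="DENIED" operation="sendmsg" class="file" profile="example" name="systemd/journal/socket" pid=1201 comm="example" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1713800000.104:204): apparmor="DENIED" operation="open" class="file" profile="other" name="/run/foo" pid=1300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into its key=value fields."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_disconnected_denial(fields: Dict[str, str]) -> bool:
    """A DENIED record whose name is a relative (unattached) path is the
    signature of an fd that lives outside the current mount namespace."""
    name = fields.get("name")
    return (fields.get("apparmor") == "DENIED"
            and name is not None
            and not name.startswith("/"))


def find_disconnected_denials(log: str) -> Dict[str, List[str]]:
    """Map each profile to the disconnected paths it was denied."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        fields = parse_audit_line(line)
        if is_disconnected_denial(fields):
            hits.setdefault(fields["profile"], []).append(fields["name"])
    return hits


def profile_flags(header: str) -> List[str]:
    """Flags set in a profile header such as
    'profile example flags=(complain attach_disconnected) {'."""
    m = re.search(r"flags=\(([^)]*)\)", header)
    return m.group(1).split() if m else []


def missing_flags(header: str) -> List[str]:
    """Which of the two flags the workaround needs are absent from a header
    (attach_disconnected.path=... is compared by its name only)."""
    present = {f.split("=", 1)[0] for f in profile_flags(header)}
    return [f for f in ("attach_disconnected", "attach_disconnected.path")
            if f not in present]


def suggest_header(profile: str, attach_prefix: str = "/run/",
                   complain: bool = False) -> str:
    """Build the profile header line carrying the workaround flags,
    optionally in complain mode, exactly as the comment above writes it."""
    flags = ["complain"] if complain else []
    flags += ["attach_disconnected", f"attach_disconnected.path={attach_prefix}"]
    return f"profile {profile} flags=({' '.join(flags)}) {{"


if __name__ == "__main__":
    for prof, names in find_disconnected_denials(SAMPLE_LOG).items():
        print(f"{prof}: disconnected denials for {names}")
        print("  suggested header:", suggest_header(prof))
```

Feed it real records with something like `journalctl -k | grep apparmor=` if you want to run it against a live noble system; the name-without-leading-slash test is the thing to look for before reaching for the flags, since a normal path denial (like the /run/foo line in the sample) is an ordinary missing rule, not a disconnected fd, and attach_disconnected will not help it.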