QRT test log attached ** Description changed:
Description/Rationale: Network interface mediation is a feature dependent on kernel support which allows restricting network access based on the interface that communication can be sent on by specifying the interface= conditional. eg. network inet interface=eth0 port=8080, If a rule does not specify the interface conditional, it does not restrict the interface that can be used. The interface conditional is limited to the inet, and inet6 address families, and currently only uses the SecMark label, this means the packet label is limited to use on host and is not carried across the network. Note that this new feature is under a new ABI, which does not affect existing policy, and can be used by customers that are intentionally trying to mediate network interface. Since that's the case, this feature has a low regression potential, since there is no change on current policy shipped by Ubuntu. While we build the package, the changes to the source code are in https://gitlab.com/georgiag/apparmor/-/commits/iface5.0-beta1?ref_type=heads - (8 patches committed Mar 19, 2026) + (5 patches committed Mar 19, 2026) -------------------------------------------------------------------------- - Test Plan: + The package has been successfully built locally and can also be accessed + as 5.0.0~beta1-0ubuntu5~ppa1 from a PPA build at + https://launchpad.net/~rlee287/+archive/ubuntu/apparmor- + staging/+packages. 
+ + # TODO: install logs + # TODO: upgrade logs #TODO add verification that the new package: Builds, Installs, Upgrades, Does not break packages depending on it (or that corresponding updates have been prepared) -------------------- This FFe has been tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py Steps: $ git clone https://git.launchpad.net/qa-regression-testing $ ./scripts/make-test-tarball ./scripts/test-apparmor.py Copying: test-apparmor.py Copying: testlib.py Copying: install-packages Copying: packages-helper Copying: apparmor/ Test files: /tmp/qrt-test-apparmor.tar.gz To run, copy the tarball somewhere, then do: $ tar -zxf qrt-test-apparmor.tar.gz $ cd ./qrt-test-apparmor $ sudo ./install-packages test-apparmor.py $ ./test-apparmor.py -v This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package: - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: #TODO add final test output -------------------------------------------------------------------------- Output of seeded-in-ubuntu: $ seeded-in-ubuntu apparmor apparmor (from apparmor) is seeded in: edubuntu: daily-live, daily-preinstalled kubuntu: daily-live lubuntu: daily-live ubuntu-budgie: daily-live ubuntu-core-installer: daily-live ubuntu-mate: daily-live ubuntu-server: daily-live, daily-preinstalled ubuntu-unity: daily-live ubuntu-wsl: daily-live ubuntu: daily-dangerous, daily-live, daily-preinstalled ubuntucinnamon: daily-live ubuntukylin: daily-live 
ubuntustudio: daily-live xubuntu: daily-live, daily-minimal apparmor-profiles (from apparmor) is seeded in: ubuntu: supported apparmor-utils (from apparmor) is seeded in: ubuntu: supported libapache2-mod-apparmor (from apparmor) is seeded in: ubuntu: supported libapparmor-dev (from apparmor) is seeded in: ubuntu: supported libapparmor1 (from apparmor) is seeded in: edubuntu: daily-live, daily-preinstalled kubuntu: daily-live lubuntu: daily-live ubuntu-budgie: daily-live ubuntu-core-installer: daily-live ubuntu-mate: daily-live ubuntu-server: daily-live, daily-preinstalled ubuntu-unity: daily-live ubuntu-wsl: daily-live ubuntu: daily-dangerous, daily-live, daily-preinstalled ubuntucinnamon: daily-live ubuntukylin: daily-live ubuntustudio: daily-live xubuntu: daily-live, daily-minimal libpam-apparmor (from apparmor) is seeded in: ubuntu: supported python3-apparmor (from apparmor) is seeded in: ubuntu: supported python3-libapparmor (from apparmor) is seeded in: ubuntu: supported ** Attachment added: "QRT test log" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2144679/+attachment/5954215/+files/qrt-test-apparmor-amd64.txt ** Description changed: Description/Rationale: Network interface mediation is a feature dependent on kernel support which allows restricting network access based on the interface that communication can be sent on by specifying the interface= conditional. eg. network inet interface=eth0 port=8080, If a rule does not specify the interface conditional, it does not restrict the interface that can be used. The interface conditional is limited to the inet, and inet6 address families, and currently only uses the SecMark label, this means the packet label is limited to use on host and is not carried across the network. Note that this new feature is under a new ABI, which does not affect existing policy, and can be used by customers that are intentionally trying to mediate network interface. 
Since that's the case, this feature has a low regression potential, since there is no change on current policy shipped by Ubuntu. While we build the package, the changes to the source code are in https://gitlab.com/georgiag/apparmor/-/commits/iface5.0-beta1?ref_type=heads (5 patches committed Mar 19, 2026) -------------------------------------------------------------------------- The package has been successfully built locally and can also be accessed as 5.0.0~beta1-0ubuntu5~ppa1 from a PPA build at https://launchpad.net/~rlee287/+archive/ubuntu/apparmor- staging/+packages. # TODO: install logs # TODO: upgrade logs #TODO add verification that the new package: Builds, Installs, Upgrades, Does not break packages depending on it (or that corresponding updates have been prepared) -------------------- This FFe has been tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py Steps: $ git clone https://git.launchpad.net/qa-regression-testing $ ./scripts/make-test-tarball ./scripts/test-apparmor.py Copying: test-apparmor.py Copying: testlib.py Copying: install-packages Copying: packages-helper Copying: apparmor/ Test files: /tmp/qrt-test-apparmor.tar.gz To run, copy the tarball somewhere, then do: $ tar -zxf qrt-test-apparmor.tar.gz $ cd ./qrt-test-apparmor $ sudo ./install-packages test-apparmor.py $ ./test-apparmor.py -v This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package: - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads - The final test 
output was: - - #TODO add final test output + The final test output is attached in a comment below. -------------------------------------------------------------------------- Output of seeded-in-ubuntu: $ seeded-in-ubuntu apparmor apparmor (from apparmor) is seeded in: edubuntu: daily-live, daily-preinstalled kubuntu: daily-live lubuntu: daily-live ubuntu-budgie: daily-live ubuntu-core-installer: daily-live ubuntu-mate: daily-live ubuntu-server: daily-live, daily-preinstalled ubuntu-unity: daily-live ubuntu-wsl: daily-live ubuntu: daily-dangerous, daily-live, daily-preinstalled ubuntucinnamon: daily-live ubuntukylin: daily-live ubuntustudio: daily-live xubuntu: daily-live, daily-minimal apparmor-profiles (from apparmor) is seeded in: ubuntu: supported apparmor-utils (from apparmor) is seeded in: ubuntu: supported libapache2-mod-apparmor (from apparmor) is seeded in: ubuntu: supported libapparmor-dev (from apparmor) is seeded in: ubuntu: supported libapparmor1 (from apparmor) is seeded in: edubuntu: daily-live, daily-preinstalled kubuntu: daily-live lubuntu: daily-live ubuntu-budgie: daily-live ubuntu-core-installer: daily-live ubuntu-mate: daily-live ubuntu-server: daily-live, daily-preinstalled ubuntu-unity: daily-live ubuntu-wsl: daily-live ubuntu: daily-dangerous, daily-live, daily-preinstalled ubuntucinnamon: daily-live ubuntukylin: daily-live ubuntustudio: daily-live xubuntu: daily-live, daily-minimal libpam-apparmor (from apparmor) is seeded in: ubuntu: supported python3-apparmor (from apparmor) is seeded in: ubuntu: supported python3-libapparmor (from apparmor) is seeded in: ubuntu: supported -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/2144679
Title: FFe: add network interface mediation to 26.04
