Public bug reported: Currently, AppArmor profiles are not enabled on live ISOs because of the following settings in /usr/lib/systemd/system/apparmor.service:
# Don't start this unit on the Ubuntu Live CD
ConditionPathExists=!/rofs/etc/apparmor.d

# Don't start this unit on the Debian Live CD when using overlayfs
ConditionPathExists=!/run/live/overlay/work

I'm not sure how long this has been the case, but in any event, this is somewhat problematic because it makes the live ISO experience not representative of an installed system experience. Bugs that aren't present in an installed system may be present on a live ISO (see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065088, https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2122675), while bugs that are present on an installed system might not be present on a live ISO (for instance, the Transmission BitTorrent client is broken on the Xubuntu 26.04 beta, but only after installation; it works fine in a live environment). This may confuse users, makes pre-release testing more difficult and less reliable, and is less secure than it could be. On a live ISO, simply removing these lines and then running `sudo systemctl daemon-reload; sudo systemctl restart apparmor.service` works, and doesn't seem to break the world, so it raises the question: *why* are we disabling most forms of AppArmor confinement on the live ISO? Can we just stop doing that? (I assume it's not that simple.) It's probably too late to do this in the 26.04 cycle, but perhaps 26.10 can be the cycle we get AppArmor running normally on live ISOs too.
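The two directives above are systemd unit conditions: `ConditionPathExists=` with a leading `!` passes only when the path does *not* exist, and a unit is skipped (not failed) as soon as any of its conditions fails. The script below is an added illustration, not code from the bug report or from the apparmor package. It evaluates the `ConditionPathExists=` lines of a unit file against a root prefix the same way systemd does, then runs that check over a constructed scratch tree that mimics an installed system (no `/rofs`) and an Ubuntu live ISO (`/rofs/etc/apparmor.d` present). The function names, the `ROOT` prefix argument and the scratch paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): evaluate ConditionPathExists=
# directives of a systemd unit file, so you can see why apparmor.service is
# skipped on live media. A leading "!" negates the check; every condition
# must pass for the unit to start. The ROOT argument is a hypothetical
# prefix that lets the check run against a scratch tree instead of /.

# eval_condition PATH_SPEC [ROOT] -> prints "pass" or "fail"
eval_condition() {
    spec=$1
    root=${2:-}
    case $spec in
        !*) negate=1; p=${spec#!} ;;   # "!" means: pass only if the path is absent
        *)  negate=0; p=$spec ;;
    esac
    if [ -e "$root$p" ]; then exists=1; else exists=0; fi
    # pass when existence disagrees with the negation flag
    if [ "$exists" -ne "$negate" ]; then echo pass; else echo fail; fi
}

# unit_would_start UNIT_FILE [ROOT] -> prints "start" or "skipped";
# each unmet condition is reported on stderr
unit_would_start() {
    unit=$1
    root=${2:-}
    result=start
    # sed extracts the value of every ConditionPathExists= line (comments are
    # ignored because they do not start with the directive name). Unit paths
    # contain no whitespace, so word splitting in the for loop is safe here.
    for spec in $(sed -n 's/^ConditionPathExists=//p' "$unit"); do
        if [ "$(eval_condition "$spec" "$root")" = fail ]; then
            echo "unmet condition: ConditionPathExists=$spec" >&2
            result=skipped
        fi
    done
    echo "$result"
}

# demo: constructed unit file and two constructed root trees
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/unit"
    # the two directives quoted in the bug report, copied into a scratch unit
    cat > "$tmp/unit/apparmor.service" <<'EOF'
[Unit]
# Don't start this unit on the Ubuntu Live CD
ConditionPathExists=!/rofs/etc/apparmor.d
# Don't start this unit on the Debian Live CD when using overlayfs
ConditionPathExists=!/run/live/overlay/work
EOF
    installed="$tmp/installed"                 # no /rofs: looks like a normal install
    live="$tmp/live"                           # /rofs/etc/apparmor.d present: looks like the live ISO
    mkdir -p "$installed" "$live/rofs/etc/apparmor.d"
    echo "installed system: $(unit_would_start "$tmp/unit/apparmor.service" "$installed")"
    echo "ubuntu live ISO:  $(unit_would_start "$tmp/unit/apparmor.service" "$live")"
    rm -rf "$tmp"
}

demo
```

On a real system the same information is available without a script: `systemctl status apparmor.service` reports when the unit was skipped because of an unmet condition, and `aa-status` (from apparmor-utils) shows whether any profiles are actually loaded, which is the quickest way to confirm whether a live session is confined or not.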
** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Summary changed:

- Enable AppArmor confinement on the live ISO
+ Enable AppArmor confinement on Ubuntu live ISOs

** Description changed:

- Currently, AppArmor profiles are not enabled on the live ISO because of
- the following settings in /usr/lib/systemd/system/apparmor.service:
+ Currently, AppArmor profiles are not enabled on live ISOs because of the
+ following settings in /usr/lib/systemd/system/apparmor.service:

- # Don't start this unit on the Ubuntu Live CD
- ConditionPathExists=!/rofs/etc/apparmor.d
+ # Don't start this unit on the Ubuntu Live CD
+ ConditionPathExists=!/rofs/etc/apparmor.d

- # Don't start this unit on the Debian Live CD when using overlayfs
- ConditionPathExists=!/run/live/overlay/work
+ # Don't start this unit on the Debian Live CD when using overlayfs
+ ConditionPathExists=!/run/live/overlay/work

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146939

Title:
  Enable AppArmor confinement on Ubuntu live ISOs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2146939/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
