Thanks to Luap99 in the pasta IRC for finding a way to simply reproduce this bug. I added it to the original report.
podman unshare --rootless-netns true Furthermore Luap99 found the relevant code path that causes this: https://github.com/containers/container-libs/blob/bb257f992dfe84201d967429e4cacb6d0e454a34/common/libnetwork/internal/rootlessnetns/netns_linux.go#L115 Luap99 pointed out that 'when using the docker compat api "pasta" is not the default network mode, "bridge" is which uses the rootless-netns code path', which explains why this bug does not affect normal invocations of podman. ** Description changed: kernel: audit: type=1400 audit(1779897075.327:202): apparmor="DENIED" operation="signal" class="signal" profile="pasta" pid=4025 comm="podman" requested_mask="receive" denied_mask="receive" signal=term peer="podman" Reproduce: 0) Install Ubuntu 26.04 - 1) Enable rootless podman socket via systemctl --user - 2) Point the docker executor of a gitlab-runner to the socket + 1) podman unshare --rootless-netns true Description: Ubuntu 26.04 LTS Release: 26.04 passt: Installed: 0.0~git20260120.386b5f5-1 Candidate: 0.0~git20260120.386b5f5-1 Version table: *** 0.0~git20260120.386b5f5-1 500 podman: Installed: 5.7.0+ds2-3build1 Candidate: 5.7.0+ds2-3build1 Version table: *** 5.7.0+ds2-3build1 500 ProblemType: Bug DistroRelease: Ubuntu 26.04 Package: podman 5.7.0+ds2-3build1 ProcVersionSignature: Ubuntu 7.0.0-15.15-generic 7.0.0 Uname: Linux 7.0.0-15-generic x86_64 ApportVersion: 2.34.0-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: unknown Date: Wed May 27 18:10:50 2026 ProcEnviron: LANG=C.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR=<set> SourcePackage: podman UpgradeStatus: Upgraded to resolute on 2026-05-27 (0 days ago) modified.conffile..etc.cni.net.d.87-podman-bridge.conflist: [deleted] modified.conffile..etc.containers.libpod.conf: [deleted] ** Description changed: kernel: audit: type=1400 audit(1779897075.327:202): apparmor="DENIED" operation="signal" class="signal" profile="pasta" pid=4025 comm="podman" requested_mask="receive" denied_mask="receive" signal=term peer="podman" Reproduce: 0) Install Ubuntu 26.04 - 1) podman unshare --rootless-netns true + 1) Run as a non-root user: podman unshare --rootless-netns true Description: Ubuntu 26.04 LTS Release: 26.04 passt: Installed: 0.0~git20260120.386b5f5-1 Candidate: 0.0~git20260120.386b5f5-1 Version table: *** 0.0~git20260120.386b5f5-1 500 podman: Installed: 5.7.0+ds2-3build1 Candidate: 5.7.0+ds2-3build1 Version table: *** 5.7.0+ds2-3build1 500 ProblemType: Bug DistroRelease: Ubuntu 26.04 Package: podman 5.7.0+ds2-3build1 ProcVersionSignature: Ubuntu 7.0.0-15.15-generic 7.0.0 Uname: Linux 7.0.0-15-generic x86_64 ApportVersion: 2.34.0-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: unknown Date: Wed May 27 18:10:50 2026 ProcEnviron: LANG=C.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR=<set> SourcePackage: podman UpgradeStatus: Upgraded to resolute on 2026-05-27 (0 days ago) modified.conffile..etc.cni.net.d.87-podman-bridge.conflist: [deleted] modified.conffile..etc.containers.libpod.conf: [deleted] -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2154379 Title: pasta is not allowed to receive signals from podman due to apparmor To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2154379/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
