I got in contact with the pasta maintainer. We both think this should be patched in the podman profile. There is a Debian bug report about exactly this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100135
The Debian maintainers do not ship a podman profile and therefore don't have this problem.

I propose to adopt the solution mentioned in the bug report: Add a podman specific pasta profile and the corresponding transition like it was done here: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/libvirt-qemu?ref_type=heads#L193
The podman profile is provided by https://gitlab.com/apparmor/apparmor

I will create a patch and submit it to apparmor in the next few days. It would be nice if this patch would eventually be available in Ubuntu 26.04.1. Otherwise more people running gitlab-runner with a docker executor on a podman backend might encounter this problem.

** Bug watch added: Debian Bug tracker #1100135
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100135

** Also affects: podman (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

  kernel: audit: type=1400 audit(1779897075.327:202): apparmor="DENIED" operation="signal" class="signal" profile="pasta" pid=4025 comm="podman" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
  
  Reproduce:
  0) Install Ubuntu 26.04
- 1) Run as a non-root user: podman unshare --rootless-netns true
+ 1) Install podman: sudo apt install podman
+ 2) Run as a non-root user: podman unshare --rootless-netns true
  
  Description:    Ubuntu 26.04 LTS
  Release:        26.04
  
  passt:
    Installed: 0.0~git20260120.386b5f5-1
    Candidate: 0.0~git20260120.386b5f5-1
    Version table:
   *** 0.0~git20260120.386b5f5-1 500
  
  podman:
    Installed: 5.7.0+ds2-3build1
    Candidate: 5.7.0+ds2-3build1
    Version table:
   *** 5.7.0+ds2-3build1 500
  
  ProblemType: Bug
  DistroRelease: Ubuntu 26.04
  Package: podman 5.7.0+ds2-3build1
  ProcVersionSignature: Ubuntu 7.0.0-15.15-generic 7.0.0
  Uname: Linux 7.0.0-15-generic x86_64
  ApportVersion: 2.34.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Wed May 27 18:10:50 2026
  ProcEnviron:
   LANG=C.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  SourcePackage: podman
  UpgradeStatus: Upgraded to resolute on 2026-05-27 (0 days ago)
  modified.conffile..etc.cni.net.d.87-podman-bridge.conflist: [deleted]
  modified.conffile..etc.containers.libpod.conf: [deleted]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2154379

Title:
  pasta is not allowed to receive signals from podman due to apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2154379/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
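As an added illustration (not the patch the commenter submitted to the AppArmor project, and not the libvirt-qemu profile itself), this is the shape of the podman-scoped pasta child profile and transition that the proposal describes, with the signal rule taken from the audit line quoted in the bug description. The pasta binary path and the abstraction used are assumptions; only the rules needed to show the transition and the signal permission are included.

```apparmor
# Added illustration for this bug, not the submitted patch.
# These rules live inside the podman profile (name "podman", as seen in
# the audit line's peer="podman"). Assumed binary path: /usr/bin/pasta.

# Transition pasta into a child profile owned by podman ("podman//pasta")
# instead of the standalone "pasta" profile that produced the denial.
/usr/bin/pasta Cx -> pasta,

# podman must also be allowed to send the signal to the new peer name;
# SIGTERM is the signal the audit line reports.
signal (send) set=(term) peer=podman//pasta,

profile pasta /usr/bin/pasta {
  # Assumed: the same base abstraction the standalone pasta profile uses.
  include <abstractions/base>

  # The denial was: profile="pasta" denied_mask="receive" signal=term
  # peer="podman". Allow exactly that, SIGTERM from podman, and no more.
  signal (receive) set=(term) peer=podman,

  # Remaining pasta rules (network, /proc, sockets) go here; they are
  # omitted in this illustration.
}
```

After loading the profile, a reproduction with `podman unshare --rootless-netns true` should no longer log an apparmor="DENIED" operation="signal" line for profile "pasta".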
