[Bug 2062929] Re: AppArmor profile policy `unconfined_restrictions` missing for jammy and mantic 6.5 kernel

Launchpad Bug Tracker 2062929 at bugs.launchpad.net
Fri Jul 5 09:56:21 UTC 2024


This bug was fixed in the package livecd-rootfs - 2.765.44

---------------
livecd-rootfs (2.765.44) jammy; urgency=medium

  [ Rémy Martin ]
  * Backport support for building tegra-igx Server and Core images;
    LP: #2070070.

livecd-rootfs (2.765.43) jammy; urgency=medium

  * buildd/02-disk-image-uefi add udev early hook to satisfy grub-probe
    and grub-install. (LP: #2064175)

livecd-rootfs (2.765.42) jammy; urgency=medium

  [ Ankush Pathak ]
  * Add policy:unconfined_restrictions feature to 6.5 kernel (LP: #2062929)

 -- Philip Roche <phil.roche at canonical.com>  Thu, 27 Jun 2024 14:11:06 +0100

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2062929

Title:
  AppArmor profile policy `unconfined_restrictions` missing for jammy
  and mantic 6.5 kernel

Status in livecd-rootfs package in Ubuntu:
  New
Status in livecd-rootfs source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Mantic:
  Fix Released
Status in livecd-rootfs source package in Oracular:
  Invalid

Bug description:
  A CPC snap preseeding test failure on arm64 is blocking image publication.
  A recent update, specifically 6.5.0.1017.17~22.04.1, to the jammy 6.5 kernel introduced a new AppArmor profile `unconfined_restrictions`. This is not reflected in the snap preseeding code and needs to be updated.

  [ Impact ]

  Boot will be slowed by ~200ms until this is resolved in livecd-rootfs

  [ Test Plan ]
  * Build a jammy and mantic cloud image with preseeded snaps with the 6.5.0 1017+ kernel
  * Boot an instance 
  * Invoke "snap debug seeding" 
  * Ensure the output does not include "seed-restart-system-key", if it does the difference between "preseed-system-key" and "apparmor-features"/"apparmor-parser-features" is other than "policy:unconfined_restrictions"

  [ Where problems could occur ]
  * If the attempted fix has problems "snap debug seeding" should continue to report "seed-restart-system-key". There should not be any other fallout.

  [ Other Info ]
  Public cloud images block image publication on a test ensuring that snaps are preseeded. As a result this bug is blocking jammy and mantic image publication.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2062929/+subscriptions
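
The last test-plan step above, as an added example that is not part of the bug report and is not snapd or livecd-rootfs code. It assumes the "preseed-system-key" and "seed-restart-system-key" values have been copied out of the "snap debug seeding" output as JSON objects; the function names are hypothetical and the feature lists are constructed sample data.

```python
import json

# Key and feature names as quoted in the test plan above.
FEATURE_KEYS = ("apparmor-features", "apparmor-parser-features")
KNOWN_FEATURE = "policy:unconfined_restrictions"


def feature_drift(preseed_key, restart_key):
    """For each AppArmor feature list, report what the booted system
    has that the preseeded image lacked ("added") and vice versa."""
    drift = {}
    for name in FEATURE_KEYS:
        before = set(preseed_key.get(name) or [])
        after = set(restart_key.get(name) or [])
        if before != after:
            drift[name] = {"added": sorted(after - before),
                           "removed": sorted(before - after)}
    return drift


def verdict(preseed_key, restart_key):
    """Classify one boot: restart_key is None when the output has no
    "seed-restart-system-key" entry, which is the passing case."""
    if restart_key is None:
        return "pass", {}
    drift = feature_drift(preseed_key, restart_key)
    changed = {f for d in drift.values() for side in d.values() for f in side}
    if KNOWN_FEATURE in changed:
        # Image was preseeded without the feature the 6.5 kernel reports.
        return "unconfined_restrictions-mismatch", drift
    # Seeding restarted for some other reason; drift may be empty if the
    # keys differ outside the two AppArmor feature lists.
    return "other-mismatch", drift


# Constructed sample keys (not captured from a real system).
PRESEED = json.loads('{"apparmor-features": ["caps", "dbus", "policy"],'
                     ' "apparmor-parser-features": ["unsafe"]}')
RESTART = json.loads('{"apparmor-features": ["caps", "dbus", "policy",'
                     ' "policy:unconfined_restrictions"],'
                     ' "apparmor-parser-features": ["unsafe"]}')

if __name__ == "__main__":
    print(verdict(PRESEED, RESTART))
```
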