[Bug 2062929] Re: AppArmor profile policy `unconfined_restrictions` missing for jammy and mantic 6.5 kernel

Ankush Pathak 2062929 at bugs.launchpad.net
Fri Jun 28 14:49:58 UTC 2024 

Hello Andreas,

The CPC jammy and mantic fork of livecd-rootfs have been patched with the fix for this bug since 30 April 2024. Since then CPC have built and tested several images with the patched CPC livecd-rootfs fork.
As a part of our testing we run an automated test that follows the steps listed in the test plan for this bug.
Based on this I am marking the bug as verfied.

Thanks,
Ankush

** Tags removed: verification-needed verification-needed-jammy verification-needed-mantic
** Tags added: verification-done verification-done-jammy verification-done-mantic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2062929

Title:
  AppArmor profile policy `unconfined_restrictions` missing for jammy
  and mantic 6.5 kernel

Status in livecd-rootfs package in Ubuntu:
  New
Status in livecd-rootfs source package in Jammy:
  Fix Committed
Status in livecd-rootfs source package in Mantic:
  Fix Committed
Status in livecd-rootfs source package in Oracular:
  Invalid

Bug description:
  A CPC snap preseeding test failure on arm64 is blocking image pulication.
  A recent update, specifically 6.5.0.1017.17~22.04.1, to the jammy 6.5 kernel introduced a new AppArmor profile `unconfined_restrictions`. This is not reflected in the snap preseeding code and needs to be updated.

  [ Impact ]

  Boot will be slowed by ~200ms until this is resolved in livecd-rootfs

  [ Test Plan ]
  * Build a jammy and mantic cloud image with preseeded snaps with the 6.5.0 1017+ kernel
  * Boot an instance 
  * Invoke "snap debug seeding" 
  * Ensure the output does not include "seed-restart-system-key", if it does the difference between "preseed-system-key" and "apparmor-features"/"apparmor-parser-features" is other than "policy:unconfined_restrictions"

  [ Where problems could occur ]
  * If the attempted fix has problems "snap debug seeding" should continue to report "seed-restart-system-key". There should not be any other fallout.

  [  Other Info ]
  Public cloud images block image publication on a test ensuring that snaps are preseeded. As a result this bug is blocking jammy and mantic image publication.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2062929/+subscriptions

More information about the foundations-bugs mailing list