[Bug 2107453] [NEW] apparmor profiles in install environment are not enabled

Christian Ehrhardt 2107453 at bugs.launchpad.net
Wed Apr 16 08:48:13 UTC 2025


Public bug reported:

Hey,
on one hand it is good: it saved us from bug 2107402 breaking the installation.
It might even be intentional, or snap-conceptual and therefore intentional in this environment.
Still, I wanted to raise the difference we found, so that we understand it and, if it is wrong, fix it.

What we found were issues in apparmor on the system, and for a moment we
wondered why that hadn't completely broken the install. The difference we
found was that the aa profiles behaved differently in the install
environment.

1. Both the install and the final environment have the packages apparmor (which has the profile) and
util-linux (which has lsblk) installed

From the install env:

```
# ls -la /etc/apparmor.d/lsblk
-rw-r--r-- 1 root root 1115 Apr 10 12:44 /etc/apparmor.d/lsblk

# apt-cache policy apparmor
apparmor:
  Installed: 4.1.0~beta5-0ubuntu14
  Candidate: 4.1.0~beta5-0ubuntu14
  Version table:
 *** 4.1.0~beta5-0ubuntu14 500
        500 http://ports.ubuntu.com/ubuntu-ports plucky/main s390x Packages
        100 /var/lib/dpkg/status
```

2. aa-status is different

install env:

```
root@ubuntu-server:/# aa-status
apparmor module is loaded.
14 profiles are loaded.
6 profiles are in enforce mode.
   /snap/snapd/23776/usr/lib/snapd/snap-confine
   /snap/snapd/23776/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   rsyslogd
   snap-update-ns.subiquity
8 profiles are in complain mode.
   snap.subiquity.curtin
   snap.subiquity.hook.configure
   snap.subiquity.hook.install
   snap.subiquity.hook.post-refresh
   snap.subiquity.probert
   snap.subiquity.subiquity
   snap.subiquity.subiquity-server
   snap.subiquity.subiquity-service
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
12 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/rsyslogd (1251) rsyslogd
11 processes are in complain mode.
   /snap/subiquity/6612/usr/bin/python3.12 (1279) snap.subiquity.subiquity
   /snap/subiquity/6620/usr/bin/python3.12 (1994) snap.subiquity.subiquity
   /usr/bin/bash (2976) snap.subiquity.subiquity
   /usr/sbin/aa-status (3029) snap.subiquity.subiquity
   /usr/bin/dash (2479) snap.subiquity.subiquity-server
   /usr/bin/dash (2503) snap.subiquity.subiquity-server
   /usr/bin/dash (2554) snap.subiquity.subiquity-server
   /snap/subiquity/6620/usr/bin/python3.12 (2646) snap.subiquity.subiquity-server
   /snap/subiquity/6620/usr/bin/python3.12 (2400) snap.subiquity.subiquity-service
   /snap/subiquity/6620/usr/bin/python3.12 (2605) snap.subiquity.subiquity-service
   /snap/subiquity/6620/usr/bin/python3.12 (2606) snap.subiquity.subiquity-service
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
root@ubuntu-server:/# 
```

full system later:

```
root@p:~# aa-status
apparmor module is loaded.
172 profiles are loaded.
91 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   alsamixer
   babeld
   bfdd
   bgpd
   bwrap
   dnstracer
   eigrpd
   fabricd
   fusermount3
   iotop-c
   irssi
   isisd
   ldpd
   linux-boot-prober
   lsb_release
   lsblk
   lsusb
   man_filter
   man_groff
   mbsync
   mosquitto
   nc.openbsd
   nhrpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   openvpn
   openvpn//ip
   openvpn//update-resolv
   os-prober
   ospf6d
   ospfd
   pathd
   pbrd
   pim6d
   pimd
   plasmashell
   plasmashell//QtWebEngineProcess
   remmina
   ripd
   ripngd
   rsyslogd
   rygel
   rygel//mx-extract
   sbuild
   sbuild-abort
   sbuild-adduser
   sbuild-apt
   sbuild-checkpackages
   sbuild-clean
   sbuild-createchroot
   sbuild-destroychroot
   sbuild-distupgrade
   sbuild-hold
   sbuild-shell
   sbuild-unhold
   sbuild-update
   sbuild-upgrade
   shell_browser
   shell_browser//sanitized_helper
   staticd
   tcpdump
   tinyproxy
   tnftp
   tnftp//cmds
   tnftp//dash
   tnftp//dash//more
   tshark
   tshark//dumpcap
   ubuntu_pro_apt_news
   ubuntu_pro_esm_cache
   ubuntu_pro_esm_cache//apt_methods
   ubuntu_pro_esm_cache//apt_methods_gpgv
   ubuntu_pro_esm_cache//cloud_id
   ubuntu_pro_esm_cache//dpkg
   ubuntu_pro_esm_cache//ps
   ubuntu_pro_esm_cache//ubuntu_distro_info
   ubuntu_pro_esm_cache_systemctl
   ubuntu_pro_esm_cache_systemd_detect_virt
   unix-chkpwd
   unpriv_bwrap
   unprivileged_userns
   vrrpd
   wg
   wg-quick
   wg-quick//ip
   wg-quick//nft
   wg-quick//sysctl
   znc
5 profiles are in complain mode.
   Xorg
   transmission-cli
   transmission-daemon
   transmission-gtk
   transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
76 profiles are in unconfined mode.
   1password
   Discord
   MongoDB Compass
   QtWebEngineProcess
   balena-etcher
   brave
   buildah
   cam
   ch-checkns
   ch-run
   chrome
   chromium
   crun
   devhelp
   element-desktop
   epiphany
   evolution
   firefox
   flatpak
   foliate
   geary
   github-desktop
   goldendict
   ipa_verify
   kchmviewer
   keybase
   lc-compliance
   libcamerify
   linux-sandbox
   loupe
   lxc-attach
   lxc-create
   lxc-destroy
   lxc-execute
   lxc-stop
   lxc-unshare
   lxc-usernsexec
   mmdebstrap
   msedge
   notepadqq
   obsidian
   opam
   opera
   pageedit
   podman
   polypane
   privacybrowser
   qcam
   qmapshack
   qutebrowser
   rootlesskit
   rpm
   rssguard
   runc
   scide
   signal-desktop
   slack
   slirp4netns
   steam
   stress-ng
   surfshark
   systemd-coredump
   thunderbird
   toybox
   trinity
   tup
   tuxedo-control-center
   userbindmount
   uwsgi-core
   vdens
   virtiofsd
   vivaldi-bin
   vpnns
   vscode
   wike
   wpcom
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/rsyslogd (617) rsyslogd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
```


Again, I'm not sure if it is "wrong", but I wanted to report it to clarify it.
Let us know if it is an easy answer that I missed in the past, and let us know as well if instead this is an "oh wow, we didn't know, let us fix it".

** Affects: subiquity (Ubuntu)
     Importance: Undecided
         Status: New
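The report compares the profile file on disk with the `aa-status` output by eye. Below is an added example (not part of the bug report or of subiquity) that does the same comparison in code: it parses the text layout of `aa-status` quoted above, lists the profiles that are shipped under `/etc/apparmor.d` but not loaded, and flags sections whose declared count does not match the names listed (a sign of truncated or mis-parsed output). It assumes that layout (a `N profiles are in <mode> mode.` header followed by one indented name per line, with the process section after all profile sections) and that `apparmor_parser -N FILE` is available to print the profile names a file defines, since file names and profile names can differ. The embedded sample output is a constructed, abbreviated version of the install-environment output in the report.

```python
"""Added example: check which AppArmor profiles present on disk are not
loaded, by parsing the text output of aa-status. Not code from the bug
report or from subiquity; assumes the aa-status layout quoted there."""
import os
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: an abbreviated, self-consistent version of the
# install-environment aa-status output quoted in the bug report.
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
6 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   rsyslogd
   snap-update-ns.subiquity
2 profiles are in complain mode.
   snap.subiquity.curtin
   snap.subiquity.subiquity
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
3 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/rsyslogd (1251) rsyslogd
2 processes are in complain mode.
   /usr/bin/dash (2479) snap.subiquity.subiquity-server
   /usr/bin/dash (2503) snap.subiquity.subiquity-server
"""

PROFILE_HEADER = re.compile(r"^(\d+) profiles are in (\w+) mode\.$")
PROCESS_HEADER = re.compile(r"^\d+ processes ")


def parse_profiles(text: str) -> Dict[str, str]:
    """Map each loaded profile name to its mode (enforce, complain, ...).

    Parsing stops at the first "N processes ..." header so that process
    lines such as "/usr/sbin/rsyslogd (1251) rsyslogd" are never taken
    for profile names.
    """
    modes: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if PROCESS_HEADER.match(line):
            break
        header = PROFILE_HEADER.match(line)
        if header:
            current = header.group(2)
        elif current is not None and line.startswith("   "):
            modes[line.strip()] = current
    return modes


def count_mismatches(text: str) -> Dict[str, Tuple[int, int]]:
    """{mode: (declared, listed)} for every profile section whose header
    count differs from the number of names listed under it."""
    declared: Dict[str, int] = {}
    for line in text.splitlines():
        if PROCESS_HEADER.match(line):
            break
        header = PROFILE_HEADER.match(line)
        if header:
            declared[header.group(2)] = int(header.group(1))
    listed: Dict[str, int] = {}
    for mode in parse_profiles(text).values():
        listed[mode] = listed.get(mode, 0) + 1
    return {mode: (n, listed.get(mode, 0))
            for mode, n in declared.items() if n != listed.get(mode, 0)}


def not_loaded(expected: List[str], text: str) -> List[str]:
    """Profiles expected to be loaded but absent from the aa-status output."""
    loaded = parse_profiles(text)
    return [name for name in expected if name not in loaded]


def profile_names_on_disk(apparmor_d: str = "/etc/apparmor.d") -> List[str]:
    """Profile names defined by the files directly under apparmor_d.

    File names and profile names are not always equal (usr.bin.man defines
    /usr/bin/man), so apparmor_parser is asked to print the names each file
    defines (-N / --names). Subdirectories and files the parser rejects
    are skipped.
    """
    names: List[str] = []
    for entry in sorted(os.listdir(apparmor_d)):
        path = os.path.join(apparmor_d, entry)
        if not os.path.isfile(path) or entry.startswith("."):
            continue
        result = subprocess.run(["apparmor_parser", "-N", path],
                                capture_output=True, text=True)
        if result.returncode == 0:
            names.extend(l.strip() for l in result.stdout.splitlines() if l.strip())
    return names


if __name__ == "__main__":
    # Live check; aa-status needs root to list processes on most systems.
    status = subprocess.run(["aa-status"], capture_output=True,
                            text=True, check=True).stdout
    for name in not_loaded(profile_names_on_disk(), status):
        print(f"on disk but not loaded: {name}")
    for mode, (declared, listed) in count_mismatches(status).items():
        print(f"{mode}: header says {declared}, {listed} names listed")
```

Run against the constructed sample, `not_loaded(["lsblk", "rsyslogd"], SAMPLE_AA_STATUS)` returns `["lsblk"]`, which is exactly the discrepancy the report describes; run live in the install environment it would list every shipped profile that is not loaded there.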

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subiquity in Ubuntu.
https://bugs.launchpad.net/bugs/2107453
