[Bug 2107453] Re: apparmor profiles in install environment are not enabled
Dan Bungert
2107453 at bugs.launchpad.net
Tue Apr 22 15:46:36 UTC 2025
** Changed in: subiquity (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subiquity in Ubuntu.
https://bugs.launchpad.net/bugs/2107453
Title:
apparmor profiles in install environment are not enabled
Status in subiquity package in Ubuntu:
New
Bug description:
Hey,
On the one hand it is good: it saved us from bug 2107402 breaking the installation.
It might even be intentional, or snap-conceptual and therefore intentional in this environment.
Still, I wanted to raise the difference we found so that we can understand it and, if it is wrong, fix it.
What we found were issues in apparmor on the system, and for a moment we wondered why that hadn't completely broken the install. The difference we found was that the aa profiles behaved differently in the install environment.
1. Both the install and the final environment have the packages apparmor (which ships the profile) and util-linux (which ships lsblk) installed
From the install env:
```
# ls -la /etc/apparmor.d/lsblk
-rw-r--r-- 1 root root 1115 Apr 10 12:44 /etc/apparmor.d/lsblk
# apt-cache policy apparmor
apparmor:
Installed: 4.1.0~beta5-0ubuntu14
Candidate: 4.1.0~beta5-0ubuntu14
Version table:
*** 4.1.0~beta5-0ubuntu14 500
500 http://ports.ubuntu.com/ubuntu-ports plucky/main s390x Packages
100 /var/lib/dpkg/status
```
2. aa-status is different
install env:
```
root at ubuntu-server:/# aa-status
apparmor module is loaded.
14 profiles are loaded.
6 profiles are in enforce mode.
/snap/snapd/23776/usr/lib/snapd/snap-confine
/snap/snapd/23776/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
rsyslogd
snap-update-ns.subiquity
8 profiles are in complain mode.
snap.subiquity.curtin
snap.subiquity.hook.configure
snap.subiquity.hook.install
snap.subiquity.hook.post-refresh
snap.subiquity.probert
snap.subiquity.subiquity
snap.subiquity.subiquity-server
snap.subiquity.subiquity-service
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
12 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/rsyslogd (1251) rsyslogd
11 processes are in complain mode.
/snap/subiquity/6612/usr/bin/python3.12 (1279) snap.subiquity.subiquity
/snap/subiquity/6620/usr/bin/python3.12 (1994) snap.subiquity.subiquity
/usr/bin/bash (2976) snap.subiquity.subiquity
/usr/sbin/aa-status (3029) snap.subiquity.subiquity
/usr/bin/dash (2479) snap.subiquity.subiquity-server
/usr/bin/dash (2503) snap.subiquity.subiquity-server
/usr/bin/dash (2554) snap.subiquity.subiquity-server
/snap/subiquity/6620/usr/bin/python3.12 (2646) snap.subiquity.subiquity-server
/snap/subiquity/6620/usr/bin/python3.12 (2400) snap.subiquity.subiquity-service
/snap/subiquity/6620/usr/bin/python3.12 (2605) snap.subiquity.subiquity-service
/snap/subiquity/6620/usr/bin/python3.12 (2606) snap.subiquity.subiquity-service
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
root at ubuntu-server:/#
```
full system later:
```
root at p:~# aa-status
apparmor module is loaded.
172 profiles are loaded.
91 profiles are in enforce mode.
/usr/bin/man
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
alsamixer
babeld
bfdd
bgpd
bwrap
dnstracer
eigrpd
fabricd
fusermount3
iotop-c
irssi
isisd
ldpd
linux-boot-prober
lsb_release
lsblk
lsusb
man_filter
man_groff
mbsync
mosquitto
nc.openbsd
nhrpd
nvidia_modprobe
nvidia_modprobe//kmod
openvpn
openvpn//ip
openvpn//update-resolv
os-prober
ospf6d
ospfd
pathd
pbrd
pim6d
pimd
plasmashell
plasmashell//QtWebEngineProcess
remmina
ripd
ripngd
rsyslogd
rygel
rygel//mx-extract
sbuild
sbuild-abort
sbuild-adduser
sbuild-apt
sbuild-checkpackages
sbuild-clean
sbuild-createchroot
sbuild-destroychroot
sbuild-distupgrade
sbuild-hold
sbuild-shell
sbuild-unhold
sbuild-update
sbuild-upgrade
shell_browser
shell_browser//sanitized_helper
staticd
tcpdump
tinyproxy
tnftp
tnftp//cmds
tnftp//dash
tnftp//dash//more
tshark
tshark//dumpcap
ubuntu_pro_apt_news
ubuntu_pro_esm_cache
ubuntu_pro_esm_cache//apt_methods
ubuntu_pro_esm_cache//apt_methods_gpgv
ubuntu_pro_esm_cache//cloud_id
ubuntu_pro_esm_cache//dpkg
ubuntu_pro_esm_cache//ps
ubuntu_pro_esm_cache//ubuntu_distro_info
ubuntu_pro_esm_cache_systemctl
ubuntu_pro_esm_cache_systemd_detect_virt
unix-chkpwd
unpriv_bwrap
unprivileged_userns
vrrpd
wg
wg-quick
wg-quick//ip
wg-quick//nft
wg-quick//sysctl
znc
5 profiles are in complain mode.
Xorg
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
76 profiles are in unconfined mode.
1password
Discord
MongoDB Compass
QtWebEngineProcess
balena-etcher
brave
buildah
cam
ch-checkns
ch-run
chrome
chromium
crun
devhelp
element-desktop
epiphany
evolution
firefox
flatpak
foliate
geary
github-desktop
goldendict
ipa_verify
kchmviewer
keybase
lc-compliance
libcamerify
linux-sandbox
loupe
lxc-attach
lxc-create
lxc-destroy
lxc-execute
lxc-stop
lxc-unshare
lxc-usernsexec
mmdebstrap
msedge
notepadqq
obsidian
opam
opera
pageedit
podman
polypane
privacybrowser
qcam
qmapshack
qutebrowser
rootlesskit
rpm
rssguard
runc
scide
signal-desktop
slack
slirp4netns
steam
stress-ng
surfshark
systemd-coredump
thunderbird
toybox
trinity
tup
tuxedo-control-center
userbindmount
uwsgi-core
vdens
virtiofsd
vivaldi-bin
vpnns
vscode
wike
wpcom
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/rsyslogd (617) rsyslogd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
```
Again, I'm not sure if it is "wrong", but I wanted to report it to clarify it.
Let us know if it is an easy answer that I missed in the past, and let us know as well if instead this is "oh wow, we didn't know, let us fix it".
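A defender-side check for the gap the report describes (a profile shipped in /etc/apparmor.d, like lsblk, that aa-status never lists). This is an added example, not from the bug or from subiquity; the aa-status text and the profile directory are constructed inline, and profile names are read from unquoted `profile NAME` header lines, which is an assumption that holds for the lsblk profile shown above.

```shell
#!/bin/sh
# Constructed sample modelled on the install-environment aa-status output
# quoted in the bug (abbreviated; indented as real aa-status prints it).
SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   rsyslogd
2 profiles are in complain mode.
   snap.subiquity.curtin
   snap.subiquity.subiquity
0 profiles are in prompt mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/rsyslogd (1251) rsyslogd'

# loaded_profiles: read aa-status text on stdin and print the loaded
# profile names (indented entries under each "profiles are in ... mode"
# header), stopping when the per-process section begins.
loaded_profiles() {
    awk '
        /^[0-9]+ processes have profiles defined/ { exit }
        /^[0-9]+ profiles are in /               { inlist = 1; next }
        /^[^ \t]/                                { inlist = 0; next }
        inlist { sub(/^[ \t]+/, ""); print }
    ' | LC_ALL=C sort -u
}

# declared_profiles DIR: names declared by the profile files in DIR,
# taken from their "profile NAME ..." header (unquoted names only).
declared_profiles() {
    sed -n 's/^profile  *\([^ ]*\).*/\1/p' "$1"/* | LC_ALL=C sort -u
}

# unloaded_profiles DIR STATUSFILE: names declared in DIR but missing from
# the aa-status output in STATUSFILE, i.e. shipped but not enabled.
unloaded_profiles() {
    tmp=$(mktemp)
    loaded_profiles < "$2" > "$tmp"
    declared_profiles "$1" | LC_ALL=C comm -23 - "$tmp"
    rm -f "$tmp"
}

# demo: constructed profile directory (lsblk and rsyslogd) checked against
# the sample status; only lsblk is shipped without being loaded.
demo() {
    d=$(mktemp -d) && mkdir "$d/apparmor.d"
    printf 'profile lsblk /usr/bin/lsblk {\n}\n' > "$d/apparmor.d/lsblk"
    printf 'profile rsyslogd /usr/sbin/rsyslogd {\n}\n' > "$d/apparmor.d/rsyslogd"
    printf '%s\n' "$SAMPLE_AA_STATUS" > "$d/status.txt"
    unloaded_profiles "$d/apparmor.d" "$d/status.txt"
    rm -rf "$d"
}

demo   # prints: lsblk
```

On a live system the same comparison is `aa-status > status.txt; unloaded_profiles /etc/apparmor.d status.txt`.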
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2107453/+subscriptions