[Bug 2116974] [NEW] Extra AppArmor features in Snapd 2.70 causes snap preseed to be unoptimized

Launchpad Bug Tracker 2116974 at bugs.launchpad.net
Thu Jul 17 18:35:48 UTC 2025


You have been subscribed to a public bug:

[SRU] 2.70: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2112209

[ Impact ]

Systems running snapd 2.70 contain additional features in
seed-restart-system-key which aren't in `livecd-rootfs` for Focal and Jammy.
Specifically, the `policy/outofband` preseed file is missing when
performing preseeding in a LXD container. This also causes boot times to
slow down, which is a side effect and not the actual bug.

[ Test Plan ]

1. Produce error with snapd 2.70 (existing evidence is fine)
2. Switch to snapd 2.71
3. Prove that preseeding works and preseeding files are not missing.

[ Initial Investigation ]

Systems running snapd 2.70 (revision 24792) contain additional features
in seed-restart-system-key. This breaks automated tests that validate
snap pre-seeding behavior. Not every Ubuntu series is affected.

focal-2.68/apparmor-features.diff:
```
--- livecd-rootfs-apparmor-features.list	2025-06-24 16:25:52.262557956 +0200
+++ sys-kernel-security-apparmor-features.list	2025-06-24 16:25:30.719172692 +0200
@@ -31,6 +31,7 @@
 ./network_v8/
 ./network_v8/af_mask
 ./policy/
+./policy/outofband
 ./policy/set_load
 ./policy/versions/
 ./policy/versions/v5
```

The example above shows the difference between the AppArmor features listed in
livecd-rootfs (focal) and those present when the system boots in
/sys/kernel/security/apparmor/features on the image running snapd
2.68.4.1. My guess is that the new file in sysfs was introduced by a new
kernel version.

focal-2.70/apparmor-features.diff: same as above

The image with snapd 2.70 was built with the same livecd-rootfs and is
running the same kernel as the image with snapd 2.68. There’s no
difference.

focal-2.68/system-key.diff: empty

The image with snapd 2.68 does not register the new AppArmor feature
in either `preseed-system-key` or `seed-restart-system-key`.

focal-2.70/system-key.diff:
```
--- preseed-system-key.json	2025-06-24 16:25:30.471168251 +0200
+++ seed-restart-system-key.json	2025-06-24 16:25:30.484168484 +0200
@@ -34,6 +34,7 @@
     "network_v8",
     "network_v8:af_mask",
     "policy",
+    "policy:outofband",
     "policy:set_load",
     "policy:versions",
     "policy:versions:v5",
```

However, the image with snapd 2.70 registers this new feature in
seed-restart-system-key.

** Affects: snapd
     Importance: Undecided
         Status: New

** Affects: livecd-rootfs (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: livecd-rootfs (Ubuntu Focal)
     Importance: Undecided
         Status: Confirmed

** Affects: livecd-rootfs (Ubuntu Jammy)
     Importance: Undecided
         Status: Confirmed

-- 
Extra AppArmor features in Snapd 2.70 causes snap preseed to be unoptimized
https://bugs.launchpad.net/bugs/2116974
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
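
The comparison the report makes by hand, as an added example (not part of the original bug report and not snapd or livecd-rootfs code): it converts an AppArmor features listing into the colon-separated names seen in the system-key diff and reports what differs between the list baked into the image and the one seen at boot. The function names and sample data are assumptions, constructed from the diff excerpts above.

```python
"""Compare a baked-in AppArmor feature list with the one seen at boot."""

# Constructed samples, taken from the lines visible in the two diff excerpts.
LIVECD_LIST = """\
./network_v8/
./network_v8/af_mask
./policy/
./policy/set_load
./policy/versions/
./policy/versions/v5
"""
SYSFS_LIST = LIVECD_LIST + "./policy/outofband\n"
RESTART_KEY_FEATURES = ["network_v8", "network_v8:af_mask", "policy",
                        "policy:outofband", "policy:set_load",
                        "policy:versions", "policy:versions:v5"]


def features_from_listing(listing: str) -> set[str]:
    """Turn find-style paths (./policy/outofband, ./policy/) into the
    colon-separated form used in the system-key diff (policy:outofband)."""
    features = set()
    for raw in listing.splitlines():
        path = raw.strip()
        if path.startswith("./"):
            path = path[2:]
        path = path.strip("/")
        if path and path != ".":
            features.add(path.replace("/", ":"))
    return features


def drift(baked_listing: str, boot_listing: str) -> dict[str, list[str]]:
    """Features present on only one side of the image/boot comparison."""
    baked = features_from_listing(baked_listing)
    boot = features_from_listing(boot_listing)
    return {"only_at_boot": sorted(boot - baked),
            "only_in_image": sorted(baked - boot)}


def unexpected_in_key(key_features: list[str], baked_listing: str) -> list[str]:
    """Entries of a system-key feature array that the image list lacks."""
    return sorted(set(key_features) - features_from_listing(baked_listing))


if __name__ == "__main__":
    print("listing drift:", drift(LIVECD_LIST, SYSFS_LIST))
    print("extra in key: ", unexpected_in_key(RESTART_KEY_FEATURES, LIVECD_LIST))
```
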


