[Bug 2116974] Re: Extra AppArmor features in Snapd 2.70 causes snap preseed to be unoptimized
Ernest Lotter
2116974 at bugs.launchpad.net
Mon Nov 24 22:17:00 UTC 2025
This fix was not released to focal yet, because it is outside of
standard maintenance.
However, the next security release based on 2.72 will include this fix,
and is planned to be made available to focal as well.
** Changed in: livecd-rootfs (Ubuntu Focal)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2116974
Title:
Extra AppArmor features in Snapd 2.70 causes snap preseed to be
unoptimized
Status in snapd:
Fix Released
Status in livecd-rootfs package in Ubuntu:
New
Status in livecd-rootfs source package in Focal:
Fix Committed
Status in livecd-rootfs source package in Jammy:
Fix Released
Bug description:
[SRU] 2.70:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2112209
[ Impact ]
Systems running snapd 2.70 contain additional features in
seed-restart-system-key which aren't in `livecd-rootfs` for Focal and
Jammy. Specifically, the `policy/outofband` preseed file is missing
when performing preseeding in a LXD container. This also causes boot
times to slow down, which is a side effect and not the actual bug.
[ Test Plan ]
1. Produce error with snapd 2.70 (existing evidence is fine)
2. Switch to snapd 2.71
3. Prove that preseeding works and that no preseeding files are missing.
[ Initial Investigation ]
Systems running snapd 2.70 (revision 24792) contain additional
features in seed-restart-system-key. This breaks automated tests that
validate snap pre-seeding behavior. Not every Ubuntu series is
affected.
focal-2.68/apparmor-features.diff:
```
--- livecd-rootfs-apparmor-features.list 2025-06-24 16:25:52.262557956 +0200
+++ sys-kernel-security-apparmor-features.list 2025-06-24 16:25:30.719172692 +0200
@@ -31,6 +31,7 @@
./network_v8/
./network_v8/af_mask
./policy/
+./policy/outofband
./policy/set_load
./policy/versions/
./policy/versions/v5
```
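Review bot: the hunk shows `./policy/outofband` exposed by the running kernel under /sys/kernel/security/apparmor/features but absent from the livecd-rootfs (focal) feature list, so the shipped list no longer matches what the kernel reports; the correction belongs in the livecd-rootfs list (add the `./policy/outofband` line between `./policy/` and `./policy/set_load`), and since the description notes the 2.68 and 2.70 images run the same kernel, the kernel is not the variable that changed between the two results.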
The example above shows the difference between the AppArmor features
listed in livecd-rootfs (focal) and those present when the system boots
in /sys/kernel/security/apparmor/features on the image running snapd
2.68.4.1. My guess is that the new file in sysfs was introduced by a new
kernel version.
focal-2.70/apparmor-features.diff: same as above
The image with snapd 2.70 was built with the same livecd-rootfs and is
running the same kernel as the image with snapd 2.68. There’s no
difference.
focal-2.68/system-key.diff: empty
The image with snapd 2.68 does not register the new AppArmor feature in
either `preseed-system-key` or `seed-restart-system-key`.
focal-2.70/system-key.diff:
```
--- preseed-system-key.json 2025-06-24 16:25:30.471168251 +0200
+++ seed-restart-system-key.json 2025-06-24 16:25:30.484168484 +0200
@@ -34,6 +34,7 @@
"network_v8",
"network_v8:af_mask",
"policy",
+ "policy:outofband",
"policy:set_load",
"policy:versions",
"policy:versions:v5",
```
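Review bot: `policy:outofband` is present in seed-restart-system-key.json but not in preseed-system-key.json, so the system key recorded at preseed time and the one recorded as seed-restart-system-key disagree on the AppArmor feature set; this disagreement is what the [ Impact ] section links to slower boots, and it is the condition the test plan should assert on directly (the two JSON files must be identical once the livecd-rootfs list carries the extra feature), not only that the preseed files exist.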
However, the image with snapd 2.70 registers this new feature in
seed-restart-system-key.
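The check behind the two diffs above, written out as an added example (this is not code from the bug report, snapd or livecd-rootfs): it lists the AppArmor features a kernel exposes in the same "./dir/" and "./dir/file" form the livecd-rootfs list uses, reports entries the shipped list lacks, and converts a path such as `./policy/outofband` into the `policy:outofband` spelling seen in the system-key JSON files. The function names, the sample tree and the sample list are constructed for illustration; on a real system the first argument would be /sys/kernel/security/apparmor/features and the second the list livecd-rootfs ships.

```shell
#!/bin/sh
# Added example (not code from the bug report, snapd or livecd-rootfs).
# Function names and the sample data below are assumptions for illustration.
LC_ALL=C
export LC_ALL

# Walk a features directory (normally /sys/kernel/security/apparmor/features)
# and print entries as "./dir/" and "./dir/file", sorted, matching the
# layout of the livecd-rootfs feature list shown in the first diff.
list_apparmor_features() {
    ( cd "$1" && find . -mindepth 1 | while IFS= read -r p; do
        if [ -d "$p" ]; then printf '%s/\n' "$p"; else printf '%s\n' "$p"; fi
    done ) | sort
}

# Convert "./policy/outofband" to "policy:outofband", the spelling used in
# preseed-system-key.json / seed-restart-system-key.json in the second diff.
to_system_key_form() {
    sed -e 's#^\./##' -e 's#/$##' -e 's#/#:#g'
}

# Print features present in the live tree ($1) but absent from the shipped
# list file ($2). Returns 0 when the lists agree, 1 when something is missing.
missing_features() {
    live=$(mktemp)
    ship=$(mktemp)
    list_apparmor_features "$1" > "$live"
    sort "$2" > "$ship"
    # comm -13: suppress lines only in the shipped list and lines in both,
    # leaving lines that only the live kernel tree has.
    out=$(comm -13 "$ship" "$live")
    rm -f "$live" "$ship"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Build a constructed sample: a sysfs-like tree that exposes policy/outofband
# and a shipped list that, like the focal list in the bug, does not carry it.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/features/policy/versions" "$d/features/network_v8"
    for f in network_v8/af_mask policy/outofband policy/set_load policy/versions/v5; do
        : > "$d/features/$f"
    done
    printf '%s\n' ./network_v8/ ./network_v8/af_mask ./policy/ \
        ./policy/set_load ./policy/versions/ ./policy/versions/v5 > "$d/shipped.list"
    printf '%s\n' "$d"
}

# Stand-alone run: report the gap in the constructed sample, then clean up.
if [ "${1:-}" = "--demo" ]; then
    d=$(build_sample)
    echo "features missing from shipped list (system-key spelling in brackets):"
    missing_features "$d/features" "$d/shipped.list" | while IFS= read -r m; do
        printf '%s [%s]\n' "$m" "$(printf '%s\n' "$m" | to_system_key_form)"
    done
    rm -rf "$d"
fi
```

Run it with `sh check.sh --demo` to see `./policy/outofband [policy:outofband]` reported for the sample; appending that line to the shipped list makes `missing_features` return 0, which is the state the livecd-rootfs fix restores.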
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/2116974/+subscriptions
More information about the foundations-bugs
mailing list