firejail AppArmor profile not compatible with AA 3.0

Bug #1899334 reported by damluk
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| apparmor (Ubuntu) | Fix Released | Undecided | Unassigned | |
| firejail (Ubuntu) | Fix Released | Undecided | Unassigned | |

Bug Description

firejail installation logs:

> Found reference to variable run, but is never declared

On system startup or "systemctl restart apparmor", this leads to a service failure:

> root@sys:~# systemctl restart apparmor
> Job for apparmor.service failed because the control process exited with error code.
> See "systemctl status apparmor.service" and "journalctl -xe" for details.

It helps to add "include <tunables/run>" to /etc/apparmor.d/firejail-default

Description: Ubuntu Groovy Gorilla (development branch)
Release: 20.10
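
The failure reported above comes from a profile referencing `@{run}` without any file in its include chain declaring it. As an added example (not part of the original report and not firejail or AppArmor code), this sketch resolves includes and lists such variables; the sample profile names and rules are constructed, and only `<...>`/quoted file includes are followed.

```python
import pathlib
import re

INCLUDE = re.compile(r'^\s*#?include\s+(?:if\s+exists\s+)?[<"]([^>"]+)[>"]')
DECL = re.compile(r'^\s*@\{(\w+)\}\s*\+?=')
USE = re.compile(r'@\{(\w+)\}')

def load_tree(base="/etc/apparmor.d"):
    """Read every file under base into {relative path: text}."""
    root = pathlib.Path(base)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file()}

def scan(name, files, declared, used, seen):
    """Collect variable declarations and uses from a file and its includes."""
    if name in seen or name not in files:  # unknown or directory include: skipped
        return
    seen.add(name)
    for line in files[name].splitlines():
        inc = INCLUDE.match(line)
        if inc:
            scan(inc.group(1), files, declared, used, seen)
            continue
        line = line.split("#", 1)[0]  # drop comments
        decl = DECL.match(line)
        if decl:
            declared.add(decl.group(1))
            line = line.split("=", 1)[1]  # the value may reference other variables
        used.update(USE.findall(line))

def undeclared_vars(name, files):
    """Variables referenced but never declared (declaration order is ignored)."""
    declared, used = set(), set()
    scan(name, files, declared, used, set())
    return sorted(used - declared)

# Constructed sample tree, not the real firejail or AppArmor files.
SAMPLE = {
    "tunables/run": "@{run}=/run/ /var/run/\n",
    "abstractions/demo": "  @{run}/demo.sock rw,  # uses @{run}\n",
    "demo-broken": "profile demo {\n  include <abstractions/demo>\n}\n",
    "demo-fixed": "include <tunables/run>\nprofile demo {\n"
                  "  include <abstractions/demo>\n}\n",
}

if __name__ == "__main__":
    for profile in ("demo-broken", "demo-fixed"):
        print(profile, undeclared_vars(profile, SAMPLE))
```

On a real system, `undeclared_vars("firejail-default", load_tree())` applies the same check to the installed profiles; the AppArmor parser remains the authoritative judge of whether a profile loads.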

Reiner Herrmann (deki) wrote :

That has been broken by the new AppArmor version 3.0.
It has recently been fixed upstream and will be part of the next release: https://github.com/netblue30/firejail/pull/3660

summary: - firejail breaks apparmor.service
+ firejail AppArmor profile not compatible with AA 3.0
damluk (damluk) wrote :

> It has recently been fixed upstream and will be part of the next release

You mean the next release of firejail? Will it be available before groovy release? I'm just asking because the bug affects AppArmor, and thus indirectly other software as well, and it is not obvious that firejail is the reason.

Reiner Herrmann (deki) wrote :

I've just imported the profile fix into the next Debian revision (0.9.62.4-3).
I'll try to get it into Groovy, though I'm not yet sure about the process to get it included.

Reiner Herrmann (deki) wrote :

@ubuntu-release, the recent AppArmor 3.0 update broke the firejail AppArmor profile, which no longer loads, and causes apparmor itself to not load properly.

Please sync 0.9.62.4-3 from Debian, in which the problem has been fixed by adding an additional include in firejail's AppArmor profile.
See upstream fix: https://github.com/netblue30/firejail/pull/3660/commits/bba750c73469ea315d859464ddd19e495d830a72

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firejail - 0.9.62.4-3

---------------
firejail (0.9.62.4-3) unstable; urgency=medium

  * Import compatibility fix for AppArmor 3.0. (LP: #1899334)
  * Symlink test sources to d/missing-sources so lintian can find them.

 -- Reiner Herrmann <email address hidden> Sat, 17 Oct 2020 13:41:00 +0200

Changed in firejail (Ubuntu):
status: New → Fix Released
damluk (damluk) wrote :

Thank you, can confirm that the new version got into Groovy and fixes the issue.

Reiner Herrmann (deki)
Changed in apparmor (Ubuntu):
status: New → Fix Released