Comment 14 for bug 2064096

John Johansen (jjohansen) wrote :

Does the profile have the attach_disconnected flag set?

Does the profile have the attach_disconnected flag set while in complain mode?

It looks to me that we are looking at open file descriptors that exist outside of the current namespace. This will result in a partial unattached path that will not be allowed in complain mode. The denied path will not start with /.

If the attach_disconnected flag is added, that will attach the disconnected path to the root of the current mount namespace, which is what I believe is happening with

  /systemd/...
vs
  /run/systemd/......

Unless unconfined is involved, both ends of a socket are required to exist in the namespace for v7/v8 unix socket mediation (what is in noble). Unconfined is special in that it can delegate access to an open fd which is not generically allowed atm.

If all the above is correct then you can use the attach_disconnected.path flag to attach the accesses to disconnected fds.

The full flags parameter to apparmor would then look like

  profile example flags=(attach_disconnected attach_disconnected.path=/run/) { ... }

and for complain mode

  profile example flags=(complain attach_disconnected attach_disconnected.path=/run/) { ... }

This of course is a less than satisfactory workaround. There is work to address the above better but none of it is in noble.
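The check a practitioner would want before reaching for this workaround, as an added example that is not part of the comment above or of the AppArmor project: scan the AppArmor audit messages for denials whose name= does not begin with "/", which is the signature of a disconnected path described in the comment, and emit a profile header carrying the suggested flags. The log lines are constructed for the example (they are not captures from this bug), and the profile name, attachment path and file rule are illustrative assumptions.

```shell
#!/bin/sh
# Added example; not code from the bug report or from AppArmor itself.

# Constructed sample audit lines (not real captures). The field layout
# mirrors the kernel's AppArmor audit format: name="systemd/notify" has no
# leading "/", i.e. the fd's path could not be attached in this mount
# namespace; name="/etc/shadow" is an ordinary, fully attached path.
SAMPLE_LOG='audit: type=1400 audit(1714000000.001:10): apparmor="DENIED" operation="file_perm" class="file" profile="example" name="systemd/notify" pid=1234 comm="example" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1714000000.002:11): apparmor="DENIED" operation="open" class="file" profile="example" name="/etc/shadow" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1714000000.003:12): apparmor="ALLOWED" operation="file_perm" class="file" profile="example" name="systemd/journal/socket" pid=1234 comm="example" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# Read AppArmor audit lines on stdin and print the name= value of every
# line (DENIED or complain-mode ALLOWED) whose name does not start with
# "/". Any output means the profile is hitting disconnected paths.
disconnected_names() {
    sed -n 's/.*apparmor="[A-Z]*".* name="\([^"/][^"]*\)".*/\1/p'
}

# Print a profile header with the flags suggested in the comment.
# Assumed/illustrative: the profile name "example", the attachment path
# /usr/bin/example, and the single file rule; the attach point /run/ is
# the one the comment proposes for paths that appear as systemd/...
fixed_profile() {
    cat <<'EOF'
profile example /usr/bin/example flags=(complain attach_disconnected attach_disconnected.path=/run/) {
  #include <abstractions/base>

  # Once attached under /run/, the disconnected "systemd/..." access
  # shows up as /run/systemd/... and can be matched by a normal rule.
  /run/systemd/** rw,
}
EOF
}

# Stand-alone run: report disconnected names, then show the profile.
printf '%s\n' "$SAMPLE_LOG" | disconnected_names
fixed_profile
```

Feed the real log in with `journalctl -k` or `dmesg` piped into disconnected_names instead of the constructed sample; on a host with the parser installed the emitted profile can be syntax-checked with `apparmor_parser -Q` before loading it.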