Ok, we found a reproducer:
sudo dpkg --add-architecture i386
Then either command will trigger the DENIED:
sudo aa-exec -p ubuntu_pro_esm_cache//dpkg dpkg --print-foreign-architecture sudo aa-exec -p ubuntu_pro_esm_cache apt-cache policy
Just the presence of /var/lib/dpkg/arch will trigger it, even if it's empty. If the file does not exist, then there is no apparmor DENIED.
We will apply your patch.
Ok, we found a reproducer:
sudo dpkg --add-architecture i386
Then either command will trigger the DENIED:
sudo aa-exec -p ubuntu_ pro_esm_ cache// dpkg dpkg --print- foreign- architecture pro_esm_ cache apt-cache policy
sudo aa-exec -p ubuntu_
Just the presence of /var/lib/dpkg/arch will trigger it, even if it's empty. If the file does not exist, then there is no apparmor DENIED.
We will apply your patch.