[pkg-apparmor] Bug#1104603: Bug#1104603: apparmor: crun profile makes crun unusable

intrigeri intrigeri at debian.org
Tue May 6 13:48:46 BST 2025


Control: tag -1 + moreinfo

Hi,

Jarl Gullberg (2025-05-02):
> The AppArmor profile for crun that ships with AppArmor 4.1 in Debian 13 is currently
> rendering crun entirely unusable when enabled.

What do you mean by "when enabled" here?

I'm asking because:

 - This profile is intentionally shipped in unconfined mode, as
   explained in the comment on top of the file.

 - In this default configuration, on current sid, crun fails with
   "please specify a command", which matches what I understand is your
   desired successful status, and not the failure (where I would see
   "Failed to re-execute libcrun via memory file descriptor").

If by "when enabled" you mean "when manually switched from unconfined
to complain mode", then I think that's 1 other instance of "complain
mode blocks stuff when it should not", which IIRC is tracked
upstream somewhere. Other limitations include "'deny' rules will be
enforced even in complain mode" (quoting aa-complain(8)).

Cheers,
-- 
intrigeri
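
Added example, not part of the original message and not code from AppArmor or Debian: a small triage helper that reads a profile's text, reports the mode set in its `flags=(...)`, and lists the `deny` rules that would still block access if the profile were in complain mode, per the aa-complain(8) caveat quoted above. The sample profile text, the function names and the handling of only `profile NAME ...` style headers are assumptions of this example.

```python
import re

# Constructed sample profile text (not the profile Debian ships).
SAMPLE_PROFILE = """\
abi <abi/4.0>,
include <tunables/global>

profile crun /usr/bin/crun flags=(unconfined) {
  userns,
  deny /etc/shadow r,
  audit deny capability sys_module,
  include if exists <local/crun>
}
"""

MODES = ("unconfined", "complain", "kill", "enforce")
HEADER_RE = re.compile(r"^profile\s+(\S+)")
FLAGS_RE = re.compile(r"flags\s*=\s*\(([^)]*)\)")
DENY_RE = re.compile(r"^(?:audit\s+)?deny\s+(.+?),?$")


def parse_profile(text):
    """Return (name, mode, deny_rules) for the first profile in text."""
    name, mode, denies = None, "enforce", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if name is None:
            header = HEADER_RE.match(line)
            if header:
                name = header.group(1)
                found = FLAGS_RE.search(line)
                flags = re.split(r"[,\s]+", found.group(1).strip()) if found else []
                # No mode flag on the header means the profile is enforced.
                mode = next((f for f in flags if f in MODES), "enforce")
            continue
        deny = DENY_RE.match(line)
        if deny:
            denies.append(deny.group(1))
    return name, mode, denies


def complain_mode_caveats(text):
    """Deny rules that still block access when the profile is in complain mode."""
    _, mode, denies = parse_profile(text)
    return denies if mode == "complain" else []


if __name__ == "__main__":
    print(parse_profile(SAMPLE_PROFILE))
    switched = SAMPLE_PROFILE.replace("flags=(unconfined)", "flags=(complain)")
    print(complain_mode_caveats(switched))
```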


