[pkg-apparmor] Bug#1104603: Bug#1104603: apparmor: crun profile makes crun unusable
Jarl Gullberg
jarl.gullberg at gmail.com
Tue May 6 14:11:55 BST 2025
That's correct - it ships unconfined, but when set to complain or enforce
crun is unusable.
It's fairly common to require all installed apparmor profiles to be set as
enforcing when doing security audits / certifications (or have a damn good
documented reason why it's not), which is how I stumbled over this.
It was working in Debian 12, though saying that I'm actually not sure if a
crun profile was shipped at all in bookworm.
On Tue, 6 May 2025, 14:48 intrigeri, <intrigeri at debian.org> wrote:
> Control: tag -1 + moreinfo
>
> Hi,
>
> Jarl Gullberg (2025-05-02):
> > The AppArmor profile for crun that ships with AppArmor 4.1 in Debian 13
> > is currently rendering crun entirely unusable when enabled.
>
> What do you mean with "when enabled" here?
>
> I'm asking because:
>
> - This profile is intentionally shipped in unconfined mode, as
> explained in the comment on top of the file.
>
> - In this default configuration, on current sid, crun fails with
> "please specify a command", which matches what I understand is your
> desired successful status, and not the failure (where I would see
> "Failed to re-execute libcrun via memory file descriptor").
>
> If by "when enabled" you mean "when manually switched from unconfined
> to complain mode", then I think that's 1 other instance of "complain
> mode blocks stuff when it should not", which IIRC is tracked
> upstream somewhere. Other limitations include "'deny' rules will be
> enforced even in complain mode" (quoting aa-complain(8)).
>
> Cheers,
> --
> intrigeri
>
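The audit requirement mentioned above (every loaded profile in enforce mode unless there is a documented exception) can be checked mechanically. The following script is an added example, not code from the bug report or the apparmor package; it assumes the "name (mode)" line format of /sys/kernel/security/apparmor/profiles and a constructed sample in place of the live file.

```sh
#!/bin/sh
# Added example: report loaded AppArmor profiles that are not in enforce mode,
# skipping names listed in an allowlist of documented exceptions.
# Assumption: input lines look like "/usr/bin/man (enforce)" or "crun (unconfined)",
# the format of /sys/kernel/security/apparmor/profiles (modes: enforce, complain,
# unconfined, kill, prompt).

# audit_profiles PROFILES_FILE ALLOWLIST_FILE
# Prints "name mode" for each non-enforcing profile not in the allowlist.
# Returns 1 if at least one such profile exists, 0 otherwise.
audit_profiles() {
    profiles="$1"
    allowlist="$2"
    rc=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        name=${line% (*}     # strip the trailing " (mode)"
        mode=${line##*(}     # keep what follows the last "("
        mode=${mode%)}       # drop the closing ")"
        if [ "$mode" = "enforce" ]; then continue; fi
        if grep -qxF -- "$name" "$allowlist"; then
            continue         # documented exception, accepted by the audit
        fi
        printf '%s %s\n' "$name" "$mode"
        rc=1
    done < "$profiles"
    return $rc
}

# Runs the audit over a constructed sample resembling a Debian 13 host with the
# stock crun profile loaded unconfined and cupsd deliberately left in complain
# mode (allowlisted). Prints the findings; the sample files are removed afterwards.
sample_report() {
    profiles=$(mktemp)
    allow=$(mktemp)
    cat > "$profiles" <<'EOF'
/usr/bin/man (enforce)
crun (unconfined)
/usr/sbin/cupsd (complain)
lsb_release (enforce)
EOF
    printf '%s\n' '/usr/sbin/cupsd' > "$allow"
    audit_profiles "$profiles" "$allow" || true   # keep going so cleanup runs
    rm -f "$profiles" "$allow"
}

sample_report
```

On a real host, replace the constructed sample with `audit_profiles /sys/kernel/security/apparmor/profiles /etc/apparmor-audit-exceptions` (the exceptions path is an assumed name); a non-zero exit status is the audit finding.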