debcrafters-packages team mailing list archive
Message #05429
[Bug 2120669] Re: curl apparmor profile in 25.10 blocks access to snapd socket
** Tags added: sec-7259
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2120669
Title:
curl apparmor profile in 25.10 blocks access to snapd socket
Status in curl package in Ubuntu:
New
Bug description:
In Ubuntu 25.10 questing images, curl can no longer access the snapd
socket as it is blocked by the apparmor profile for curl.
For example, if I create a VM in GCP using the following command:
$ gcloud compute instances create questing --image-project ubuntu-os-cloud-devel --image daily-ubuntu-2510-questing-amd64-v20250813
I then see:
$ sudo curl --request GET --unix-socket /run/snapd.socket "http://localhost/v2/model/serial?json=true"
curl: (7) Failed to connect to localhost port 80 after 0 ms: Could not connect to server
$ sudo dmesg | tail
[ 1701.302096] audit: type=1400 audit(1755110651.607:254): apparmor="DENIED" operation="connect" class="file" profile="curl" name="/run/snapd.socket" pid=1508 comm="curl" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
Using curl to query sockets seems to me to be a standard use case that
should be allowed by apparmor.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2120669/+subscriptions
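Added example (not part of the bug report or of the curl or AppArmor packaging): a small Python parser for AppArmor denial records like the one quoted above, which extracts the fields, converts the audit timestamp to UTC and prints the file rule the denial implies. The function names and the second sample line are made up for this illustration, and the printed rule is a candidate for review, not the fix adopted in Ubuntu.

```python
import re
from datetime import datetime, timezone

# First line: the denial quoted in the bug report. Second line: constructed,
# to show that records that are not AppArmor denials are skipped.
SAMPLE_DMESG = """\
[ 1701.302096] audit: type=1400 audit(1755110651.607:254): apparmor="DENIED" operation="connect" class="file" profile="curl" name="/run/snapd.socket" pid=1508 comm="curl" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
[ 1701.400000] systemd[1]: Started example.service (constructed line)
"""

AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict per apparmor="DENIED" audit record found in text."""
    denials = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        fields = {k: q if q else u for k, q, u in FIELD_RE.findall(m.group(4))}
        if fields.get("apparmor") != "DENIED":
            continue
        fields["time_utc"] = datetime.fromtimestamp(
            int(m.group(1)), tz=timezone.utc).isoformat()
        fields["serial"] = int(m.group(3))
        # An "owner"-qualified rule only matches when fsuid equals the object's uid.
        fields["owner_match"] = fields.get("fsuid") == fields.get("ouid")
        denials.append(fields)
    return denials


def candidate_rule(d):
    """File rule implied by a read/write denial (for review, not a vetted fix)."""
    mask = d.get("denied_mask", "")
    if d.get("class") != "file" or "name" not in d or not mask or not set(mask) <= set("rw"):
        return None  # exec, lock, link and non-file denials need manual review
    perms = "".join(p for p in "rw" if p in mask)
    return f'{d["name"]} {perms},'


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_DMESG):
        print(d["time_utc"], d["profile"], d["operation"], d["name"], d["denied_mask"])
        print("candidate rule:", candidate_rule(d), "| owner match:", d["owner_match"])
```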