[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`
hifron
2072811 at bugs.launchpad.net
Wed Aug 14 12:57:32 UTC 2024
electron apps could be started with --no-sandbox with executableArgs =
["no-sandbox"] in build mode for AppImage or Snap
https://www.electron.build/configuration/snap.html .
It is also bug opened on electron
https://github.com/electron/electron/issues/41066 with merged patch for
detecting such issue on runtime with testing write for such namespaces
as PullRequst on Electron.
This change in Ubuntu for Electron is not new and there were some
attempts for AppImages for Electron to fix it because Debian and other
linuxes has various policies, so was also questions about it and some js
npms packages attempts https://github.com/electron-userland/electron-
builder/issues/5371.
So issue on Electron is opened and packagers could wait on new Electron
release or decide what to do... But require for each app to have own
profile is weird way to bureaucratic hell overhead of something not
deeply understood.
** Bug watch added: github.com/electron/electron/issues #41066
https://github.com/electron/electron/issues/41066
** Bug watch added: github.com/electron-userland/electron-builder/issues #5371
https://github.com/electron-userland/electron-builder/issues/5371
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2072811
Title:
Apparmor: New update broke flatpak with `apparmor="DENIED"`
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Noble:
Fix Released
Status in apparmor source package in Oracular:
Fix Released
Bug description:
The recent apparmor update appear to have broken some flatpak's ability to save file, e.g.:
- org.keepassxc.KeePassXC
- org.ksnip.ksnip
It seems update introduced a new profile ("/etc/apparmor.d/bwrap-
userns-restrict"), which is causing the issue below.
**** To reproduce ****
(I'm using KeepassXC as example, but same issue for ksnip):
1. Install and run KeepassXC
```bash
flatpak install org.keepassxc.KeePassXC
flatpak run org.keepassxc.KeePassXC
```
2. Got error: "Access error for config file
/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
Looking at `journalctl -f`, I see these apparmor DENIED entries:
```txt
Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
```
**** Workaround ****
For now, work-around is by disabling "/etc/apparmor.d/bwrap-userns-
restrict" profile.
```bash
sudo aa-disable /usr/bin/bwrap
```
**** Version info ****
$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
$ apt-cache policy apparmor
apparmor:
Installed: 4.0.1-0ubuntu0.24.04.2
Candidate: 4.0.1-0ubuntu0.24.04.2
Version table:
*** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
100 /var/lib/dpkg/status
4.0.0-beta3-0ubuntu3 500
500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions
More information about the Ubuntu-sponsors
mailing list