[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

hifron 2072811 at bugs.launchpad.net
Wed Aug 14 12:57:32 UTC 2024 

electron apps could be started with --no-sandbox with executableArgs =
["no-sandbox"] in build mode for AppImage or Snap
https://www.electron.build/configuration/snap.html .

It is also bug opened on electron
https://github.com/electron/electron/issues/41066  with merged patch for
detecting such issue on runtime with testing write for such namespaces
as PullRequst on Electron.

This change in Ubuntu for Electron is not new and there were some
attempts for AppImages for Electron to fix it because Debian and other
linuxes has various policies, so was also questions about it and some js
npms packages attempts https://github.com/electron-userland/electron-
builder/issues/5371.

So issue on Electron is opened and packagers could wait on new Electron
release or decide what to do... But require for each app to have own
profile is weird way to bureaucratic hell overhead of something not
deeply understood.

** Bug watch added: github.com/electron/electron/issues #41066
   https://github.com/electron/electron/issues/41066

** Bug watch added: github.com/electron-userland/electron-builder/issues #5371
   https://github.com/electron-userland/electron-builder/issues/5371

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2072811

Title:
  Apparmor: New update broke flatpak with `apparmor="DENIED"`

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Noble:
  Fix Released
Status in apparmor source package in Oracular:
  Fix Released

Bug description:
  The recent apparmor update appear to have broken some flatpak's ability to save file, e.g.:
  - org.keepassxc.KeePassXC
  - org.ksnip.ksnip

  It seems update introduced a new profile ("/etc/apparmor.d/bwrap-
  userns-restrict"), which is causing the issue below.

  **** To reproduce ****

  (I'm using KeepassXC as example, but same issue for ksnip):

  1. Install and run KeepassXC

  ```bash
  flatpak install org.keepassxc.KeePassXC
  flatpak run org.keepassxc.KeePassXC
  ```

  2. Got error: "Access error for config file
  /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"

  Looking at `journalctl -f`, I see these apparmor DENIED entries:

  ```txt
  Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
  Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
  Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
  ```

  **** Workaround ****

  For now, work-around is by disabling "/etc/apparmor.d/bwrap-userns-
  restrict" profile.

  ```bash
  sudo aa-disable /usr/bin/bwrap
  ```

  **** Version info ****
  $ lsb_release -rd
  No LSB modules are available.
  Description:	Ubuntu 24.04 LTS
  Release:	24.04

  $ apt-cache policy apparmor
  apparmor:
    Installed: 4.0.1-0ubuntu0.24.04.2
    Candidate: 4.0.1-0ubuntu0.24.04.2
    Version table:
   *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
          500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       4.0.0-beta3-0ubuntu3 500
          500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions

More information about the Ubuntu-sponsors mailing list