[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`
Chris Halse Rogers
2072811 at bugs.launchpad.net
Thu Aug 15 01:16:50 UTC 2024
Hello klo, or anyone else affected,
Accepted apparmor into noble-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apparmor/4.0.1really4.0.1-0ubuntu0.24.04.3
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
noble to verification-done-noble. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-noble. In either case, without details of your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: apparmor (Ubuntu Noble)
Status: Fix Released => Fix Committed
** Tags removed: verification-done verification-done-noble
** Tags added: verification-needed verification-needed-noble
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2072811
Title:
Apparmor: New update broke flatpak with `apparmor="DENIED"`
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Noble:
Fix Committed
Status in apparmor source package in Oracular:
Fix Released
Bug description:
The recent apparmor update appear to have broken some flatpak's ability to save file, e.g.:
- org.keepassxc.KeePassXC
- org.ksnip.ksnip
It seems update introduced a new profile ("/etc/apparmor.d/bwrap-
userns-restrict"), which is causing the issue below.
**** To reproduce ****
(I'm using KeepassXC as example, but same issue for ksnip):
1. Install and run KeepassXC
```bash
flatpak install org.keepassxc.KeePassXC
flatpak run org.keepassxc.KeePassXC
```
2. Got error: "Access error for config file
/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
Looking at `journalctl -f`, I see these apparmor DENIED entries:
```txt
Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
```
**** Workaround ****
For now, work-around is by disabling "/etc/apparmor.d/bwrap-userns-
restrict" profile.
```bash
sudo aa-disable /usr/bin/bwrap
```
**** Version info ****
$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
$ apt-cache policy apparmor
apparmor:
Installed: 4.0.1-0ubuntu0.24.04.2
Candidate: 4.0.1-0ubuntu0.24.04.2
Version table:
*** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
100 /var/lib/dpkg/status
4.0.0-beta3-0ubuntu3 500
500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions
More information about the Ubuntu-sponsors
mailing list