[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread Archisman Panigrahi
Thank you for the quick reply, and the explanation.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2060810

Title:
  Wike does not run in Ubuntu 24.04 due to apparmor issue

Status in apparmor package in Ubuntu:
  New

Bug description:
  Wike (deb package/compiled version) does not run in Ubuntu 24.04
  possibly due to some interference between apparmor and webkit.

  ```
  $ wike

  (process:11686): Gtk-WARNING **: 02:55:41.246: Unknown key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
  bwrap: setting up uid map: Permission denied

  ** (wike:11686): ERROR **: 02:55:41.837: Failed to fully launch dbus-proxy: Child process exited with code 1
  Trace/breakpoint trap
  ```

  A workaround is to create the file `/etc/apparmor.d/wike` with the following contents:
  ```
  # This profile allows everything and only exists to give the
  # application a name instead of having the label "unconfined"
  # (the angle-bracket include targets below follow the standard
  # Ubuntu 24.04 apparmor profile template; they were lost in the
  # original posting)

  abi <abi/4.0>,
  include <tunables/global>

  profile wike /usr/bin/wike flags=(unconfined) {
    # the rule that matters: allow unprivileged user namespace creation
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/wike>
  }
  ```
  Then run `sudo systemctl restart apparmor.service`


  This is also reported in GitHub for Wike
  https://github.com/hugolabe/Wike/issues/181

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060810/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
More applications will be getting confinement; on an individual level I
don't think it will be everything from debs. In this case it's because it
uses unprivileged user namespaces, which are now being restricted and
treated as semi-privileged because they give access to several
privileged kernel interfaces. Those privileged kernel interfaces should
in theory be safe, but the reality is that they aren't. Unprivileged
user namespaces are the first step in almost every kernel exploit chain
for the last 7 or so years.

In pwn2own last year 4 of the 5 exploits used unprivileged user
namespaces. This year all 4 did; however, if you turn the restriction on
(present in 23.10 but not enabled by default) every one of the
exploits is blocked. The current step is far from perfect, but we are
working on improving it.

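The explanation above (unprivileged user namespaces are now gated by AppArmor, and an app only gets them if its profile grants `userns`) and the named-profile workaround in the bug description can be turned into a small diagnostic. The script below is an added example, not code from the thread or from the apparmor project: it reads the restriction's kernel knob (`kernel.apparmor_restrict_unprivileged_userns`), checks whether a profile is loaded for the app, gives a one-word verdict, and renders the thread's unconfined-flag profile generalised to any app name and binary path. The function names, the verdict strings and the optional file arguments (so constructed inputs can be fed in place of the real kernel files) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug thread or the apparmor project: checks whether
# Ubuntu 24.04's AppArmor restriction on unprivileged user namespaces is the
# reason a bwrap-based app fails with "setting up uid map: Permission denied",
# and renders a named profile granting `userns` the way the thread's workaround does.

# Kernel knob for the restriction (sysctl kernel.apparmor_restrict_unprivileged_userns).
# 1 = unprivileged userns creation is denied unless the task's profile allows `userns`.
USERNS_SYSCTL=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
# Loaded profiles, one "name (mode)" per line; normally readable only by root.
PROFILES_LIST=/sys/kernel/security/apparmor/profiles

# userns_restriction_state [file]: prints on, off or unknown.
# The optional file argument lets tests feed constructed input instead of /proc.
userns_restriction_state() {
    f="${1:-$USERNS_SYSCTL}"
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# profile_loaded NAME [file]: exit 0 if a profile called NAME is loaded,
# 1 if not, 2 if the profile list cannot be read (typically: not root).
profile_loaded() {
    name="$1"; f="${2:-$PROFILES_LIST}"
    [ -r "$f" ] || return 2
    # Match "NAME (" at the start of a line; index() avoids regex metacharacters in NAME.
    awk -v n="$name" 'index($0, n " (") == 1 { found = 1 } END { exit !found }' "$f"
}

# render_userns_profile NAME BIN: emits the unconfined-flag profile from the
# thread, generalised to any app name and binary. `userns` is the rule that
# matters for the bwrap failure; flags=(unconfined) applies no other restriction.
render_userns_profile() {
    name="$1"; bin="$2"
    cat <<EOF
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile $name $bin flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# diagnose NAME [sysctl-file] [profiles-file]: one-word verdict for the app.
diagnose() {
    name="$1"; sf="${2:-$USERNS_SYSCTL}"; pf="${3:-$PROFILES_LIST}"
    state=$(userns_restriction_state "$sf")
    if [ "$state" != on ]; then
        echo "not-userns-restriction"       # restriction off or unknown: look elsewhere
        return 0
    fi
    profile_loaded "$name" "$pf" && rc=0 || rc=$?
    case $rc in
        0) echo "restricted-profile-loaded" ;;      # profile present; verify it contains `userns,`
        1) echo "restricted-no-profile" ;;          # the thread's situation: bwrap's userns denied
        *) echo "restricted-profiles-unreadable" ;; # rerun as root to inspect loaded profiles
    esac
}

# Usage on the affected machine (root is needed to read the loaded-profile list):
#   diagnose wike
#   render_userns_profile wike /usr/bin/wike | sudo tee /etc/apparmor.d/wike >/dev/null
#   sudo apparmor_parser -r /etc/apparmor.d/wike
```

The verdict `restricted-no-profile` is exactly the state the bug report shows: the knob is on, bwrap is asked to create a user namespace, and no profile grants it. A loaded profile is not by itself enough; it must carry the `userns,` rule, which is the one line in the rendered profile that changes bwrap's outcome.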


[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread Archisman Panigrahi
In this case, Wike is installed as a deb, not snap. Why is it confined?

As far as I know, this is not how deb packages worked. Is this a very
new decision to confine all the apps even if they are installed via apt?



[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
There are vague plans, yes. The timeline of it has not been scoped, but
it would be something akin to what happens on macOS when you try to run
a downloaded application for the first time and you have to go into
their security config to allow it.

The application will still be "confined" but it may not get its own
individual profile and instead share one with others the user has downloaded.
The unconfined profiles will also get developed into full profiles. The
plan is that unconfined profiles won't be a standard thing but an
exception.

Another thing that is going to happen in the next upload is that bwrap gets
its own profile. Applications using bwrap might work through the bwrap profile.
There will still be cases where they will need their own profile, but
the bwrap profile will cover several cases that don't work today.
Applications that have already received an unconfined profile will
continue to work that way.



[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread Archisman Panigrahi
In the future, will there be some mechanism for allowing apps to run
without adding profiles for each app, like what is happening now?
