I am also just wondering how we can effectively work on sandbox-related
code on 24.04; does it mean any developer (and potentially CI) will
have to set up its AppArmor profile **also** matching the builds to have
proper userns? The way it is currently handled, I don't see any other
way around,
Yes for the appimages that are affected they should be reported
upstream. There are some things that upstream can do to make appimages
work under the restriction, ideally they would do it dynamically based
on whether the user namespace is available rather than just based on distro
which is the quick fix
Yep, this is fine. I just wanted to make it clear for others, because
one of the comments above might be misleading and even though I know the
area of the code impacted by userns, I was actually thinking you got a
fix landed on AppArmor side to avoid the need for a dedicated profile.
AppImage
The AppArmor profile covers the packaged version and the standard
privileged install location. You are correct that it does not cover
running firefox from an unprivileged user writable location like $HOME.
For unprivileged user writable locations like $HOME/bin/ the user has to
deliberately make
I have just upgraded to 24.04 from 23.10 and I'd like to emphasize that
for the Firefox case, the comments on that thread mentions "AppArmor
should fix it with beta3" is inaccurate and incomplete: it only
partially fixes the issue since it only covers packaged versions.
Anybody relying on the
@jorge-lavila:
technically possible yes. I want to be careful with what I promise here,
as the user experience is not my area. With that said we are currently
looking at using aa-notify as a bridge to improve the user experience.
We would install it with a filter to only fire a notification for
Thanks for the detailed reply @jjohansen,
Do you think it would be feasible to spawn a pop-up that says something
like "This application uses namespaces which is considered vulnerable to
exploits, are you sure you want to continue?" and ask for the password
to allow the application to run. This
@zgraft:
I have added a tor item, a profile will land in an update.
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to devhelp in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions
@jorge-lavila,
It's not a theoretical case, they have been used by multiple exploits
every year (including this one) since landing in the kernel. Ubuntu is
not the only one looking at restricting them. SELinux has also picked
up the ability but they haven't really rolled it out in policy, there
Thanks for the reply!
My use case is this one 'shipped as a .tar.gz that people unpack into
their home dir and then use'. To me it seems counter-intuitive to force
applications to run un-sandboxed for added security; both the solutions
proposed (with the application profile and to turn off the
Also note that even the system's build of Bubblewrap is not granted the
ability to bypass user namespace restrictions as that would allow the
restrictions to be bypassed by any application. Doing this to your own
build of Bubblewrap will pose the same security issue. If you can avoid
doing things
Unless your app and Bubblewrap can both work without any capabilities in
an unprivileged user namespace, things will probably go south. You
should probably be installing an AppArmor profile for your app that
allows you to use unprivileged user namespaces normally again, as
described in Comment 5
Hello,
Pardon my ignorance, but I ship applications with my own build of
bubblewrap to run in a sandboxed manner. bwrap's pivot_root allows my
application to work across several distros without worrying about issues
with missing or incompatible libraries; it also makes it possible to run
the same
The Tor Browser is actually installable on Ubuntu, and we have
privacy-conscious folks here who are Ubuntu Developers. We just were
absolutely slammed in more ways than we imagined would happen this
cycle and things slipped through the cracks. This is probably one of
them.
You can follow the
Probably not in scope but the Tor Browser also fails to start properly:
https://forum.torproject.org/t/ubuntu-24-04-daily-and-tor-tabs-crashing-immediately/11822/7.
I can see why Ubuntu might not want to allow such
programs but, a universal distribution should be cognizant that some of
its users
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
@u-jjohansen:
```
$ sudo dmesg | grep DENIED
[ 20.729222] audit: type=1400 audit(1714359674.872:42): apparmor="DENIED"
operation="open" class="file" profile="snap-update-ns.firefox"
name="/usr/local/share/" pid=2002 comm="6" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
[ 20.743227]
```
@u-dal:
the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials
```
sudo dmesg | grep DENIED
```
@u-jjohansen:
Also, I'm having this Thunderbird problem going on simultaneously --
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990
-- which might be related to the
issues from my Chrome comments?
@u-jjohansen:
Yes, live environment only. Sorry, I thought I'd included that in my
first comment but now I see that I neglected to do so. I added an EDIT:
to my first comment to make it clear.
@u-dal:
are you running in a live cd environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d
@jjohansen:
```
$ sudo aa-status
apparmor module is loaded.
56 profiles are loaded.
54 profiles are in enforce mode.
/snap/snapd/21465/usr/lib/snapd/snap-confine
/snap/snapd/21465/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/lib/snapd/snap-confine
```
@u-dal:
This sounds like the apparmor policy is not being loaded can you please
provide the output of
```
sudo aa-status
```
and
```
sudo systemctl status apparmor
```
I seem to have the same apparmor problem with Chrome under Lubuntu
24.04. From "$ journalctl | grep apparmor | grep chrome" I got
info="Userns create restricted - failed to find unprivileged_userns
profile" (among other things). And it's been reproduced by another as
the following relates.
Can
** Also affects: guix (Ubuntu)
Importance: Undecided
Status: New
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial
The appimage version of Balena Etcher unfortunately fails to run. We can not
provide a default profile for the
The Wike fix is coming in the next SRU.
I had no problem running Balena Etcher on Ubuntu 24.04 LTS.
Do you have the latest version of Etcher?
1.19.16
https://github.com/balena-io/etcher/blob/master/CHANGELOG.md
Can we manually add support for Balena Etcher, just like VS Code? Etcher
is used by hundreds of thousands of users.
https://gitlab.com/apparmor/apparmor/-/merge_requests/1212
** Changed in: wike (Ubuntu)
Status: New => Fix Committed
https://gitlab.com/apparmor/apparmor/-/merge_requests/1209
** Also affects: wike (Ubuntu)
Importance: Undecided
Status: New
** Also affects: foliate (Ubuntu)
Importance: Undecided
Status: New
** Changed in: foliate (Ubuntu)
Status: New => Fix Committed
** Changed in: wike
Status: Unknown => New
** Bug watch added: github.com/hugolabe/Wike/issues #181
https://github.com/hugolabe/Wike/issues/181
** Also affects: wike via
https://github.com/hugolabe/Wike/issues/181
Importance: Unknown
Status: Unknown
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.
The potential solution I mention is
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined
profile, as that allows for an arbitrary bypass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions but at
I believe bwrap was ignored intentionally, as the point of the apparmor
change was to prevent arbitrary apps from making unprivileged user
namespaces with capabilities. Allowing Bubblewrap to do so would provide
a loophole. Same reason `unshare` isn't allowed to make unprivileged
namespaces with
Hi - ok - very long thread so not quite sure how best to resolve.
I note bubblewrap is marked as confirmed but no resolution.
For budgie-control-center - backgrounds - Add Picture I found that the
gnome-desktop library libgnome-desktop-3-20 is calling bwrap and that
this was failing due to
We have an update of the firefox profile coming that supports the
/opt/firefox/firefox location used as the default install for the
firefox downloaded directly from mozilla.org
If you are running firefox out of your home directory, that will not be
directly supported and you will need to choose to
@coeur-noir:
Are you installing firefox to /opt/ as recommended or using it local in
your user account?
As for bwrap, maybe it is known to be problematic. It is allowed to run and to
create a user namespace but it is denied all capabilities within the namespace.
Can you run
sudo dmesg |
Ubuntu 24.04 installed today.
Firefox autonomous archive downloaded from
https://www.mozilla.org/fr/firefox/all/#product-desktop-release
And « ooops… » in any tab,
terminal says :
[Parent 5931, IPC I/O Parent] WARNING: process 6020 exited on signal 11: file
loupe problem solved with apparmor 4.0.0-beta3-0ubuntu2
https://bugs.launchpad.net/ubuntu/+source/loupe/+bug/2054142
@ajg-charlbury: no, apparmor beta3 has not landed in proposed yet, we are
working on the upload now. firefox separately has added a bug fix that
will detect when the user namespace/capabilities are denied and fall back
without crashing but it disables the full sandbox.
the apparmor-beta3 fix
I have just tried running firefox from the firefox-nightly download and all
runs well using that version
125.0a1 (2024-03-17) (64-bit).
I assume the beta3 you speak of is the new version of apparmor; is that
the same version as the current apparmor-proposed version?
@ajg-charlbury: yes, firefox we are well aware of the problem, the
firefox profile has been tweaked for beta3 (landing this week) so that
it should work with the new deb.
I have seen the problem with firefox tabs crashing in the .deb installation
and when running direct from the downloaded .tar.bz from Mozilla.
Firefox opens but tabs show error saying "Tab crashed"
This has forced me to use the snap version which works fine though I prefer not
to use snaps at
@arraybolt3: qutebrowser should be fixed in beta3
** Changed in: qutebrowser (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: qmapshack (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: notepadqq (Ubuntu)
Assignee:
@kc2bez: qmapshack should be fixed in beta3
@kc2bez: I have been able to verify that privacybrowser is not working.
However it is not due to the apparmor user namespace restrictions.
I get the following segfault out of dmesg
[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc sp
7ffd5c6587e0 error 4 in
@kc2bez: pageedit should be fixed in beta3
@kc2bez: notepadqq should be fixed in beta3
@kc2bez:
there are no updated deb packages in the ppa for kiwix.
the kiwix appimage worked for me.
kiwix flatpak worked for me.
I am not sure what you were seeing. But we are going to need more
information.
** Changed in: kiwix (Ubuntu)
Status: Confirmed => Incomplete
hi @vvaleryan-24,
I have been able to replicate the crash you are seeing but it is not due
to the user namespace restriction. The restrictions logging does not
happen, and I can put it in an unconfined profile and it still doesn't
help. From dmesg I find the following segfault
[79854.520976]
Georgia,
RE: tuxedo-control-center
That works perfectly.
Hi, for Gnome-packagekit it's related to this behavior :
https://bugs.launchpad.net/ubuntu/+source/gnome-packagekit/+bug/2046843
I run Ubuntu development branch 24.04 and I have a problem with Gnome
PackageKit 43.0-2 : application launches well, but if I write a program
/ package name in the
this will be fixed in Beta
** Changed in: kchmviewer (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: rssguard (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: supercollider (Ubuntu)
Assignee: (unassigned) => John Johansen
sorry this won't be fixed in Beta3 that note was for goldendict
** Changed in: gnome-packagekit (Ubuntu)
Assignee: John Johansen (jjohansen) => (unassigned)
Will be fixed in Beta3
** Changed in: goldendict-webengine (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
we will be fixed in Beta3
** Changed in: gnome-packagekit (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
I have tested gnome-packagekit and it never triggers unprivileged user
namespace mediation. Can you please provide more information on how you
triggered it.
** Changed in: gnome-packagekit (Ubuntu)
Status: Confirmed => Incomplete
** Changed in: loupe (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: geary (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: firefox (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
supercollider will work on current noble. Since it is using QTWebEngine
it has a graceful fallback when capabilities within the user namespace
are denied.
supercollider will have a profile and be fixed in Beta3, so it doesn't
even have to do the fallback.
I have tried freecad and unprivileged user namespace restrictions are
not the problem. freecad snap works, freecad ppa does not have a noble
build yet but the mantic build can be made to work.
freecad daily appimage: works
freecad appimage: stable fails with mesa or qt errors depending on
@sudipmuk loupe should be fixed in Beta3
@eeickmeyer geary should be fixed in Beta3
@guyster, @eldmannen+launchpad, @valeryan-24
Firefox dailies now have a work around, by detecting and disabling the
user namespace. The proper fix that should allow firefox to still use
the user namespace for its sandbox will land in Beta3, landing early
next week.
Erich Eickmeyer, I don't have a Tuxedo Computer to test, so could you
please check if the following profile works for you?
$ echo "# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi ,
include
profile
@valeryan-24 "ModuleNotFoundError: No module named 'imp'" says that your
Gpodder issue is not related to this bug. You are missing a dependency,
the 'imp' module. If Gpodder is packaged it will need to add that as
part of its install dependencies.
Fix released for Firefox (Nightly) 125.
Since a few days, I can't launch Gpodder (podcast program) anymore, is it also
related to this bug or is it something different ?
"[gpodder.log] ERROR: Uncaught exception: Traceback (most recent call last):
File "/usr/bin/gpodder", line 181, in
** Changed in: steam (Ubuntu)
Status: Fix Committed => Fix Released
Before I saw your post about the environment variable, I edited the
profile in /etc/apparmor.d/firefox to reflect /opt/firefox. If I launch
from a mate desktop icon, or from the menu, all is well. If I click on a
link, from say an email, I get the tab crashed bug again. Is there a way
to work
A workaround is to set the environment variable MOZ_ASSUME_USER_NS=0.
You can run it as:
env MOZ_ASSUME_USER_NS=0 /home/bob/Downloads/firefox/firefox
--name=firefox-nightly %u
I have read in a couple other pages that I can edit
/etc/apparmor.d/firefox. Since I'm using version 124 beta 9, and my
firefox is installed in /opt/firefox, do I just adjust the path in that
file to make it work? Thanks much in advance for the help.
I am seeing this also, as of updating all packages, about fifteen
minutes ago. Is there a definite fix released? This doesn't mean we have
to resort to using firefox from snap, right?
I reported the bug upstream for Firefox - if you have a Bugzilla account
on Mozilla and are affected, you could confirm it please :
https://bugzilla.mozilla.org/show_bug.cgi?id=1884347
** Bug watch added: Mozilla Bugzilla #1884347
https://bugzilla.mozilla.org/show_bug.cgi?id=1884347
** Also affects: loupe (Ubuntu)
Importance: Undecided
Status: New
** Changed in: loupe (Ubuntu)
Status: New => Confirmed
** Also affects: apparmor
Importance: Undecided
Status: New
Yes, since today's updates, Firefox Nightly 125.0a1 from Mozilla
repository which worked very fine until now, stopped: program still
starts well, but every tab gets a crash error and doesn't load the page
(even the start about:blank one)…
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: firefox (Ubuntu)
Status: New => Confirmed
@scarlet I think it is fair to mark these as Fixed released as they are
part of apparmor-alpha4 that is in noble.
This is part of the apparmor alpha4 release in noble
** Changed in: plasma-desktop (Ubuntu)
Status: Confirmed => Fix Released
This is part of the alpha4 release in noble
** Changed in: kdeplasma-addons (Ubuntu)
Status: Confirmed => Fix Released
I am seeing this with the (relatively new) Mozilla-provided Firefox deb
package
(https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions).
** Also affects: firefox (Ubuntu)
Importance: Undecided
Status: New
** Changed in: firefox (Ubuntu)
Milestone: None => ubuntu-24.04
I've experienced this
(https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/2056190) in
Kubuntu 24.04:
- related to Firefox and Firefox-based browsers (Waterfox, Librewolf,
Midori, Floorp, Mullvad) installed from deb, running locally
("portable"), or as appimage, while flatpak and snap versions
plasma-desktop and kdeplasma-addons are in the main apparmor package and
fixed. Is it ok to make those fix-released?
Also would like to note that tuxedo-control-center, a third-party
Electron app for Tuxedo Computers, is affected by this.
Geary is seeded in Edubuntu as its main email client, so this is
definitely something we'd like fixed.
** Also affects: geary (Ubuntu)
Importance: Undecided
Status: New
** Changed in: geary (Ubuntu)
Status: New => Confirmed
** Changed in: geary (Ubuntu)
Importance: Undecided
** Changed in: angelfish (Ubuntu)
Status: In Progress => Fix Released
We had a mitigation for this in glibc but the latest change from simply
denying the unshare() call to allowing it but then denying anything
requiring capabilities *presumably* broke the glibc test suite again.
I'm only basing this from looking at the test logs, as I'm temporarily
unable to run
This bug was fixed in the package ghostwriter - 23.08.5+ds-0ubuntu1
---
ghostwriter (23.08.5+ds-0ubuntu1) noble; urgency=medium
* New upstream release (23.08.5)
ghostwriter (23.08.4+ds-0ubuntu2) noble; urgency=medium
* Add apparmor profile to fix userns. (LP: #2046844)
--
** Merge proposal linked:
https://code.launchpad.net/~p-pisati/britney/+git/hints-ubuntu/+merge/461043
This bug was fixed in the package kgeotag - 1.5.0-1ubuntu1
---
kgeotag (1.5.0-1ubuntu1) noble; urgency=medium
* Add apparmor profile to fix userns. Ref: (LP: #2046844)
-- Scarlett Moore Thu, 15 Feb 2024 00:06:50 -0700
** Changed in: kgeotag (Ubuntu)
Status: In Progress
This bug was fixed in the package akonadiconsole - 4:23.08.5-0ubuntu2
---
akonadiconsole (4:23.08.5-0ubuntu2) noble; urgency=medium
* Add apparmor profile to fix userns. Ref: (LP: #2046844)
-- Scarlett Moore Sun, 25 Feb 2024 01:25:04 -0700
** Changed in: akonadiconsole
This bug was fixed in the package plasma-welcome - 5.27.10-1ubuntu1
---
plasma-welcome (5.27.10-1ubuntu1) noble; urgency=low
[ Ubuntu Merge-o-Matic ]
* Merge from Debian unstable. Remaining changes:
- Kubuntu Vcs and maintainer fields.
[ Scarlett Moore ]
* Add apparmor
** Changed in: devhelp (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: devhelp (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: epiphany-browser (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: epiphany-browser (Ubuntu)
** Changed in: ghostwriter (Ubuntu)
Status: Fix Released => Fix Committed
** Also affects: akonadiconsole (Ubuntu)
Importance: Undecided
Status: New
** Changed in: akonadiconsole (Ubuntu)
Importance: Undecided => High
** Changed in: akonadiconsole (Ubuntu)
Status: New => In Progress
** Changed in: akonadiconsole (Ubuntu)
Milestone: None =>
This bug was fixed in the package apparmor - 4.0.0~alpha4-0ubuntu1
---
apparmor (4.0.0~alpha4-0ubuntu1) noble; urgency=medium
[Georgia Garcia]
* New upstream release.
* Add unconfined profiles to support the use unprivileged user namespace
(LP: #2052297, LP: #2046844)
-
** Changed in: steam (Ubuntu)
Status: Confirmed => Fix Committed
So appimages are interesting. They don't all need a profile. I have run
several that are not using user namespaces, or only need to be able to
create the user namespace and don't need capabilities so the default
unprivileged_userns profile works for them.
It is applications that need privileges