For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user
@u-dal:
the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials
```
sudo dmesg | grep DENIED
```
--
You received this bug
@u-dal:
are you running in a live cd environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to
@u-dal:
This sounds like the apparmor policy is not being loaded can you please
provide the output of
```
sudo aa-status
```
and
```
sudo systemctl status apparmor
```
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial
The appimage version of Belena Etcher unfortunately fails to run. We can not
provide a default profile for the
The Wike fix is coming in the next SRU.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash
@arraybolt3 is correct. Both unshare and bwrap will not get a unconfined
profile, as that allows for an arbitrary by-pass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions but at
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.
The potential solution I mention is
We have an update of the firefox profile coming that supports the
/opt/firefox/firefox location used as the default install for the
firefox downloaded directly from mozilla.org
If you are running firefox out of your home directory, that will not be
directly supported and you will need to chose to
@coeur-noir:
Are you installing firefox to /opt/ as recommended or using it local in
your user account?
as for bwarp, maybe it is known to be problematic. It is allowed to run and to
create a user namespace but it is denied all capabilities within the namespace.
Can you run
sudo dmesg |
@ajg-charlbury: no apparmor beta3 has not landed in proposed yet, we are
working on the upload now. firefox separately have added a bug fix that
will detect when the user namespace/capabilities are denied and fallback
without crashing but it disables the full sandbox.
the apparmor-beta3 fix
@ajg-charlbury: yes, firefox we are well aware of the problem, the
firefox profile has been tweaked for beta3 (landing this week) so that
it should work with the new deb.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
@arraybolt3: qutebrowser should be fixed in beta3
** Changed in: qutebrowser (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: qmapshack (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: notepadqq (Ubuntu)
Assignee: (unas
@kc2bez: qmapshack should be fixed in beta3
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to
@kc2bez: I have been able to verify that privacybrowser is not working.
However it is not due to the apparmor user namespace restrictions.
I get the following segfault out of dmesg
[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc sp
7ffd5c6587e0 error 4 in
@kc2bez: pageedit should be fixed in beta3
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to
@kc2bez: notepadqq should be fixed in beta3
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to
@kc2bez:
there are no updated deb packages in the ppa for kiwix.
the kiwix appimage worked for me.
kiwix flatpak worked for me.
I am not sure what you were seeing. But I we are going to need more
information.
** Changed in: kiwix (Ubuntu)
Status: Confirmed => Incomplete
--
You
hi @vvaleryan-24,
I have been able to replicate the crash you are seeing but it is not do
to the user namespace restriction. The restrictions logging does not
happen, and I can put it in an unconfined profile and it still doesn't
help. From dmesg I find the following segfault
[79854.520976]
this will be fixed in Beta
** Changed in: kchmviewer (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: rssguard (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: supercollider (Ubuntu)
Assignee: (unassigned) => John
sorry this won't be fixed in Beta3 that note was for goldendict
** Changed in: gnome-packagekit (Ubuntu)
Assignee: John Johansen (jjohansen) => (unassigned)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
ht
Will be fixed in Beta3
** Changed in: goldendict-webengine (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046
we will be fixed in Beta3
** Changed in: gnome-packagekit (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046
I have tested gnome-packagekit and it never trigger unprivileged user
namespace mediation. Can you please provide more information on how you
triggered it.
** Changed in: gnome-packagekit (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a
** Changed in: loupe (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: geary (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: firefox (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
--
You received this bug
supercollider will work on current noble. Since it is using QTWebEngine
it has a graceful fallback when capabilities within the user namespace
are denied.
supercollider will have a profile and be fixed in Beta3, so it doesn't
even have to do the fallback.
--
You received this bug notification
I have tried freecad and unprivileged user namespace restrictions are
not the problem. freecad snap works, freecad ppa does not have a noble
build yet but the mantic build can be made to work.
freecad daily appimage: works
freecad appimage: stable fails with mesa or qt errors depending on
@sudipmuk loupe should be fixed in Beta3
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to
@eeickmeyer geary should be fixed in Beta3
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to
@guyster, @eldmannen+launchpad, @valeryan-24
Firefox dailies now have a work around, by detecting and disabling the
user namespace. The proper fix that should allow firefox to still use
the user namespace for its sandbox will land in Beta3, landing early
next week.
--
You received this bug
** Changed in: nautilus (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to nautilus in Ubuntu.
https://bugs.launchpad.net/bugs/2047256
Title:
Ubuntu 24.04 Some image thumbnails no longer
@valeryan-24 ModuleNotFoundError: No module named 'imp'" says that your
Gpodder issue is not related to this bug. You are missing a dependency
the 'imp' module. If Gpodder is packaged it will need to add that as
part of its install dependencies.
--
You received this bug notification because you
** Changed in: steam (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions
This is part of the apparmor alpha4 release in noble
** Changed in: plasma-desktop (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
@scarlet I think it is fair to mark these as Fixed released as they are
part of apparmor-alpha4 that is in noble.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
This is part of the alpha4 release in noble
** Changed in: kdeplasma-addons (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
** Changed in: steam (Ubuntu)
Status: Confirmed => Fix Committed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to bubblewrap in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions
So appimages are interesting. They don't all need a profile. I have run
several that are not using user namespaces, or only need to be able to
create the user namespace and don't need capabilities so the default
unpriviled_userns profile works for them.
It is applications that need privileges
Erich,
yes the archive version is based on the ppa, with a couple small fixes
in the packaging. The ppa is going to get updated based the new archive
version + a few more patches.
Do you have some higher priority electron apps that you can point us at.
We will look into the Visual Studo and
One more addition, the current state of how unconfined deals with
unprivileged user namespaces is a temporary limitation. The afore
mentioned improvement will allow for more customization at the policy
level. The current fixed behavior will be the default.
--
You received this bug notification
So the answer is it depends on how they are using unprivileged user
namespaces and how they react to them being denied, not every
application needs to patched separately.
Generally speaking gnome has been better tested than KDE had because
gnome being the Ubuntu default saw a lot more opt in
We have found that allowing the user namespace creation, and then
denying capabilities is in general handled much better by KDE. The the
case of the plasmashell and the browswer widget denying the creation of
the user namespace would cause a crash with a SIGTRAP backtrace, where
allowing the
Sorry for the delay on this, we had some bugs to chase down. The
following PPA has an update to how user namespace mediation is being
handled. For the unconfined case there are two options
1. If the unprivileged_userns profile does not exist, unprivileged user
namespace creation is denied as
So there is not enough information to determine whether apparmor was
involved, as it is only one source of permissions being denied. Seccomp,
namespacing, etc can all result in permissions being denied.
grepping the kernel logs for DENIED would be the best way to check if
there is an associated
This is not a disconnect between the capability framework (which is
integrated into the LSM), nor the devs who implemented AppArmor.
Calls to capable() can have side effects, it is an LSM hook and linux
capabilities are implemented as an LSM module that is stacked with the
other LSMs. So if an
@georgiag we could move the abstraction include to "include if exists"
to take care of the depends. Generally speaking evince shouldn't depend
on apparmor, but of course make use of it if it is available.
--
You received this bug notification because you are a member of Desktop
Packages, which
Jammy has not had any changes to the apparmor packages.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1955434
Title:
Driverless printing detection does not work
Status in apparmor
If its just log flooding then denying access would get rid of the
logging without adding extra permissions. ie.
deny owner @{PROC}/@{pid}/mem r,
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
I pulled the evince source and there does not appear to be any direct
support for portals, and sandbox support is an untasked item on their
roadmap. However it still may be possible via the gnome libs, or via
dlopen. Those routes would need to be further investigated.
--
You received this bug
Where/what file are you adding net_admin caps too? I would not expect
modifying the cups profile to affect the default media player.
Can you look for apparmor="DENIED" messages in your log?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed
On 10/25/20 5:15 AM, baptx wrote:
> I got it working by adding the 2 lines at the end of the
> /etc/apparmor.d/usr.bin.firefox just before the closing brack "}".
> Without these lines, I had to use another workaround by disabling
> Apparmor completely on Firefox with a command like "sudo
can you look in dmesg or kern.log for the actual apparmor denial?
> I have absolutely no idea what "ixr"
allow r (read) permission
allow ix == on eXecute inherit the current profile
an exec permission can specify different options that should be taken,
inherit the current profile, transition to
I can not speak to specifics but there are a lot of potential reason's a
packager (not firefox specific) might not be updating the profile.
- They don't use the profile / or maybe apparmor. (package
maintainership evolves and not everyone who might even be aware of it
without digging in)
- The
I should further note that this needs kernel patches to be fixed.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1861408
Title:
firefox apparmor messages
Status in apparmor package
Firefox uses cap sys_admin to set up its sandbox, which is extremely
unfortunate but required on linux to be able to set up the
user_namespace, do the chroot etc. Current the LSM and user namespaces
don't interact as well as they should.
AppArmor can NOT properly determine the policy namespace
possibly. There isn't actually enough information in that bug to be sure
if it is an actual namespacing issue or it is a separate bug to do with
unix domain sockets.
Unfortunately the workaround of attach_disconnect is still required to
deal with these issues.
--
You received this bug
Correct.
There are actually several ways to get disconnected paths and this
specific one is being caused by the new file ns. The proper fix for this
is delegating access to the object that would not normally be
accessible, however delegation is not available in the current releases
of apparmor
writing to the journal socket should be added to an abstraction the same
as writing to /dev/log
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in
2) new kernel and old userspace
This is currently better tested than 3, but of course needs to be done
again with any changes made to the kernel.
Also note that the regression tests been improved and expanded for all
three cases
--
You received this bug notification because you are a member of
bzipitdoo,
Sorry for the delayed response.
I would not say this is the same problem, though it is similar. The
cupsd profile is not granting permission to lock /run/utmp which is
being asked for (I'm not sure why).
You can try fixing this by adding the line
/run/utmp k,
to the cupsd profile
aa-status is part of the apparmor package
aa-disabled is part of the apparmor-utils package
the package split is done to reduce the install foot print to a minimum
for base installs, iso images etc.
The failure of the apparmor_parser -R is odd, perhaps the profile had
been already removed by a
Can you please provide the contents of
sudo aa-status
/etc/apparmor.d/cache/.features
/etc/apparmor.d/cache/sbin.dhclient
ls -a /sys/kernel/security/apparmor/
if present (and dependent on whether its a dir or file)
ls -a /sys/kernel/security/apparmor/features
or
cat -s
So yes this is because of the unshare of the file system namespace.
Currently the only work around is the use of the attach_disconnected
flag. Alternate solutions are coming as part of the work to support lxc
Martin:
The only way to temporarily add the attach_disconnected flag is to manually
Hrmmm so apport-collect didn't attach the compiz crash, that happened 30
or 40 minutes after I initially reported this bug.
This seems to be hybrid graphics related. I should be using intel ivy
bridge graphics but there is also nvidia graphics in the machine.
Uninstalling and reinstalling
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gdm in Ubuntu.
https://bugs.launchpad.net/bugs/862149
Title:
gdm does not respect gnome power management settings
Status in “gdm” package in Ubuntu:
New
Bug description:
Set gdm as
65 matches
Mail list logo