[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
@u-dal: thank you, though I have to say I am at a loss as to why the snap version of thunderbird is trying to access

```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```

What kind of configuration have you done? I see you are copying data from /media/lubuntu/drive/startup/ into the snap; is something in one of these a symlink into /media/lubuntu/drive/hq/email/thunderbird?

As for why this used to work and doesn't now: thunderbird, unless you opted into it (enabled the profile), was not confined. The snap thunderbird is confined and defines down to the file what thunderbird has access to. Snaps however are not under normal apparmor control, and make it somewhat hard for the user to extend what is allowed.

There are a few things that can be done to work around the issue but I am still trying to understand why thunderbird is trying to access that location.

Things we can do to work around this issue immediately, so you can have access to your mail:

1. Enable snapd prompting in the new security center (it's a flutter based application, I am not sure if lubuntu is shipping it by default). If this is a location that falls under what is allowed to prompt (I am not sure it is), snapd will prompt you about allowing the access, store your response and it will be allowed in the future.
2. Reinstall the thunderbird snap in dev mode.
3. Manually update the snap profile. There will have to be a script that recopies and reloads, as snap can and will regenerate and reload when it refreshes.
4. Uninstall the thunderbird snap and install thunderbird as a deb via the mozilla ppa. You can opt into an apparmor profile if you want; in this case you get full control over the profile.
5. Disable apparmor in grub.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2064363

Title:
  thunderbird snap on live systems "already running" but not responsive

Status in apparmor package in Ubuntu:
  New

Bug description:
  Moving this here from
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

  snap policy on an overlay system is preventing thunderbird from running.

  This is related to the snapcraft forum report
  https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
So my supposition on the overlay looks to be incorrect. Would you be willing to attach your full mount information?
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in AppArmor: New
Status in Wike: New
Status in akonadiconsole package in Ubuntu: Fix Released
Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Fix Released
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Fix Released
Status in evolution package in Ubuntu: Fix Released
Status in falkon package in Ubuntu: Fix Released
Status in firefox package in Ubuntu: Confirmed
Status in foliate package in Ubuntu: Fix Committed
Status in freecad package in Ubuntu: Invalid
Status in geary package in Ubuntu: Fix Released
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Invalid
Status in goldendict-webengine package in Ubuntu: Fix Released
Status in guix package in Ubuntu: New
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Fix Released
Status in kdeplasma-addons package in Ubuntu: Fix Released
Status in kgeotag package in Ubuntu: Fix Released
Status in kiwix package in Ubuntu: Incomplete
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in loupe package in Ubuntu: Fix Released
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Fix Released
Status in opam package in Ubuntu: Fix Released
Status in pageedit package in Ubuntu: Fix Released
Status in plasma-desktop package in Ubuntu: Fix Released
Status in plasma-welcome package in Ubuntu: Fix Released
Status in privacybrowser package in Ubuntu: Invalid
Status in qmapshack package in Ubuntu: Fix Released
Status in qutebrowser package in Ubuntu: Fix Released
Status in rssguard package in Ubuntu: Fix Released
Status in steam package in Ubuntu: Fix Released
Status in supercollider package in Ubuntu: Fix Released
Status in tellico package in Ubuntu: Fix Released
Status in wike package in Ubuntu: Fix Committed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
@u-dal: can you attach the overlay mount information.
[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
** Attachment added: "dmesg denial output"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt
[Touch-packages] [Bug 2064363] [NEW] thunderbird snap on live systems "already running" but not responsive
Public bug reported:

Moving this here from
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

snap policy on an overlay system is preventing thunderbird from running.

This is related to the snapcraft forum report
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "aa-status and systemctl output"
   https://bugs.launchpad.net/bugs/2064363/+attachment/5773407/+files/comment-101.txt
[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
** Attachment added: "dmesg denial output"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@u-dal: the problem with firefox (it has a snap profile and is allowed access to user namespaces) is different than with chrome (no profile loaded), but still might be apparmor related.

Can you look in dmesg for apparmor denials

```
sudo dmesg | grep DENIED
```
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@u-dal: are you running in a live cd environment? Something odd is happening on your system, with some profiles loaded and systemctl reporting ConditionPathExists=!/rofs/etc/apparmor.d
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@u-dal: This sounds like the apparmor policy is not being loaded. Can you please provide the output of

```
sudo aa-status
```

and

```
sudo systemctl status apparmor
```
[Touch-packages] [Bug 2063976] Re: Apparmor breaking nsjail in AOSP
> To clarify, this is not something that can be solved upstream in apparmor, and a profile can't be accepted due to the nature of the path location?

Correct, if it is an unprivileged user writable location it can't be fixed entirely upstream. It is possible for us to ship a profile that is disabled in some way but that takes a privileged user action to enable. E.g. we could ship a profile using the xattrs attachment from above, then the user would be responsible for setting the xattr with setfattr.

Packaging nsjail is an option for Ubuntu but like you said it wouldn't directly address previous versions and AOSP probably wouldn't like it.

With that said this isn't going to be an Ubuntu only restriction; the security community in general is looking at different ways of restricting unprivileged user namespaces. SELinux has picked up some ability to mediate them, but isn't really applying it in policy yet. The OSS email list (oss-secur...@lists.openwall.com) has been discussing other options as well. The number of exploit chains associated with them has forced us to start locking them down. The AppArmor solution will be available to other distros as well; it is already available upstream in the kernel and apparmor 4.0.

AppArmor side, there is work on aa-notify that we are looking at SRUing. That will help desktop users if they have it installed, where they can get a notification that will take them to a simple gui that will allow them to click enable (with a password) instead of having to know the details underneath. It won't be integrated into the security center or pretty, but a little better than the current situation for the user.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2063976

Title:
  Apparmor breaking nsjail in AOSP

Status in apparmor package in Ubuntu:
  New

Bug description:
  Build sandboxing in AOSP is broken after updating to 24.04 with the
  following denials:

  [ 182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
  [ 182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6 capname="setgid"
  [ 182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"

  This seems to come from the following change earlier this year:
  https://gitlab.com/apparmor/apparmor/-/commit/789cda2f089b3cd3c8c4ca387f023a36f7f1738a

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2063976/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2063976] Re: Apparmor breaking nsjail in AOSP
Running privileged applications out of home is dirty. But it is the situation we are in with user namespaces and app images as well.

Ubuntu will not ship a profile for a privileged executable in the user's home or a writable location of an unprivileged user, as this can be leveraged to by-pass the restriction, or it requires us to expand user mediation in such a way that user writable locations with profiles defined become privileged.

Atm we are not adding additional restriction to the user. This allows the user to define a profile that allows by-passing the restriction. A user opting to create a profile in a user writable location is less dangerous as the location becomes non-standard so it becomes harder to exploit. It also requires the user to take a deliberate privileged action to add the profile.

Generally for the nsjail profile an attachment like

@{HOME}/android-*/prebuilts/build-tools/linux-x86/bin/nsjail

is slightly better, but still not great. Atm it is very close to the same, but there are improvements coming that will tighten @{HOME} to a user specific kernel variable which will be better than /**.

The other way to handle this would be setting the security xattr and using that as part of the attachment.

```
sudo setfattr -n security.apparmor -v nsjail
```

and define the profile as something like (you can make the path more specific if you want).

```
profile nsjail /**/nsjail xattrs=(security.apparmor="nsjail") flags=(unconfined) {
```
[Touch-packages] [Bug 2063976] Re: Apparmor breaking nsjail in AOSP
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the behavior of unprivileged user namespace mediation. With the unprivileged_userns profile loaded, when a user namespace is created by an unprivileged unconfined application the task will be transitioned into the unprivileged_userns profile. The unprivileged_userns profile will then deny privileged operations: capability, mount etc.

Without the unprivileged_userns profile loaded, the creation of the user namespace will be denied.

Through experimentation we have learned that many applications behave better with the unprivileged_userns loaded (they handle the errors better, e.g. qtwebkit will handle the error and fall back to using a sandbox without user namespaces, while without the profile it crashes). So that has become the default behavior.

You can experiment with changing the behavior by manually unloading the unprivileged_userns profile using

```
sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns
```

nsjail will likely require a profile to work, please see
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
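The two outcomes described in the message above (an AUDIT record for the transition into unprivileged_userns followed by DENIED records, or the namespace creation itself being denied) can be told apart mechanically in dmesg output. The following is an added example, not part of the original thread or of AppArmor: the first three sample records are the ones quoted in this bug, the fourth is constructed, and the function names are hypothetical.

```python
import re

# Records 1-3 are the audit lines quoted in bug 2063976 on this page.
# Record 4 is CONSTRUCTED for this example: it models the case where the
# unprivileged_userns profile is not loaded and creation itself is denied.
SAMPLE_DMESG = """\
[ 182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
[ 182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6 capname="setgid"
[ 182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"
[ 200.000000] audit: type=1400 audit(1714265900.000:500): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=4242 comm="bwrap" requested="userns_create"
"""

TRANSITIONED = "transitioned"
CREATION_DENIED = "creation denied"

# key=value pairs; values are either double-quoted (may contain spaces)
# or a bare token such as pid=8515 or error=-13.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def triage(dmesg_text):
    """Group user-namespace events by command name.

    The process that creates the namespace and the process that is later
    denied have different pids (8514 and 8515 in the quoted records), so
    records are correlated on comm rather than pid.
    """
    report = {}
    for line in dmesg_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        verdict, op = rec.get("apparmor"), rec.get("operation")
        comm = rec.get("comm", "?")
        if op == "userns_create":
            entry = report.setdefault(comm, {"state": None, "blocked": []})
            if verdict == "AUDIT" and rec.get("target") == "unprivileged_userns":
                entry["state"] = TRANSITIONED
            elif verdict == "DENIED":
                entry["state"] = CREATION_DENIED
        elif verdict == "DENIED" and rec.get("profile") == "unprivileged_userns":
            entry = report.setdefault(comm, {"state": None, "blocked": []})
            detail = rec.get("capname") or rec.get("name", "")
            entry["blocked"].append((op, detail))
    return report


def advise(entry):
    """Map a triage entry to the remediation the thread points to."""
    if entry["state"] == TRANSITIONED:
        return ("namespace created, then confined by unprivileged_userns: "
                "the program needs its own profile allowing userns")
    if entry["state"] == CREATION_DENIED:
        return ("namespace creation denied: check with aa-status whether "
                "the unprivileged_userns profile is loaded")
    return "denied under unprivileged_userns, no transition record in this log"


if __name__ == "__main__":
    for comm, entry in triage(SAMPLE_DMESG).items():
        print(f"{comm}: {advise(entry)}")
        for op, detail in entry["blocked"]:
            print(f"  blocked {op}: {detail}")
```

On a live system the input would be the output of `sudo dmesg`, the same source the thread filters with `grep DENIED`; filtering on DENIED alone drops the AUDIT transition record that this triage relies on.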
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues, 1.19.16 installs fine and runs, but in a degraded sandbox mode. So adding a profile for it would be beneficial.

The appimage version of Balena Etcher unfortunately fails to run. We can not provide a default profile for the appimage unless the user moves it to the default deb install location (i.e. installs it to the system, instead of running it from their home dir). Users are free to add their own confinement profiles for appimages. Directions are in
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in AppArmor: New
Status in Wike: New
Status in akonadiconsole package in Ubuntu: Fix Released
Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Fix Released
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Fix Released
Status in evolution package in Ubuntu: Fix Released
Status in falkon package in Ubuntu: Fix Released
Status in firefox package in Ubuntu: Confirmed
Status in foliate package in Ubuntu: Fix Committed
Status in freecad package in Ubuntu: Invalid
Status in geary package in Ubuntu: Fix Released
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Invalid
Status in goldendict-webengine package in Ubuntu: Fix Released
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Fix Released
Status in kdeplasma-addons package in Ubuntu: Fix Released
Status in kgeotag package in Ubuntu: Fix Released
Status in kiwix package in Ubuntu: Incomplete
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in loupe package in Ubuntu: Fix Released
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Fix Released
Status in opam package in Ubuntu: Fix Released
Status in pageedit package in Ubuntu: Fix Released
Status in plasma-desktop package in Ubuntu: Fix Released
Status in plasma-welcome package in Ubuntu: Fix Released
Status in privacybrowser package in Ubuntu: Invalid
Status in qmapshack package in Ubuntu: Fix Released
Status in qutebrowser package in Ubuntu: Fix Released
Status in rssguard package in Ubuntu: Fix Released
Status in steam package in Ubuntu: Fix Released
Status in supercollider package in Ubuntu: Fix Released
Status in tellico package in Ubuntu: Fix Released
Status in wike package in Ubuntu: Fix Committed

Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

```
$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)
```

Thanks for your help!
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
The Wike fix is coming in the next SRU.

https://bugs.launchpad.net/bugs/2046844
[Touch-packages] [Bug 2056627] Re: PHPStorm crashes when opening a project
It's not just that app images don't have a default path, we can handle that as well. It is that user namespaces have become a privileged operation, and the user must take some privileged action to allow applications to use them. That can be any of

- moving the application into a well known privileged location that has a profile already associated with it.
- creating a profile for the application where it is installed in their unprivileged location. This is currently allowed but problematic in that unprivileged code could potentially write to it and we are not currently restricting unprivileged applications from writing these locations. But that will come.
- tagging the application with the correct security label.

The important part is the user must take a privileged action to allow applications that are using user namespaces to gain privilege. Note, applications that use user namespaces that don't require privilege are allowed, it's only applications that require privilege within the user namespace.

Unfortunately appimages that use user namespaces need the user to take one of the above privileged actions. And unfortunately Ubuntu can not "fix" this without disabling the protection. There are plans to improve the user experience and make this easier for users to do, but atm it is a manual process.

The instructions provided by Seth will enable you to get the appimage running.

https://bugs.launchpad.net/bugs/2056627

Title: PHPStorm crashes when opening a project

Status in apparmor package in Ubuntu: Confirmed

Bug description:
Filing mostly in case anyone else hits this and is looking for workarounds:

Since the update to 24.04 PHPStorm crashes on open for me. I think when it tries to preview a markdown file, like a README.md which is shown when opening a project.

```
[0309/094602.913394:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/user/bin/phpstorm/jbr/lib/chrome-sandbox is owned by root and has mode 4755.
```

Workaround 1 (won't persist reboots, needs root):

```
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
```

Workaround 2 (persists and doesn't need root): thanks to
https://youtrack.jetbrains.com/issue/IDEA-313202/IDE-crashes-due-to-chrome-sandbox-is-owned-by-root-and-has-mode-error-when-IDE-is-launching-the-JCEF-in-a-sandbox#focus=Comments-27-7059083.0-0

* Run `/bin/phpstorm.sh dontReopenProjects` (to avoid it crashing on start)
* ctrl+shift+a
* type "Registry..." and select it
* disable the "ide.browser.jcef.sandbox.enable" option
* Restart phpstorm
[Touch-packages] [Bug 2039294] Re: apparmor docker
To make this generic so that it will work on older and newer hosts we should probably change the peer expression to

```
signal (receive) peer={runc,unconfined},
```

or possibly, define an @{runc} variable in the preamble and use that. This really only is advantageous, in that it shows semantic intent, if using the value of unconfined, or if @{runc} is used multiple times within the profile.

```
@{runc}={peer,unconfined}
signal (receive) peer=@{runc},
```

https://bugs.launchpad.net/bugs/2039294

Title: apparmor docker

Status in docker: New
Status in apparmor package in Ubuntu: Incomplete

Bug description:

```
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 23.10
Release:        23.10
Codename:       mantic
```

Docker version 24.0.5, build 24.0.5-0ubuntu1

Graceful shutdown doesn't work anymore due to SIGTERM and SIGKILL (maybe all signals?) not reaching the target process. Works when apparmor is uninstalled.

```
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
```
[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl
Thank you for your quick and helpful reply. A few quick checks make it appear that reinstalling libssl as you suggested has completely resolved the problem.

Thanks also for your suggestion about checking failing hardware. There seems to be no sign of any errors in my drive, but I'll continue to test the drive and my RAM. Perhaps it was just a stray cosmic ray.

Thanks again and best wishes to successful bug smashing!

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2063271

Title: Illegal opcode in libssl

Status in openssh package in Ubuntu: New

Bug description:
Many programs using openssl now fail, typically with messages such as

```
Illegal instruction (core dumped)
```

This seems to be a serious error, since it affects, for example, update-manager. Since this makes it harder to get security updates, I would also consider it a security vulnerability.

The issue seems to be that openssl seems to be an attempt to use an illegal opcode. A few sample entries in /var/log/syslog are:

```
Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000]
Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000]
Apr 21 19:40:05 einstein kernel: [496871.653271] traps: chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 error:0 in libssl.so.3[79432ff97000+5b000]
Apr 22 16:23:08 einstein kernel: [501744.765118] traps: check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 error:0 in libssl.so.3[797c7cc7a000+5b000]
Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000]
Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000]
Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000]
```

This bug report itself had to be submitted manually since ubuntu-bug now itself fails.

lsb_release -rd reports:

```
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
```

apt-cache policy openssl reports:

```
openssl:
  Installed: 3.0.2-0ubuntu1.15
  Candidate: 3.0.2-0ubuntu1.15
  Version table:
 *** 3.0.2-0ubuntu1.15 500
        500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
```

/proc/version for my computer gives

```
Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2
```

/proc/cpuinfo for my computer starts

```
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 78
model name : Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
stepping : 3
microcode : 0xf0
cpu MHz : 500.018
cache size : 4096 KB
physical id : 0
siblings : 4
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds mmio_stale_data retbleed gds
bogomips : 5199.98
clflush size : 64
cache_alignment : 64
address sizes : 39 bits physical, 48 bits virtual
power management:
...
```
[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl
** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/2063271
[Touch-packages] [Bug 2057943] Re: Can't disable or modify snap package apparmor rules
I will note that current snap behavior is by design. Not saying that they couldn't make this easier but the snap side is functioning the way it was designed.

https://bugs.launchpad.net/bugs/2057943

Title: Can't disable or modify snap package apparmor rules

Status in apparmor package in Ubuntu: New
Status in snapd package in Ubuntu: New

Bug description:
On Ubuntu 20.04 (and probably 22.04 and greater), it is impossible to disable snap chromium apparmor rules:

```
root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure
Can't find chromium.hook.configure in the system path list. If the name of the application is correct, please run 'which snap.chromium.hook.configure' as a user with correct PATH environment set up in order to find the fully-qualified path and use the full path as parameter.

root@{HOSTNAME}:~# aa-complain snap.chromium.chromedriver -d /var/lib/snapd/apparmor/profiles
ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

root@{HOSTNAME}:~# aa-complain snap.chromium.chromium -d /var/lib/snapd/apparmor/profiles
ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure -d /var/lib/snapd/apparmor/profiles
ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
```

It seems like no one has an answer on how these overly restricted rules can be disabled:

https://askubuntu.com/questions/1267980/how-to-disable-apparmor-for-chromium-snap-ubuntu-20-04
https://ubuntuforums.org/showthread.php?t=2410550
https://ubuntuforums.org/showthread.php?t=2449022
https://answers.launchpad.net/ubuntu/+source/apparmor/+question/701036

So I just got rid of apparmor which doesn't seem like the solution I was after, but it works great now:

```
sudo systemctl stop apparmor
sudo systemctl disable apparmor
```

Please give us a way to modify (and keep the rules permanently modified even after snap updates) snap apparmor rules. Thank you!
[Touch-packages] [Bug 2058179] Re: Kernel 6.8 + zfs-2.2.2: copy_file_range Operation Not Supported
** Changed in: zfs-linux (Ubuntu Noble)
   Status: Confirmed => In Progress

** Changed in: zfs-linux (Ubuntu Noble)
   Assignee: (unassigned) => John Cabaj (john-cabaj)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2058179

Title: Kernel 6.8 + zfs-2.2.2: copy_file_range Operation Not Supported

Status in Native ZFS for Linux: Fix Released
Status in systemd package in Ubuntu: Triaged
Status in zfs-linux package in Ubuntu: In Progress
Status in systemd source package in Noble: Triaged
Status in zfs-linux source package in Noble: In Progress

Bug description:
As per https://github.com/openzfs/zfs/issues/15930 ZFS and kernel 6.8 seem to throw EOPNOTSUPP on calling copy_file_range, breaking a multitude of applications.

Upcoming noble (24.04) appears to currently include kernel 6.8 and ZFS 2.2.2. One notable issue is when running Root on ZFS: systemd-sysusers will always fail to create users/groups with the error "Failed to backup /etc/{group,passwd}: Operation not supported" due to the call to copy_file_range.
[Touch-packages] [Bug 2062441] Re: Apparmor breaks Joplin Desktop
Unfortunately Joplin is only shipped as an appimage for Linux. Which means we can not ship a profile for it by default that will allow it to use capabilities within the unprivileged user namespace that the electron embedded browser is attempting to use.

This means that the user is required to intervene to enable an electron based appimage so that it can be run. Unfortunately for 24.04 this means some manual command line based intervention, instead of using a GUI like on MacOS when a user needs to enable an application downloaded from the internet.

This change is deliberate to increase the security of Ubuntu systems, and while we will work on improving the user experience the requirement to have the user approve applications that are using privileged kernel interfaces there is no plan to revert this change.

You can read more about this in the release notes
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890

If you look in the kernel logs (or dmesg) you will find an apparmor message similar to below showing what is causing your issue.

```
$ sudo dmesg | grep "apparmor=\"AUDIT"
[ 85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
```

and

```
$ sudo dmesg | grep DENIED
[ 85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21 capname="sys_admin"
```

Unfortunately unprivileged user namespaces are using privileged kernel interfaces (above protected by capability sys_admin) that have now been restricted to known applications because they have been used in a lot of exploit chains.

You can add a profile for the application by copying the profile from below into /etc/apparmor.d/ and then updating by replacing ```/home/jj/Downloads/Joplin-2.14.20.AppImage``` with the location you are running your joplin appimage from.

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile joplin /home/jj/Downloads/Joplin-2.14.20.AppImage flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/joplin>
}
```

Once that is done you can do

```
$ sudo apparmor_parser -r /etc/apparmor.d/joplin
```

that will allow you to run joplin without having to reboot. Having the joplin profile in /etc/apparmor.d/ will ensure it is reloaded if you reboot.

** Changed in: apparmor (Ubuntu)
   Status: New => Won't Fix

https://bugs.launchpad.net/bugs/2062441

Title: Apparmor breaks Joplin Desktop

Status in apparmor package in Ubuntu: Won't Fix

Bug description:
Joplin is a FOSS note taking app based on electron, that does not work in Ubuntu 24.04 due to apparmor preventing it from running.
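The log reading described in the message above, as an added example that is not part of the original message or of AppArmor itself: a Python script that parses AppArmor audit records, groups the `unprivileged_userns` transition and the denials that follow it by command name, and lists the commands that would need a profile granting `userns`. The sample records are the ones quoted in the nsjail, Joplin and Docker reports on this page; the function names are this example's own, and treating a `DENIED` `userns_create` record as the "profile not loaded" case is an assumption.

```python
import re

# Audit records copied from the nsjail, Joplin and Docker reports on this page.
SAMPLE_LOG = """\
[ 182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
[ 182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6 capname="setgid"
[ 182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"
[ 85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
[ 85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21 capname="sys_admin"
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
USERNS_PROFILE = "unprivileged_userns"


def parse_record(line):
    """Parse one AppArmor audit line into a dict; return None for other lines."""
    stamp = STAMP_RE.search(line)
    if stamp is None or "apparmor=" not in line:
        return None
    fields = {"time": float(stamp.group(1)), "serial": int(stamp.group(2))}
    for key, quoted, bare in FIELD_RE.findall(line[stamp.end():]):
        fields[key] = quoted if quoted else bare
    return fields


def describe(rec):
    """Summarise what a DENIED record was blocking."""
    op = rec.get("operation", "?")
    if op == "capable":
        return "capability " + rec.get("capname", rec.get("capability", "?"))
    if op == "mount":
        return "mount %s (%s)" % (rec.get("name", "?"), rec.get("flags", ""))
    if op == "signal":
        return "signal %s (%s) peer=%s" % (
            rec.get("signal", "?"), rec.get("requested_mask", "?"), rec.get("peer", "?"))
    return op


def triage(lines):
    """Group records: user namespace restriction per command, everything else apart.

    The transition is logged for the parent pid and the denials for a child pid
    (8514 and 8515 in the nsjail report), so records are correlated by comm.
    """
    userns, other = {}, []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        comm, verdict, op = rec.get("comm", "?"), rec.get("apparmor"), rec.get("operation")
        if verdict == "AUDIT" and op == "userns_create" and rec.get("target") == USERNS_PROFILE:
            userns.setdefault(comm, {"transitioned": False, "denied": []})["transitioned"] = True
        elif verdict == "DENIED" and (rec.get("profile") == USERNS_PROFILE or op == "userns_create"):
            # Assumption: with the unprivileged_userns profile unloaded, the
            # creation itself is what gets denied, so it is counted here too.
            userns.setdefault(comm, {"transitioned": False, "denied": []})["denied"].append(describe(rec))
        elif verdict == "DENIED":
            other.append((rec.get("profile", "?"), comm, describe(rec)))
    return {"userns": userns, "other": other}


def needs_userns_profile(report):
    """Commands that were denied something because of the userns restriction."""
    return sorted(comm for comm, entry in report["userns"].items() if entry["denied"])


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for comm in needs_userns_profile(report):
        entry = report["userns"][comm]
        print("%s: transitioned=%s denied=%s" % (comm, entry["transitioned"], entry["denied"]))
    for profile, comm, what in report["other"]:
        print("unrelated to userns: profile=%s comm=%s %s" % (profile, comm, what))
```

On a live system the same functions can be fed the output of `sudo dmesg` or the journal instead of `SAMPLE_LOG`; note that `comm` is truncated by the kernel, as in `@joplinapp-desk`.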
[Touch-packages] [Bug 2058179] Re: Kernel 6.8 + zfs-2.2.2: copy_file_range Operation Not Supported
I've tested an initial version with the upstream patch and attached the debdiff here. Will work to get this uploaded.

** Patch added: "zfs-linux_2.2.2-0ubuntu9.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/zfs-linux/+bug/2058179/+attachment/5767995/+files/zfs-linux_2.2.2-0ubuntu9.debdiff

https://bugs.launchpad.net/bugs/2058179

Status in Native ZFS for Linux: Fix Released
Status in systemd package in Ubuntu: Triaged
Status in zfs-linux package in Ubuntu: Confirmed
Status in systemd source package in Noble: Triaged
Status in zfs-linux source package in Noble: Confirmed
[Touch-packages] [Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3
The kernel team is already rolling kernels with the fix for 2061851 but it is also building in the https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel ppa

https://bugs.launchpad.net/bugs/2061869

Title: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3

Status in apparmor package in Ubuntu: New
Status in linux-lowlatency package in Ubuntu: New

Bug description:
After upgrading to linux-lowlatency 6.8.0-25, suddenly snaps can no longer connect to network. I tried downgrading snapd from edge, still no connectivity. Only solution was to downgrade back to 6.8.0-7.

I'll also add apparmor in case this is an apparmor issue as well.

Marking as "critical" priority as this affects all installs of Ubuntu Studio and affects Firefox and Thunderbird.
[Touch-packages] [Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3
This is likely a dup of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851
[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue
More applications will be getting confinement; on an individual level I don't think it will be everything from debs.

In this case it's because it uses unprivileged user namespaces, which is now being restricted and treated as semi-privileged because it gives access to several privileged kernel interfaces. Those privileged kernel interfaces should be in theory safe, but the reality is that they aren't. Unprivileged user namespaces are the first step in almost every kernel exploit chain for the last 7 or so years. In Pwn2Own last year 4 of the 5 exploits used unprivileged user namespaces. This year all 4 did; however, if you turn the restriction on (present in 23.10 but not enabled by default) every one of the exploits is blocked.

The current step is far from perfect, but we are working on improving it.

https://bugs.launchpad.net/bugs/2060810

Title: Wike does not run in Ubuntu 24.04 due to apparmor issue

Status in apparmor package in Ubuntu: New

Bug description:
Wike (deb package/compiled version) does not run in Ubuntu 24.04 possibly due to some interference between apparmor and webkit.

```
$ wike

(process:11686): Gtk-WARNING **: 02:55:41.246: Unknown key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
bwrap: setting up uid map: Permission denied

** (wike:11686): ERROR **: 02:55:41.837: Failed to fully launch dbus-proxy: Child process exited with code 1
Trace/breakpoint trap
```

A workaround is to create the file `/etc/apparmor.d/wike` with the following contents:

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi ,
include

profile wike /usr/bin/wike flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists
}
```

Then run `sudo systemctl restart apparmor.service`

This is also reported in GitHub for Wike https://github.com/hugolabe/Wike/issues/181
[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue
There are vague plans, yes. The timeline of it has not been scoped, but it would be something akin to what happens on macOS when you try to run a downloaded application for the first time and you have to go into their security config to allow it. The application will still be "confined" but it may not get its own individual profile and share one with others the user has downloaded.

The unconfined profiles will also get developed into full profiles. The plan is that unconfined profiles won't be a standard thing but an exception.

Another thing going to happen in the next upload is bwrap gets its own profile. Applications using bwrap might work through the bwrap profile. There will still be cases where they will need their own profile, but the bwrap profile will cover several cases that don't work today. Applications that have already received an unconfined profile will continue to work that way.
[Touch-packages] [Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue
The fix has been merged upstream in https://gitlab.com/apparmor/apparmor/-/merge_requests/1209 and it will be in the next release.

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)

https://bugs.launchpad.net/bugs/2060767

Title: Foliate does not run in Ubuntu 24.04 due to apparmor issue

Status in apparmor package in Ubuntu: Confirmed

Bug description:
When I try to open any epub via Foliate (installed from official Ubuntu repositories), it does not run.

```
$ foliate Alcott, Louisa May - Little Women.epub

(com.github.johnfactotum.Foliate:2289): Gtk-WARNING **: 01:51:13.769: Unknown key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
bwrap: setting up uid map: Permission denied

** (com.github.johnfactotum.Foliate:2289): ERROR **: 01:51:14.283: Failed to fully launch dbus-proxy: Child process exited with code 1
Trace/breakpoint trap
```

A workaround (https://github.com/johnfactotum/foliate/issues/1271#issuecomment-2016575770) is to create the `/etc/apparmor.d/foliate` file with the appropriate content described in that link.

A similar bug was reported for VSCode (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056517)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined profile, as that allows for an arbitrary bypass of the restriction. There is a potential solution in the works that will allow for bwrap and unshare to function as long as the child task does not require permissions but at this point there are still some issues with it that are being debugged.

https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in AppArmor: New
Status in akonadiconsole package in Ubuntu: Fix Released
Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Fix Released
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Fix Released
Status in evolution package in Ubuntu: Fix Released
Status in falkon package in Ubuntu: Fix Released
Status in firefox package in Ubuntu: Confirmed
Status in freecad package in Ubuntu: Invalid
Status in geary package in Ubuntu: Fix Released
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Invalid
Status in goldendict-webengine package in Ubuntu: Fix Released
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Fix Released
Status in kdeplasma-addons package in Ubuntu: Fix Released
Status in kgeotag package in Ubuntu: Fix Released
Status in kiwix package in Ubuntu: Incomplete
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in loupe package in Ubuntu: Fix Released
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Fix Released
Status in opam package in Ubuntu: Fix Released
Status in pageedit package in Ubuntu: Fix Released
Status in plasma-desktop package in Ubuntu: Fix Released
Status in plasma-welcome package in Ubuntu: Fix Released
Status in privacybrowser package in Ubuntu: Invalid
Status in qmapshack package in Ubuntu: Fix Released
Status in qutebrowser package in Ubuntu: Fix Released
Status in rssguard package in Ubuntu: Fix Released
Status in steam package in Ubuntu: Fix Released
Status in supercollider package in Ubuntu: Fix Released
Status in tellico package in Ubuntu: Fix Released

Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

Thanks for your help!
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@arraybolt3:

Answer to your question. bwrap requires capabilities within the user namespace. unshare is a little more forgiving in that what it requires depends on the options passed but most of the options also require capabilities within the user namespace.

The potential solution I mention in comment #91 is to define a profile for bwrap that allows it capabilities within the namespace but does not allow its children capabilities within the namespace, so that bwrap and unshare cannot just launch an application to bypass the restriction.

This seems to work well for unshare but there are cases where bwrap is failing in unexpected ways (which is still being debugged). At this late stage the plan is to try to get a fix for bwrap in but, if necessary, to file an SRU for the bwrap fix.

So yes this is being worked on and even if the fix isn't present on day one we do plan to get it fixed.
[Touch-packages] [Bug 1597017] Re: mount rules grant excessive permissions
It is in the SRU queue and the current ETA is April 15 to land in the proposed pocket (archive proposed not security proposed ppa). There is a caveat that the recent xz backdoor has caused some "fun" on the archive side and could potentially cause some delays.

https://bugs.launchpad.net/bugs/1597017

Title: mount rules grant excessive permissions

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in apparmor source package in Focal: In Progress
Status in apparmor source package in Jammy: In Progress

Bug description:
SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing.

Risk of Regression:

The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup.

The packages prepared for focal-proposed and jammy-proposed have been tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu archive, but container managers outside of the ubuntu archive may run into issues, hence the need for testing and policy adjustments.

Original Report:

The rule
  mount options=(rw,make-slave) -> **,

ends up allowing
  mount -t proc proc /mnt

which it shouldn't as it should be restricted to commands with a make-slave flag
[Touch-packages] [Bug 2060100] Re: denials from sshd in noble
Fixed by MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1196

https://bugs.launchpad.net/bugs/2060100

Title: denials from sshd in noble

Status in apparmor package in Ubuntu: Confirmed
Status in apparmor source package in Noble: Confirmed

Bug description:
2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"

2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"
[Touch-packages] [Bug 2060100] [NEW] denials from sshd in noble
Public bug reported:

2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"

2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"

** Affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: Confirmed

** Affects: apparmor (Ubuntu Noble)
   Importance: Undecided
       Status: Confirmed

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

** Also affects: apparmor (Ubuntu Noble)
   Importance: Undecided
       Status: Confirmed
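The two denial records from this report, parsed into fields for triage, as an added example that is not part of the original report or of AppArmor's own tooling (function names and output keys are illustrative). It shows why the kernel record (type=1400) and the D-Bus record (type=1107) need different handling: in the second, the AppArmor fields sit inside `msg='...'` and the outer `pid` is the process that submitted the record, not the confined one.

```python
import re
from datetime import datetime, timezone

# The two audit records from the bug report, copied as they appear there
# (in the report the second record has no closing quote after peer_label).
RECORDS = [
    '2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 '
    'audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" '
    'profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" '
    'addr="@63cf34db7fbab75f/bus/sshd/system"',
    '2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 '
    'audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 '
    'ses=4294967295 subj=unconfined msg=\'apparmor="DENIED" '
    'operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" '
    'interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" '
    'mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" '
    'peer_pid=688 peer_label="unconfined"',
]

HEADER = re.compile(r'type=(\d+) audit\((\d+)\.\d+:(\d+)\):')
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Text of msg='...' up to the first single quote outside double quotes,
# or to the end of the line when the closing quote is missing.
INNER = re.compile(r'(?:[^\'"]|"[^"]*")*')


def _pairs(text):
    """Collect key=value and key="value" pairs into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(text)}


def parse_denial(line):
    """Return a triage dict for an AppArmor DENIED record, else None."""
    head = HEADER.search(line)
    if head is None:
        return None
    rec_type, epoch, serial = (int(g) for g in head.groups())
    body = line[head.end():]
    outer, sep, inner = body.partition("msg='")
    if sep:
        # Userspace record: AppArmor fields are nested, outer fields describe
        # the process that reported the denial.
        fields, reporter = _pairs(INNER.match(inner).group(0)), _pairs(outer)
    else:
        fields, reporter = _pairs(body), {}
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation", "").startswith("dbus"):
        target = "{}:{} {}.{}".format(
            *(fields.get(k, "?") for k in ("bus", "path", "interface", "member")))
    else:
        target = fields.get("addr") or fields.get("name") or "?"
    return {
        "source": "kernel" if rec_type == 1400 else "userspace",
        "utc": datetime.fromtimestamp(epoch, tz=timezone.utc)
                       .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "serial": serial,
        "confined": fields.get("profile") or fields.get("label"),
        "operation": fields.get("operation"),
        "mask": fields.get("denied_mask") or fields.get("mask"),
        "target": target,
        "subject_pid": int(fields["pid"]) if "pid" in fields else None,
        "reporter_pid": int(reporter["pid"]) if "pid" in reporter else None,
    }


def summarize(lines):
    """Group denials by confined profile/label: {profile: [(op, mask, target)]}."""
    out = {}
    for line in lines:
        rec = parse_denial(line)
        if rec:
            out.setdefault(rec["confined"], []).append(
                (rec["operation"], rec["mask"], rec["target"]))
    return out


if __name__ == "__main__":
    for profile, denials in summarize(RECORDS).items():
        print(profile)
        for op, mask, target in denials:
            print(f"  {op:<18} {mask:<5} {target}")
```
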
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
We have an update of the firefox profile coming that supports the /opt/firefox/firefox location used as the default install for the firefox downloaded directly from mozilla.org.

If you are running firefox out of your home directory, that will not be directly supported and you will need to choose to do one of the following to fix the issue.

1. The recommended way is updating the firefox profile in /etc/apparmor.d/firefox by adding the location you have firefox installed, and then reloading the profile with sudo apparmor_parser -r /etc/apparmor.d/firefox.

2. You can disable user namespaces; this will keep firefox from trying to use them as part of its sandbox https://lwn.net/Articles/673597/

3. The least recommended way to fix this is you can disable the finer grained user namespace restrictions as outlined in https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

** Changed in: qmapshack (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: qutebrowser (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: rssguard (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: supercollider (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: geary (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: goldendict-webengine (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: kchmviewer (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: loupe (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: notepadqq (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: pageedit (Ubuntu)
       Status: Confirmed => Fix Released
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@coeur-noir:

Are you installing firefox to /opt/ as recommended or using it locally in your user account?

As for bwrap, maybe it is known to be problematic. It is allowed to run and to create a user namespace but it is denied all capabilities within the namespace.

Can you run `sudo dmesg | grep apparmor` and add the information here.
[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8
So what I think is going on, from a first-pass look at this, is that we are seeing a change in kernel behavior around exec. The 6.8 has a known change here, that doesn't normally trigger because unconfined is delegating access into the profile. However in the lxd case, unconfined is not delegating access; the profile needs access to the application.

The accompanying patch should fix the issue, and does not actually grant any more permission than was already required; it was just being delegated in by unconfined.

** Patch added: "apparmor-add-execmap.patch"
   https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5758964/+files/apparmor-add-execmap.patch

https://bugs.launchpad.net/bugs/2058866

Title: proposed-migration for cups-browsed 2.0.0-0ubuntu8

Status in apparmor package in Ubuntu: New
Status in cups-browsed package in Ubuntu: New

Bug description:
cups-browsed 2.0.0-0ubuntu8 on armhf segfaults on startup (detected via an autopkgtest), early enough that LD_DEBUG=all gives no output.

A local no-change rebuild of 2.0.0-0ubuntu7 succeeded and the executable ran, so 8 was uploaded to try to fix this. But the executable somehow ONLY runs as ./debian/cups-browsed/usr/sbin/cups-browsed and segfaults when invoked as /usr/sbin/cups-browsed.
[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8
Do we know if there is a difference in the kernel between the runs? The 2.0.0.0~0ubuntu3 autopackage run log I was pointed at was on a Linux 5.4.0-170-generic #188-Ubuntu. Do we know what kernel 2.0.0-0ubuntu7 is failing on? There was a change to when security checks are made on the exec path. This particular denial makes me wonder if we are seeing an artifact of that here.
[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8
** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@ajg-charlbury: no, apparmor beta3 has not landed in proposed yet; we are working on the upload now. Firefox separately has added a bug fix that will detect when the user namespace/capabilities are denied and fall back without crashing, but it disables the full sandbox. The apparmor-beta3 fix should enable Firefox to function with the full sandbox.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in AppArmor: New
Status in akonadiconsole package in Ubuntu: Fix Released
Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Fix Released
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Fix Released
Status in evolution package in Ubuntu: Fix Released
Status in falkon package in Ubuntu: Fix Released
Status in firefox package in Ubuntu: Confirmed
Status in freecad package in Ubuntu: Invalid
Status in geary package in Ubuntu: Confirmed
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Invalid
Status in goldendict-webengine package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Confirmed
Status in kdeplasma-addons package in Ubuntu: Fix Released
Status in kgeotag package in Ubuntu: Fix Released
Status in kiwix package in Ubuntu: Incomplete
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in loupe package in Ubuntu: Confirmed
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Confirmed
Status in opam package in Ubuntu: Fix Released
Status in pageedit package in Ubuntu: Confirmed
Status in plasma-desktop package in Ubuntu: Fix Released
Status in plasma-welcome package in Ubuntu: Fix Released
Status in privacybrowser package in Ubuntu: Invalid
Status in qmapshack package in Ubuntu: Confirmed
Status in qutebrowser package in Ubuntu: Confirmed
Status in rssguard package in Ubuntu: Confirmed
Status in steam package in Ubuntu: Fix Released
Status in supercollider package in Ubuntu: Confirmed
Status in tellico package in Ubuntu: Fix Released

Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions
[Touch-packages] [Bug 2058241] [NEW] [X570 AORUS ELITE, Realtek ALCS1200A, Black Line Out, Rear] Pulseaudio fails to detect card
Public bug reported:

Audio is very crackly, choppy, and when converting videos, the videos end up the same. The system has a Realtek audio built in, but the driver shows Generic. Tried nearly all online fixes, none work but it seems many people have the same issue. Can someone help?

ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: pulseaudio 1:16.1+dfsg1-2ubuntu4
ProcVersionSignature: Ubuntu 6.5.0-25.25.1-lowlatency 6.5.13
Uname: Linux 6.5.0-25-lowlatency x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Mon Mar 18 06:38:35 2024
InstallationDate: Installed on 2024-03-17 (1 days ago)
InstallationMedia: Ubuntu-Studio 23.10 "Mantic Minotaur" - Release amd64 (20231010)
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 XDG_RUNTIME_DIR=
SourcePackage: pulseaudio
Symptom: audio
Symptom_Card: HDA-Intel - HD-Audio Generic
Symptom_Jack: Black Line Out, Rear
Title: [X570 AORUS ELITE, Realtek ALCS1200A, Black Line Out, Rear] Pulseaudio fails to detect card
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/18/2023
dmi.bios.release: 5.17
dmi.bios.vendor: American Megatrends International, LLC.
dmi.bios.version: F38e
dmi.board.asset.tag: Default string
dmi.board.name: X570 AORUS ELITE
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.asset.tag: Default string
dmi.chassis.type: 3
dmi.chassis.vendor: Default string
dmi.chassis.version: Default string
dmi.modalias: dmi:bvnAmericanMegatrendsInternational,LLC.:bvrF38e:bd07/18/2023:br5.17:svnGigabyteTechnologyCo.,Ltd.:pnX570AORUSELITE:pvr-CF:rvnGigabyteTechnologyCo.,Ltd.:rnX570AORUSELITE:rvrx.x:cvnDefaultstring:ct3:cvrDefaultstring:skuDefaultstring:
dmi.product.family: X570 MB
dmi.product.name: X570 AORUS ELITE
dmi.product.sku: Default string
dmi.product.version: -CF
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
** Affects: pulseaudio (Ubuntu) Importance: Undecided Status: New
** Tags: amd64 apport-bug mantic

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/2058241

Status in pulseaudio package in Ubuntu: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/2058241/+subscriptions
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@ajg-charlbury: yes, with firefox we are well aware of the problem; the firefox profile has been tweaked for beta3 (landing this week) so that it should work with the new deb.
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@arraybolt3: qutebrowser should be fixed in beta3

** Changed in: qutebrowser (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: qmapshack (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: notepadqq (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: pageedit (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@kc2bez: qmapshack should be fixed in beta3
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@kc2bez: I have been able to verify that privacybrowser is not working. However, it is not due to the apparmor user namespace restrictions. I get the following segfault out of dmesg:

[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc sp 7ffd5c6587e0 error 4 in libQt5Core.so.5.15.12[70bb4da8e000+335000] likely on CPU 0 (core 0, socket 0)
[ 1591.466026] Code: ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 98 00 00 00 48 89 55 80 <48> 8b 5f 08 89 b5 7c ff ff ff 64 48 8b 04 25 28 00 00 00 48 89 45

I recommend opening a separate bug to track the issue.

** Changed in: privacybrowser (Ubuntu) Status: Confirmed => Invalid
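The triage in the message above, telling a plain crash apart from an AppArmor user-namespace denial, can be scripted over dmesg output. This is an added example, not part of the original message or of any Ubuntu tool; the segfault line is the one quoted above, while the `userns_create` audit line and the `example-app` name are constructed for illustration.

```python
import re

# x86 page-fault error-code bits (the hex "error" field of a segfault line).
PF_PROT, PF_WRITE, PF_USER, PF_INSTR = 0x1, 0x2, 0x4, 0x10

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

SAMPLE = [
    # Constructed audit line, modelled on an AppArmor userns denial.
    '[ 1200.000000] audit: type=1400 audit(1710000000.000:100): '
    'apparmor="DENIED" operation="userns_create" class="namespace" '
    'profile="unconfined" pid=4242 comm="example-app" '
    'requested="userns_create" denied="userns_create"',
    # Segfault line quoted in the message above.
    '[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc '
    'sp 7ffd5c6587e0 error 4 in libQt5Core.so.5.15.12[70bb4da8e000+335000] '
    'likely on CPU 0 (core 0, socket 0)',
]


def decode_pf_error(code):
    """Translate the page-fault error code into what the CPU was doing."""
    if code & PF_INSTR:
        access = "instruction fetch"
    else:
        access = "write" if code & PF_WRITE else "read"
    return {
        "cause": "protection violation" if code & PF_PROT else "page not present",
        "access": access,
        "mode": "user" if code & PF_USER else "kernel",
    }


def parse_segfault(line):
    """Return the fields of a kernel 'segfault at' line, or None."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    out = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "error": decode_pf_error(err),
        # Heuristic: a fault inside the first page is usually NULL + field offset.
        "near_null": addr < 0x1000,
        "object": m["obj"],
        "offset": None,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:
            # Offset into the mapped object; feed this to addr2line or gdb
            # together with the matching debug symbols.
            out["offset"] = ip - base
    return out


def userns_denials(lines, comm):
    """AppArmor DENIED records for userns_create raised by process `comm`."""
    hits = []
    for line in lines:
        kv = dict(KV_RE.findall(line))
        if (kv.get("apparmor") == "DENIED"
                and kv.get("operation") == "userns_create"
                and kv.get("comm") == comm):
            hits.append(kv)
    return hits


def triage(lines, comm):
    """Summarise, for one process name, denials versus plain crashes."""
    crashes = [s for s in map(parse_segfault, lines) if s and s["comm"] == comm]
    return {"userns_denied": bool(userns_denials(lines, comm)),
            "segfaults": crashes}


if __name__ == "__main__":
    for name in ("privacybrowser", "example-app"):
        print(name, triage(SAMPLE, name))
```

For the quoted line this reports a user-mode read of a not-present page at address 8, at offset 0x283ccc into libQt5Core.so.5.15.12, with no userns denial logged for privacybrowser.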
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@kc2bez: pageedit should be fixed in beta3
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@kc2bez: notepadqq should be fixed in beta3
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@kc2bez: there are no updated deb packages in the ppa for kiwix. the kiwix appimage worked for me. kiwix flatpak worked for me. I am not sure what you were seeing. But we are going to need more information.

** Changed in: kiwix (Ubuntu)
Status: Confirmed => Incomplete
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
hi @vvaleryan-24, I have been able to replicate the crash you are seeing but it is not due to the user namespace restriction. The restrictions logging does not happen, and I can put it in an unconfined profile and it still doesn't help. From dmesg I find the following segfault

[79854.520976] gpk-application[19250]: segfault at 8 ip 5930eec2dba8 sp 7fff471b6b70 error 4 in gpk-application[5930eec24000+d000] likely on CPU 1 (core 0, socket 1)
[79854.520985] Code: 85 ff 0f 85 72 fd ff ff e9 72 fd ff ff 0f 1f 44 00 00 48 8b 44 24 30 48 8d 15 37 46 00 00 be 10 00 00 00 48 8d 3d c2 34 00 00 <48> 8b 48 08 31 c0 e8 6d 79 ff ff c7 43 04 00 00 00 00 48 8b 7b 50

my recommendation is we move debugging of this over to the other bug.

** Changed in: gnome-packagekit (Ubuntu)
Status: Incomplete => Invalid
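The triage in the message above (no restriction logging, plus a segfault in dmesg) can be scripted. This is an added example, not part of the original message: the segfault line is the one quoted from dmesg, while the AppArmor denial line is constructed and its field layout is an assumption.

```python
import re

# Kernel x86 "segfault at" line as quoted in the message above.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# Line quoted from the bug report.
PAGE_LINE = (
    "[79854.520976] gpk-application[19250]: segfault at 8 ip 5930eec2dba8 "
    "sp 7fff471b6b70 error 4 in gpk-application[5930eec24000+d000] "
    "likely on CPU 1 (core 0, socket 1)"
)

# Constructed sample of a user namespace denial; field layout is assumed.
CONSTRUCTED_DENIAL = (
    '[79800.000001] audit: type=1400 audit(0.000:1): apparmor="DENIED" '
    'operation="userns_create" class="namespace" profile="unconfined" '
    'pid=12085 comm="bwrap" requested="userns_create" denied="userns_create"'
)


def describe_error(err):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    mode = "user-mode" if err & 0x4 else "kernel-mode"
    if err & 0x10:
        kind = "instruction fetch"
    elif err & 0x2:
        kind = "write"
    else:
        kind = "read"
    cause = "protection violation" if err & 0x1 else "not-present page"
    return f"{mode} {kind}, {cause}"


def parse_segfault(line):
    """Return the decoded fields of a segfault line, or None if no match."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr = int(m["addr"], 16)
    ip = int(m["ip"], 16)
    result = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "access": describe_error(int(m["err"], 16)),
        # A fault in the first page usually means a NULL pointer plus a
        # small struct-member offset.
        "near_null": addr < 0x1000,
        "object": m["obj"],
        "offset": None,
    }
    if m["base"] is not None:
        # Offset of the faulting instruction inside the mapped object,
        # the value to hand to addr2line or a disassembler.
        result["offset"] = ip - int(m["base"], 16)
    return result


def classify(lines):
    """Separate a user namespace denial from an ordinary crash."""
    if any('apparmor="DENIED"' in l and "userns" in l for l in lines):
        return "apparmor-userns-denial"
    if any(parse_segfault(l) for l in lines):
        return "segfault"
    return "unknown"


if __name__ == "__main__":
    info = parse_segfault(PAGE_LINE)
    print(classify([PAGE_LINE]), info["access"], hex(info["offset"]))
```
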
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
this will be fixed in Beta

** Changed in: kchmviewer (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: rssguard (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: supercollider (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
sorry, this won't be fixed in Beta3; that note was for goldendict

** Changed in: gnome-packagekit (Ubuntu)
Assignee: John Johansen (jjohansen) => (unassigned)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Will be fixed in Beta3

** Changed in: goldendict-webengine (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
we will be fixed in Beta3

** Changed in: gnome-packagekit (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
I have tested gnome-packagekit and it never triggers unprivileged user namespace mediation. Can you please provide more information on how you triggered it?

** Changed in: gnome-packagekit (Ubuntu)
Status: Confirmed => Incomplete
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
** Changed in: loupe (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: geary (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: firefox (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
supercollider will work on current noble. Since it is using QTWebEngine it has a graceful fallback when capabilities within the user namespace are denied. supercollider will have a profile and be fixed in Beta3, so it doesn't even have to do the fallback.
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
I have tried freecad and unprivileged user namespace restrictions are not the problem.

freecad snap works, freecad ppa does not have a noble build yet but the mantic build can be made to work.
freecad daily appimage: works
freecad appimage: stable fails with mesa or qt errors depending on how/where it is started. Below is a paste of the error

```
MESA-LOADER: failed to open zink: /usr/lib/dri/zink_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
failed to load driver: zink
MESA-LOADER: failed to open swrast: /usr/lib/dri/swrast_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
failed to load driver: swrast
```

** Changed in: freecad (Ubuntu)
Status: Confirmed => Invalid
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@sudipmuk loupe should be fixed in Beta3
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@eeickmeyer geary should be fixed in Beta3
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@guyster, @eldmannen+launchpad, @valeryan-24 Firefox dailies now have a workaround, by detecting and disabling the user namespace. The proper fix that should allow firefox to still use the user namespace for its sandbox will land in Beta3, landing early next week.
[Touch-packages] [Bug 2046477] Re: Enable unprivileged user namespace restrictions by default
@pitti: yes, this is intended. At this stage we are essentially enumerating the known users of unprivileged user namespaces. We can ship the profile for you or you are welcome to ship it. In the future this is going to gradually tighten, some of the "unconfined" profiles will be developed into real profiles, unconfined (including these profiles) will get tied into integrity checks, or require user exceptions in the security center, etc.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046477

Title:
  Enable unprivileged user namespace restrictions by default

Status in apparmor package in Ubuntu: Triaged

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor, and for that to happen, the restrictions need to be enabled for 24.04

  When the unprivileged user namespace restrictions are enabled, various applications within and outside the Ubuntu archive fail to function, as they use unprivileged user namespaces as part of their normal operation.

  A search of the Ubuntu archive for the 23.10 release was performed looking for all applications that make legitimate use of the CLONE_NEWUSER argument, the details of which can be seen in https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

  For each package identified in that list, an investigation was made to determine if the application actually used this as an unprivileged user, and if so which of the binaries within the package were affected.

  The full investigation can be seen in https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately private) but is summarised to the following list of Ubuntu source packages, as well as some out-of-archive applications that are known to use unprivileged user namespaces.

  For each of these binaries, an apparmor profile is required so that the binary can be granted use of unprivileged user namespaces - an example profile for the ch-run binary within the charliecloud package is shown:

```
$ cat /etc/apparmor.d/ch-run
abi ,
include

profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists
}
```

  However, in a few select cases, it has been decided not to ship an apparmor profile, since this would effectively allow this mitigation to be bypassed. In particular, the unshare and setns binaries within the util-linux package are installed on every Ubuntu system, and allow an unprivileged user the ability to launch an arbitrary application within a new user namespace. Any malicious application then that wished to exploit an unprivileged user namespace to conduct an attack on the kernel would simply need to spawn itself via `unshare -U` or similar to be granted this permission. Therefore, due to the ubiquitous nature of the unshare (and setns) binaries, profiles are not planned to be provided for these by default. Similarly, the bwrap binary within bubblewrap is also installed by default on Ubuntu Desktop 24.04 and can also be used to launch arbitrary binaries within a new user namespace and so no profile is planned to be provided for this either.

  In Bug 2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. They were also added in the AppArmor upstream project.

  As well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic:

```
userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
  if [ "$unconfined_userns" -eq 0 ]; then
    # userns restrictions rely on unconfined userns to be supported
    echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
    sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
  fi
fi
```

  This allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but to also make sure we don't inadvertently enable it when it is not supported by the kernel.

To manage notifications about this bug go to:
[Touch-packages] [Bug 2046477] Re: Enable unprivileged user namespace restrictions by default
It solves several problems, but not all. With regard to unprivileged user namespace mediation it should fix

- mscode
- nautilus
- devhelp
- element-desktop
- epiphany
- evolution
- keybase
- opam

the element-desktop is still known to have some issues, which are on the snapd side. It needs to add some interfaces etc.

there is a beta3 coming early next week with additional fixes coming. The full set won't be finalized until beta3 is rolled this weekend.
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@valeryan-24 "ModuleNotFoundError: No module named 'imp'" says that your Gpodder issue is not related to this bug. You are missing a dependency, the 'imp' module. If Gpodder is packaged it will need to add that as part of its install dependencies.
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
the plasmashell profile is necessary for it to work under unprivileged user namespace restrictions.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd: New
Status in apparmor package in Ubuntu: Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".

  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.

  Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.

  Expected result: An apptray indicator should appear in the system tray with the Element logo.
  Actual result: No such indicator appears.

  2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.

  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information: Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:

```
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access
```

  Booting with `apparmor=0` set on the kernel command line fixes the issue with Element (apptray indicator appears, notifications show up). Obviously this is not a solution, but it does isolate AppArmor as being at least partially at fault.

  This issue seems to be somewhat similar to https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422, however it seems as if Element is trying to hit the right paths and interfaces and is still being denied (based on looking at the info in https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go and comparing the paths and interfaces there with the paths and interfaces shown by snappy-debug).

  I talked about this issue with Erich Eickmeyer and he mentioned that it occurred after a Plasma update. This doesn't make a great deal of sense to me, and I suspect possibly some other component of the affected systems happened to get updated at the same time (perhaps the snapd Snap), but it's definitely worth mentioning.

  An example of one of Thunderbird's fallback notifications
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
** Changed in: steam (Ubuntu)
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in AppArmor: New
Status in akonadiconsole package in Ubuntu: Fix Released
Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Fix Released
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Fix Released
Status in evolution package in Ubuntu: Fix Released
Status in falkon package in Ubuntu: Fix Released
Status in firefox package in Ubuntu: Confirmed
Status in freecad package in Ubuntu: Confirmed
Status in geary package in Ubuntu: Confirmed
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Confirmed
Status in goldendict-webengine package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Confirmed
Status in kdeplasma-addons package in Ubuntu: Fix Released
Status in kgeotag package in Ubuntu: Fix Released
Status in kiwix package in Ubuntu: Confirmed
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in loupe package in Ubuntu: Confirmed
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Confirmed
Status in opam package in Ubuntu: Fix Released
Status in pageedit package in Ubuntu: Confirmed
Status in plasma-desktop package in Ubuntu: Fix Released
Status in plasma-welcome package in Ubuntu: Fix Released
Status in privacybrowser package in Ubuntu: Confirmed
Status in qmapshack package in Ubuntu: Confirmed
Status in qutebrowser package in Ubuntu: Confirmed
Status in rssguard package in Ubuntu: Confirmed
Status in steam package in Ubuntu: Fix Released
Status in supercollider package in Ubuntu: Confirmed
Status in tellico package in Ubuntu: Fix Released

Bug description:

Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

```
$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)
```

Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
The rejects here are all from the snap.element-desktop.element-desktop profile. We will need to dig into that profile's permissions. If it's getting all the right paths correct, then I suspect the peer_label match might be the issue.

https://bugs.launchpad.net/bugs/2056696

Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd: New
Status in apparmor package in Ubuntu: Confirmed
[Touch-packages] [Bug 2057943] Re: Can't disable or modify snap package apparmor rules
If you are admin of your system, you can manually replace snap profiles. But there are some caveats in that snapd doesn't really want this. It manages its profiles, dynamically regenerates and replaces them etc.

You are correct that the tooling doesn't work here. It expects the abstractions to be in the same directory as the profile, which snapd profiles dir doesn't do.

I put this as a wish list as it's a feature development request to make the tooling support abstractions in a different location than the profile.

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Wishlist

https://bugs.launchpad.net/bugs/2057943

Title: Can't disable or modify snap package apparmor rules

Status in apparmor package in Ubuntu: New

Bug description:

On Ubuntu 20.04 (and probably 22.04 and greater), it is impossible to disable snap chromium apparmor rules:

```
root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure
Can't find chromium.hook.configure in the system path list. If the name of the application is correct, please run 'which snap.chromium.hook.configure' as a user with correct PATH environment set up in order to find the fully-qualified path and use the full path as parameter.

root@{HOSTNAME}:~# aa-complain snap.chromium.chromedriver -d /var/lib/snapd/apparmor/profiles
ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

root@{HOSTNAME}:~# aa-complain snap.chromium.chromium -d /var/lib/snapd/apparmor/profiles
ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure -d /var/lib/snapd/apparmor/profiles
ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
```

It seems like no one has an answer on how these overly restricted rules can be disabled:

https://askubuntu.com/questions/1267980/how-to-disable-apparmor-for-chromium-snap-ubuntu-20-04
https://ubuntuforums.org/showthread.php?t=2410550
https://ubuntuforums.org/showthread.php?t=2449022
https://answers.launchpad.net/ubuntu/+source/apparmor/+question/701036

So I just got rid of apparmor which doesn't seem like the solution I was after, but it works great now:

```
sudo systemctl stop apparmor
sudo systemctl disable apparmor
```

Please give us a way to modify (and keep the rules permanently modified even after snap updates) snap apparmor rules. Thank you!
[Touch-packages] [Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
Yes, will do. I added both references you provided to the upstream merge commit, and all fixes/closes references will be going into the changelog.

https://bugs.launchpad.net/bugs/2056739

Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"

Status in apparmor package in Ubuntu: In Progress
Status in chrony package in Ubuntu: Won't Fix
Status in gnutls28 package in Ubuntu: Won't Fix
Status in libvirt package in Ubuntu: Won't Fix
Status in apparmor source package in Noble: In Progress
Status in chrony source package in Noble: Won't Fix
Status in gnutls28 source package in Noble: Won't Fix
Status in libvirt source package in Noble: Won't Fix

Bug description:

Christian summarizes this after the great reports by Martin:

gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3 and added more later. Due to that anything linked against gnutls while being apparmor isolated now hits similar denials, preventing the desired effect of the config change BTW.

I think for safety we WANT to always allow this access, otherwise people will subtly not have crypto control about the more important (those isolated) software. Because after the denial I'd expect this to not really disable it in the program linked to gnutls (details might vary depending what they really use gnutls for).

I do not know of a gnutls abstraction to use, but TBH I'm afraid now fixing a few but leaving this open in some others not spotted. I'd therefore suggest, but we need to discuss, to therefore change it in /etc/apparmor.d/abstractions/base. Therefore I'm adding gnutls (and Adrien) as well as apparmor to the bug tasks.

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

Merely booting current noble cloud image with "chrony" installed causes this:

```
audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release.

Reproducer:

```
virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1
```

(This is the simplest way to create a test VM. But its form or shape doesn't matter at all).

Results in lots of

```
audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

libvirt-daemon 10.0.0-2ubuntu1
apparmor 4.0.0~alpha4-0ubuntu1
libgnutls30:amd64 3.8.3-1ubuntu1
[Touch-packages] [Bug 2039294] Re: apparmor docker
@gvarouchas, you need to be more specific. There are a couple interrelated issues in this bug. What is the exact denial message you are getting? They will look something like the denial messages in comment 5. You can find them using

```
sudo dmesg | grep DENIED
```

or

```
journalctl -g apparmor
```

https://bugs.launchpad.net/bugs/2039294

Title: apparmor docker

Status in docker: New
Status in apparmor package in Ubuntu: Incomplete

Bug description:

```
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 23.10
Release:        23.10
Codename:       mantic
```

Docker version 24.0.5, build 24.0.5-0ubuntu1

Graceful shutdown doesn't work anymore due to SIGTERM and SIGKILL (maybe all signals?) not reaching the target process. Works when apparmor is uninstalled.

```
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
```
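A triage helper for the denial records requested in the message above, as an added example (not part of the thread and not AppArmor's own tooling): it parses the key=value fields of AppArmor audit lines, decodes hex-encoded names, and groups repeated denials by profile, operation, target, mask and peer. The function names and the last three sample records are assumptions made for the example.

```python
import re
from collections import Counter

# Sample input for the example. The first four records are quoted from the bug
# reports on this page; the last three are constructed (a hex-encoded name,
# its repeat from another pid, and a complain-mode ALLOWED record).
SAMPLE_LOG = r'''
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
audit: type=1400 audit(1710000000.000:1): apparmor="DENIED" operation="open" class="file" profile="example-profile" name=2F746D702F612062 pid=100 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1710000001.000:2): apparmor="DENIED" operation="open" class="file" profile="example-profile" name=2F746D702F612062 pid=101 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1710000002.000:3): apparmor="ALLOWED" operation="open" class="file" profile="example-profile" name="/etc/hosts" pid=102 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# String fields that the kernel audit layer writes as bare hex when the value
# contains spaces or other unsafe bytes (the encoding aa-decode reverses).
STRING_FIELDS = {"name", "comm", "profile", "peer", "label", "peer_label"}
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_record(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, raw in PAIR.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        elif key in STRING_FIELDS and HEX.fullmatch(raw):
            # Unquoted string field: hex-encoded, e.g. a path with a space.
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            value = raw  # numeric fields such as pid stay as written
        fields[key] = value
    return fields


def normalize(fields):
    """Reduce a record to (profile, operation, target, mask, peer)."""
    op = fields.get("operation", "?")
    # D-Bus records carry the confined profile in label= and the access in mask=.
    profile = fields.get("profile") or fields.get("label", "?")
    mask = fields.get("denied_mask") or fields.get("mask", "?")
    peer = fields.get("peer") or fields.get("peer_label", "-")
    if op.startswith("dbus"):
        target = "{}:{}:{}.{}".format(
            fields.get("bus", "?"), fields.get("path", "?"),
            fields.get("interface", "?"), fields.get("member", "?"))
    elif op == "signal":
        target = "signal=" + fields.get("signal", "?")
    else:
        target = fields.get("name", "?")
    return (profile, op, target, mask, peer)


def summarize(log_text, verdict="DENIED"):
    """Count records with the given verdict, grouped by normalized key."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_record(line)
        if fields and fields.get("apparmor") == verdict:
            counts[normalize(fields)] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, target, mask, peer), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {op}  {target}  mask={mask}  peer={peer}")
```

Feeding it the output of the two commands named above gives one line per distinct denial, which is the level of detail a profile fix needs.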
[Touch-packages] [Bug 2056517] Re: VS Code profile still broken.
This is now moving forward and should show up in proposed soon.

https://bugs.launchpad.net/bugs/2056517

Title: VS Code profile still broken.

Status in apparmor package in Ubuntu: Confirmed

Bug description:

Ubuntu 24.04, VSCode installed via their repo (https://packages.microsoft.com/repos/code)

Some updates ago apparmor gained an exception for /usr/bin/code to work again. The desktop file uses `/usr/share/code/code` though (see /usr/share/applications/code.desktop), so starting vscode from the dock, or from the app search results in a crash:

```
/usr/share/code/code
[88564:0308/080414.682744:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
zsh: trace trap (core dumped) /usr/share/code/code
```

Could the profile be fixed to include all common ways to start vscode?

My current workaround is to run this on every boot:

```
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
```

thanks
[Touch-packages] [Bug 2056517] Re: vsode profile still broken
I won't promise we will get to fixing PHPStorm or Jetbrains before release, but without a bug they certainly won't get fixed, so yes it is worth filing a bug for them.

https://bugs.launchpad.net/bugs/2056517

Title: vsode profile still broken

Status in apparmor package in Ubuntu: New
[Touch-packages] [Bug 2056517] Re: vsode profile still broken
The fix for vscode is currently in apparmor 4.0.0-beta2-0ubuntu3 pending a Feature Freeze exception. If the feature freeze exception is not granted then the fix will be moved to a bug patch on the current apparmor 4.0.0-alpha4.

Atm the fix is available via ppa https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

https://bugs.launchpad.net/bugs/2056517

Title: vsode profile still broken

Status in apparmor package in Ubuntu: New
[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble
** Description changed: AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze. Landing AppArmor 4.0-beta's will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting. The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In ordered for snapd to be able to vendor the noble release of apparmor it requires support for prompting. The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months. Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version Beta1 added three additional features that were not present in alpha4 (current Noble). • support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking). • aa-notify support message filters to reduce notifications • aa-logprof/genprof support for mount rules None of these features affect existing policy, which will continue to function under the abi that it was developed under. This can be seen in the regression testing below. 
I addition to the 3 features introduced in Beta1, Beta1 and Beta2 add several bug fixes the most important are highlighted below with the full list available in the upstream release notes, available at https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2 • new unconfined profiles in support of unprivileged user namespace mediation https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 ∘ nautalus, devhelp, element-desktop, epiphany, evolution, keybase, opam • fix policy generation for non-af_inet rules (MR:1175) • Fix race when reading proc files (AABUG:355, MR:1157) • handle unprivileged_userns transition in userns tests (MR:1146) • fix usr-merge failures on exec and regex tests (MR:1146) This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression- testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d The output of a test run is in the attached qrt.output file. Of which the summary is below Ran 62 tests in 811.542s OK (skipped=3) - apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of March 7) noble systems. Reboot tests have been done, as well as booting in - to different kernel versions. -6.8.0-11-generic #11-Ubuntu -6.5.0-14-generic #14-Ubuntu -6.7.0 (custom build) -6.8-rc3 (custom build) + apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of March 7) noble systems. Boot/Reboot and regression tests have been done, against + different kernel versions. 
+ 6.8.0-11-generic #11-Ubuntu + 6.5.0-14-generic #14-Ubuntu + 6.7.0 (upstream custom build) + 6.8-rc3 (upstream custom build) The changelog is available here https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes The prepared package is available via the ppa https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2056496 Title: [FFe] AppArmor 4.0-beta2 + prompting support for noble Status in apparmor package in Ubuntu: New Bug description: AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze. Landing AppArmor 4.0-beta's will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting. The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In ordered for snapd to be able to vendor the noble release of apparmor it requires support for prompting. The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months. Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version Beta1 added three additional features that were not present in alpha4 (current Noble). • support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking). • aa-notify support message filters to reduce notifications • aa-logprof/genprof support for mount rules None
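Review bot: the rewritten testing paragraph ("Boot/Reboot and regression tests have been done, against different kernel versions") now claims regression coverage on four kernels, but the only result the description quotes is a single "Ran 62 tests in 811.542s OK (skipped=3)" summary from the attached qrt.output. Say which of the listed kernels that run was taken on, or attach one summary per kernel, so whoever reviews the FFe can match the claim to the evidence.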
[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble
** Description changed: AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze. Landing AppArmor 4.0-beta's will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting. The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In ordered for snapd to be able to vendor the noble release of apparmor it requires support for prompting. The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months. Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version Beta1 added three additional features that were not present in alpha4 (current Noble). • support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking). • aa-notify support message filters to reduce notifications • aa-logprof/genprof support for mount rules None of these features affect existing policy, which will continue to function under the abi that it was developed under. This can be seen in the regression testing below. 
I addition to the 3 features introduced in Beta1, Beta1 and Beta2 add several bug fixes the most important are highlighted below with the full list available in the upstream release notes, available at https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2 • new unconfined profiles in support of unprivileged user namespace mediation https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 ∘ nautalus, devhelp, element-desktop, epiphany, evolution, keybase, opam • fix policy generation for non-af_inet rules (MR:1175) • Fix race when reading proc files (AABUG:355, MR:1157) • handle unprivileged_userns transition in userns tests (MR:1146) • fix usr-merge failures on exec and regex tests (MR:1146) - - This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d - + This proposed change has been tested via the QA Regression Testing + project, in particular with the specific test added in + https://git.launchpad.net/qa-regression- + testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d The output of a test run is in the attached qrt.output file. Of which the summary is below - Ran 62 tests in 811.542s + Ran 62 tests in 811.542s - OK (skipped=3) + OK (skipped=3) + apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of March 7) noble systems. Reboot tests have been done, as well as booting in + to different kernel versions. 
+6.8.0-11-generic #11-Ubuntu +6.5.0-14-generic #14-Ubuntu +6.7.0 (custom build) +6.8-rc3 (custom build) The changelog is available here https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes The prepared package is available via the ppa https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2056496 Title: [FFe] AppArmor 4.0-beta2 + prompting support for noble Status in apparmor package in Ubuntu: New Bug description: AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze. Landing AppArmor 4.0-beta's will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting. The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In ordered for snapd to be able to vendor the noble release of apparmor it requires support for prompting. The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months. Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version Beta1 added three additional features that were not present in alpha4 (current Noble). • support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking). • aa-notify support message filters to reduce notifications • aa-logprof/genprof support for mount rules None of these features affect existing policy,
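Review bot: the re-wrapped test paragraph splits the qa-regression-testing commit URL across two added lines (it breaks right after "https://git.launchpad.net/qa-regression-"), so the link can no longer be followed or copied in one piece. Keep the URL on a single unwrapped line, as it was in the removed version of the paragraph.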
[Touch-packages] [Bug 2056496] [NEW] [FFe] AppArmor 4.0-beta2 + prompting support for noble
Public bug reported:

AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze. Landing AppArmor 4.0-betas will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting.

The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In order for snapd to be able to vendor the noble release of apparmor it requires support for prompting.

The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months.

Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

Beta1 added three additional features that were not present in alpha4 (current Noble).
• support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking).
• aa-notify support message filters to reduce notifications
• aa-logprof/genprof support for mount rules

None of these features affect existing policy, which will continue to function under the abi that it was developed under. This can be seen in the regression testing below.

In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add several bug fixes; the most important are highlighted below, with the full list available in the upstream release notes, available at https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2
• new unconfined profiles in support of unprivileged user namespace mediation https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
• fix policy generation for non-af_inet rules (MR:1175)
• Fix race when reading proc files (AABUG:355, MR:1157)
• handle unprivileged_userns transition in userns tests (MR:1146)
• fix usr-merge failures on exec and regex tests (MR:1146)

This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

The output of a test run is in the attached qrt.output file, of which the summary is below:

Ran 62 tests in 811.542s
OK (skipped=3)

The changelog is available here https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

The prepared package is available via the ppa https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title: [FFe] AppArmor 4.0-beta2 + prompting support for noble
Status in apparmor package in Ubuntu: New
[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble
Captured output of QRT test run on updated noble using Linux 6.8.0-11-generic #11-Ubuntu kernel and 4.0.0~beta2-0ubuntu3

** Attachment added: "Captured output of QRT test run"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+attachment/5753923/+files/qrt.output

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title: [FFe] AppArmor 4.0-beta2 + prompting support for noble
Status in apparmor package in Ubuntu: New

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@scarlet I think it is fair to mark these as Fixed released as they are part of apparmor-alpha4 that is in noble. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP Status in akonadiconsole package in Ubuntu: Fix Released Status in akregator package in Ubuntu: Fix Released Status in angelfish package in Ubuntu: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in bubblewrap package in Ubuntu: Confirmed Status in cantor package in Ubuntu: Fix Released Status in devhelp package in Ubuntu: Fix Released Status in digikam package in Ubuntu: Fix Released Status in epiphany-browser package in Ubuntu: Fix Released Status in evolution package in Ubuntu: Fix Released Status in falkon package in Ubuntu: Fix Released Status in firefox package in Ubuntu: New Status in freecad package in Ubuntu: Confirmed Status in geary package in Ubuntu: Confirmed Status in ghostwriter package in Ubuntu: Fix Released Status in gnome-packagekit package in Ubuntu: Confirmed Status in goldendict-webengine package in Ubuntu: Confirmed Status in kalgebra package in Ubuntu: Fix Released Status in kchmviewer package in Ubuntu: Confirmed Status in kdeplasma-addons package in Ubuntu: Fix Released Status in kgeotag package in Ubuntu: Fix Released Status in kiwix package in Ubuntu: Confirmed Status in kmail package in Ubuntu: Fix Released Status in konqueror package in Ubuntu: Fix Released Status in kontact package in Ubuntu: Fix Released Status in marble package in Ubuntu: Fix Released Status in notepadqq package in Ubuntu: Confirmed Status in opam package in Ubuntu: Fix Released Status in pageedit package in Ubuntu: Confirmed Status in plasma-desktop package in Ubuntu: Fix Released Status in plasma-welcome package in Ubuntu: Fix Released Status in 
privacybrowser package in Ubuntu: Confirmed Status in qmapshack package in Ubuntu: Confirmed Status in qutebrowser package in Ubuntu: Confirmed Status in rssguard package in Ubuntu: Confirmed Status in steam package in Ubuntu: Fix Committed Status in supercollider package in Ubuntu: Confirmed Status in tellico package in Ubuntu: Fix Released

Bug description:
Hi,
I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

Thanks for your help!
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
This is part of the apparmor alpha4 release in noble ** Changed in: plasma-desktop (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP Status in akonadiconsole package in Ubuntu: Fix Released Status in akregator package in Ubuntu: Fix Released Status in angelfish package in Ubuntu: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in bubblewrap package in Ubuntu: Confirmed Status in cantor package in Ubuntu: Fix Released Status in devhelp package in Ubuntu: Fix Released Status in digikam package in Ubuntu: Fix Released Status in epiphany-browser package in Ubuntu: Fix Released Status in evolution package in Ubuntu: Fix Released Status in falkon package in Ubuntu: Fix Released Status in firefox package in Ubuntu: New Status in freecad package in Ubuntu: Confirmed Status in geary package in Ubuntu: Confirmed Status in ghostwriter package in Ubuntu: Fix Released Status in gnome-packagekit package in Ubuntu: Confirmed Status in goldendict-webengine package in Ubuntu: Confirmed Status in kalgebra package in Ubuntu: Fix Released Status in kchmviewer package in Ubuntu: Confirmed Status in kdeplasma-addons package in Ubuntu: Fix Released Status in kgeotag package in Ubuntu: Fix Released Status in kiwix package in Ubuntu: Confirmed Status in kmail package in Ubuntu: Fix Released Status in konqueror package in Ubuntu: Fix Released Status in kontact package in Ubuntu: Fix Released Status in marble package in Ubuntu: Fix Released Status in notepadqq package in Ubuntu: Confirmed Status in opam package in Ubuntu: Fix Released Status in pageedit package in Ubuntu: Confirmed Status in plasma-desktop package in Ubuntu: Fix Released Status in plasma-welcome package in Ubuntu: Fix Released Status in 
privacybrowser package in Ubuntu: Confirmed Status in qmapshack package in Ubuntu: Confirmed Status in qutebrowser package in Ubuntu: Confirmed Status in rssguard package in Ubuntu: Confirmed Status in steam package in Ubuntu: Fix Committed Status in supercollider package in Ubuntu: Confirmed Status in tellico package in Ubuntu: Fix Released
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
This is part of the alpha4 release in noble ** Changed in: kdeplasma-addons (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP Status in akonadiconsole package in Ubuntu: Fix Released Status in akregator package in Ubuntu: Fix Released Status in angelfish package in Ubuntu: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in bubblewrap package in Ubuntu: Confirmed Status in cantor package in Ubuntu: Fix Released Status in devhelp package in Ubuntu: Fix Released Status in digikam package in Ubuntu: Fix Released Status in epiphany-browser package in Ubuntu: Fix Released Status in evolution package in Ubuntu: Fix Released Status in falkon package in Ubuntu: Fix Released Status in firefox package in Ubuntu: New Status in freecad package in Ubuntu: Confirmed Status in geary package in Ubuntu: Confirmed Status in ghostwriter package in Ubuntu: Fix Released Status in gnome-packagekit package in Ubuntu: Confirmed Status in goldendict-webengine package in Ubuntu: Confirmed Status in kalgebra package in Ubuntu: Fix Released Status in kchmviewer package in Ubuntu: Confirmed Status in kdeplasma-addons package in Ubuntu: Fix Released Status in kgeotag package in Ubuntu: Fix Released Status in kiwix package in Ubuntu: Confirmed Status in kmail package in Ubuntu: Fix Released Status in konqueror package in Ubuntu: Fix Released Status in kontact package in Ubuntu: Fix Released Status in marble package in Ubuntu: Fix Released Status in notepadqq package in Ubuntu: Confirmed Status in opam package in Ubuntu: Fix Released Status in pageedit package in Ubuntu: Confirmed Status in plasma-desktop package in Ubuntu: Fix Released Status in plasma-welcome package in Ubuntu: Fix Released Status in 
privacybrowser package in Ubuntu: Confirmed Status in qmapshack package in Ubuntu: Confirmed Status in qutebrowser package in Ubuntu: Confirmed Status in rssguard package in Ubuntu: Confirmed Status in steam package in Ubuntu: Fix Committed Status in supercollider package in Ubuntu: Confirmed Status in tellico package in Ubuntu: Fix Released
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
** Also affects: firefox (Ubuntu) Importance: Undecided Status: New ** Changed in: firefox (Ubuntu) Milestone: None => ubuntu-24.04 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP Status in akonadiconsole package in Ubuntu: Fix Released Status in akregator package in Ubuntu: Fix Released Status in angelfish package in Ubuntu: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in bubblewrap package in Ubuntu: Confirmed Status in cantor package in Ubuntu: Fix Released Status in devhelp package in Ubuntu: Fix Released Status in digikam package in Ubuntu: Fix Released Status in epiphany-browser package in Ubuntu: Fix Released Status in evolution package in Ubuntu: Fix Released Status in falkon package in Ubuntu: Fix Released Status in firefox package in Ubuntu: New Status in freecad package in Ubuntu: Confirmed Status in geary package in Ubuntu: Confirmed Status in ghostwriter package in Ubuntu: Fix Released Status in gnome-packagekit package in Ubuntu: Confirmed Status in goldendict-webengine package in Ubuntu: Confirmed Status in kalgebra package in Ubuntu: Fix Released Status in kchmviewer package in Ubuntu: Confirmed Status in kdeplasma-addons package in Ubuntu: Confirmed Status in kgeotag package in Ubuntu: Fix Released Status in kiwix package in Ubuntu: Confirmed Status in kmail package in Ubuntu: Fix Released Status in konqueror package in Ubuntu: Fix Released Status in kontact package in Ubuntu: Fix Released Status in marble package in Ubuntu: Fix Released Status in notepadqq package in Ubuntu: Confirmed Status in opam package in Ubuntu: Fix Released Status in pageedit package in Ubuntu: Confirmed Status in plasma-desktop package in Ubuntu: Confirmed Status in plasma-welcome package in Ubuntu: Fix Released Status in 
privacybrowser package in Ubuntu: Confirmed Status in qmapshack package in Ubuntu: Confirmed Status in qutebrowser package in Ubuntu: Confirmed Status in rssguard package in Ubuntu: Confirmed Status in steam package in Ubuntu: Fix Committed Status in supercollider package in Ubuntu: Confirmed Status in tellico package in Ubuntu: Fix Released
[Touch-packages] [Bug 2055426] [NEW] busybox wget with https crashes
Public bug reported:

$ busybox wget https://start.ubuntu.com
Floating point exception (core dumped)

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: busybox (not installed)
ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
Uname: Linux 6.8.0-11-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Feb 29 13:55:07 2024
InstallationDate: Installed on 2024-02-20 (9 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Daily amd64 (20240219)
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=
SourcePackage: busybox
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: busybox (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug noble wayland-session

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/2055426 Title: busybox wget with https crashes Status in busybox package in Ubuntu: New
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
Proxying a few comments I've heard from cloud partners about uses:

There are some big companies, particularly in the streaming media and encoding business heavily using irqbalance.

_however_ our consideration is about irqbalance enabled by default. They do heavy tuning, not running stock values. For those customers, it'll primarily be about workflow changes. Install a package, run an extra line enabling irqbalance, etc. I, personally, don't see that as a blocker for making the change in 24.04. Those types of companies won't take bleeding edge, and will likely be going through a testing and upgrade effort that takes months, not auto-rolling to "ubuntu:latest." Least, I sure hope not :)

I'll take some followups again with partners to see if any individuals can comment on the public bug.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/1833322

Title: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
Status in Ubuntu on IBM z Systems: Confirmed
Status in irqbalance package in Ubuntu: Confirmed
Status in ubuntu-meta package in Ubuntu: Confirmed

Bug description:
as per https://github.com/pop-os/default-settings/issues/60

Distribution (run cat /etc/os-release):

$ cat /etc/os-release
NAME="Pop!_OS"
VERSION="19.04"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Pop!_OS 19.04"
VERSION_ID="19.04"
HOME_URL="https://system76.com/pop"
SUPPORT_URL="http://support.system76.com"
BUG_REPORT_URL="https://github.com/pop-os/pop/issues"
PRIVACY_POLICY_URL="https://system76.com/privacy"
VERSION_CODENAME=disco
UBUNTU_CODENAME=disco

Related Application and/or Package Version (run apt policy $PACKAGE NAME):

$ apt policy irqbalance
irqbalance:
  Installed: 1.5.0-3ubuntu1
  Candidate: 1.5.0-3ubuntu1
  Version table:
 *** 1.5.0-3ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu disco/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt rdepends irqbalance
irqbalance
Reverse Depends:
  Recommends: ubuntu-standard
  gce-compute-image-packages

Issue/Bug Description:

as per konkor/cpufreq#48 and http://konkor.github.io/cpufreq/faq/#irqbalance-detected

irqbalance is technically not needed on desktop systems (supposedly it is mainly for servers), and may actually reduce performance and power savings. It appears to provide benefits only to server environments that have relatively-constant loading. If it is truly a server-oriented package, then it shouldn't be installed by default on a desktop/laptop system and shouldn't be included in desktop OS images.

Steps to reproduce (if you know):

This is potentially an issue with all default installs.

Expected behavior:

n/a

Other Notes:

I can safely remove it via "sudo apt purge irqbalance" without any apparent adverse side-effects. If someone is running a situation where they need it, then they always have the option of installing it from the repositories.
[Touch-packages] [Bug 2052489] Re: Mate Daily Graphic Layer does not come up - apparmor denied snap desktop integration
Changed apparmor task to invalid as lightdm is broken with apparmor disabled (apparmor=0). We can change status if apparmor is a problem after the current lightdm issue is fixed.

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Invalid

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052489

Title: Mate Daily Graphic Layer does not come up - apparmor denied snap desktop integration
Status in apparmor package in Ubuntu: Invalid
Status in lightdm package in Ubuntu: New

Bug description:
Noble Mate Daily 20230205 ISO Boots up past Splash to black screen. Last errors in logs are about apparmor denied on snap desktop integration... So the graphics layer is being denied because of an apparmor error.
[Touch-packages] [Bug 2051572] Re: Always preseed core and snapd snap in server seed
Based on the data, I'm in the "No" camp as well.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/2051572

Title: Always preseed core and snapd snap in server seed
Status in ubuntu-meta package in Ubuntu: New
Status in ubuntu-meta source package in Noble: New

Bug description:
In removing the LXD snap from preseeding in the server seed for Ubuntu 24.04 as part of LP #2051346 [1] we also removed the snapd snap and the core22 snap.

This means that are subsequent snap install, like LXD, will take much longer than expected for a non minimized image.

Time taken to install LXD snap using the lxd-installer package without snapd and core22 preinstalled/seeded

```
ubuntu@cloudimg:~$ time sudo lxd --version
Installing LXD snap, please be patient.
5.19

real 0m29.107s
user 0m0.006s
sys 0m0.005s
```

Time taken to install LXD snap using the lxd-installer package with snapd and core22 already installed.

```
ubuntu@cloudimg:~$ time sudo lxd --version
Installing LXD snap, please be patient.
5.19

real 0m15.034s
user 0m0.005s
sys 0m0.005s
```

This is a significant difference and for a workload we intend to remain as a core tested and tracked workload. As such I propose we re-introduce core22 and snapd snaps to our seed.

LXD do intend to move to the core24 snap as their base as I'm sure snapd does too so when that does happen we need to update the preseeded core snap.

This bug is to track the work of making that change in the server seed @ https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/tree/server#n69

[1] https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2051346
[Touch-packages] [Bug 2051572] Re: Always preseed core and snapd snap in server seed
I agree with vorlon in general. It is a bit odd to not be seeding snapd by default, since snaps are a recognized package format. preseeding snapd will bring in its base, but there's no guarantee that base will match any other snaps.

Flip side is that somewhere back in history, it was decided that in a system without any other snaps preseeded, that having the snapd deb, which exists to bootstrap itself into a snapd snap, was the right choice.

so let's narrow the cases we know of:
* pre-installed systems with no other snaps pre-seeded

That limits itself, right now, to cloud-images "downloads" (the qcow, ova, etc). Right now the cloud team sees a fairly long time in running `lxd` commands, as we specifically have a mandate to ensure `lxd` is operating well on our cloud-images.

what we don't know right now
* boot time differences with adding the snaps back in (from old reading it looks anywhere from 3-5s, which is a nice little gain)
* the amount of time/slow down for `lxd` booting from `lxd-installer` in a "no snaps pre-seeded" setting
* the _usage_ and _expectation_ about the speed here. We definitely support running lxd on cloud-images. and we know it is a use case. but we don't know if this is a "many users" or "a couple users," and we don't know their expectations regarding speed.

We may be able to roll out with good documentation letting everyone know what the change is, what to expect, etc.

The more info we can gather on our side for time cost the better. getting some data comparisons across the following would be good:
* boot times w/ and w/o preseeded snaps
* lxd launch time with no preseeded, snapd + its core snap preseeded, and "other cloud cases that have preseeded snaps" (thinking like ec2 or oracle that have snapped cloud agents)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/2051572 Title: Always preseed core and snapd snap in server seed Status in ubuntu-meta package in Ubuntu: New Status in ubuntu-meta source package in Noble: New Bug description: In removing the LXD snap from preseeding in the server seed for Ubuntu 24.04 as part LP #2051346 [1] we also removed the snapd snap and the core22 snap. This means that are subsequent snap install, like LXD, will take much longer than expected for a non minimized image. Time taken to install LXD snap using the lxd-installer package without snapd and core22 preinstalled/seeded ``` ubuntu@cloudimg:~$ time sudo lxd --version Installing LXD snap, please be patient. 5.19 real 0m29.107s user 0m0.006s sys 0m0.005s ``` Time taken to install LXD snap using the lxd-installer package with snapd and core22 already installed. ``` ubuntu@cloudimg:~$ time sudo lxd --version Installing LXD snap, please be patient. 5.19 real 0m15.034s user 0m0.005s sys 0m0.005s ``` This is a significant difference and for a workload we intend to remain as a core tested and tracked workload. As such I propose we re- introduce core22 and snapd snaps to our seed. LXD do intend to move to the core24 snap as their base as I'm sure snapd does too so when that does happen we need to update the preseeded core snap. This bug is to track the work of making that change in the server seed @ https://git.launchpad.net/~ubuntu-core-dev/ubuntu- seeds/+git/ubuntu/tree/server#n69 [1] https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2051346 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2051572/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
** Changed in: steam (Ubuntu)
Status: Confirmed => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: In Progress
Status in apparmor package in Ubuntu: Confirmed
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Confirmed
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Confirmed
Status in evolution package in Ubuntu: Confirmed
Status in falkon package in Ubuntu: Fix Released
Status in freecad package in Ubuntu: Confirmed
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Confirmed
Status in goldendict-webengine package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Confirmed
Status in kdeplasma-addons package in Ubuntu: Confirmed
Status in kgeotag package in Ubuntu: In Progress
Status in kiwix package in Ubuntu: Confirmed
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Confirmed
Status in opam package in Ubuntu: Confirmed
Status in pageedit package in Ubuntu: Confirmed
Status in plasma-desktop package in Ubuntu: Confirmed
Status in plasma-welcome package in Ubuntu: In Progress
Status in privacybrowser package in Ubuntu: Confirmed
Status in qmapshack package in Ubuntu: Confirmed
Status in qutebrowser package in Ubuntu: Confirmed
Status in rssguard package in Ubuntu: Confirmed
Status in steam package in Ubuntu: Fix Committed
Status in supercollider package in Ubuntu: Confirmed
Status in tellico package in Ubuntu: Fix Released

Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

Thanks for your help!
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
So appimages are interesting. They don't all need a profile. I have run several that are not using user namespaces, or only need to be able to create the user namespace and don't need capabilities, so the default unprivileged_userns profile works for them. It is applications that need privileges within their namespace that are problematic.

Right now no matter what we do, we are stuck with less than satisfactory solutions. The user must physically intervene in some way to make it so the application can run. I see basically 3 options.

1. Just have the user fix manually, a really bad experience.
2. Seth's suggestion of creating a small script to create a template profile
3. have a default profile already loaded as part of the base set and go with the security label approach. ie. tag the appimage with an apparmor security xattr.

Neither 2 nor 3 can determine the set of needed capabilities in advance, but the current approach is to just grant the capabilities (unconfined mode), we will be able to restrict that better in 24.10 but there just isn't time to land the improved capabilities work for 24.04. Approach 1 could address the capabilities but, that is an awful lot of pain to put on the user.

All approaches will require user to have access to sudo because loading profiles and creating the security xattr are privileged operations.

If aa-notify is installed we could alert the user, and give them directions to a document explaining what to do. This would require some work to seed aa-notify by default (would have to be approved by the different flavors). To make this more amenable we could add a new mode/default filter that only notifies for user namespace denials. This is a small chunk of work that could be achieved in the next two weeks.

The long term goal is to create a behavior similar to what the mac is doing with downloaded applications. The unknown application will create a prompt and the user will need to go to the security center to enable it.

As for restraints on appimages, I wouldn't bother for 24.04, there just isn't time. This side of things will get improvements as well. These template profiles are just a start and are to get fleshed out in the future. Prompting the user for certain accesses etc is coming in the future as well. For now let's just focus on the basics of getting applications to work.
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Erich, yes the archive version is based on the ppa, with a couple small fixes in the packaging. The ppa is going to get updated based on the new archive version + a few more patches.

Do you have some higher priority electron apps that you can point us at? We will look into the Visual Studio and Element Desktop debs.

Please keep adding applications to the list. We want to cover as many out of tree applications as we can.
[Touch-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
responding to @intrigeri (sorry this got lost somehow).

tldr: yes we are basically on the same page.

AppArmor does not fit into the 1400 range formats, every one of our messages has some custom fields. Some of them could be reformatted/reworked to share more, but we would still need custom fields. Our message fields are in the common name=value format. So in that sense they do fit in.

Kernel side this is fairly easy, we use common lsm_audit for the messages we share in common, the code provides a callback to add your own fields. Basically all that is needed is a patch to allow different number ranges to be used.

Userspace there needs to be some patching so LSM specific fields are known about.

Whether it is best to allocate new fields in a single number (say 1500), with no fixed number of fields to output, or it is better to split into a range based on message type, I am not picky. When 1500 was taken away from us I think it was 1500-1505 that we used, but expect we wouldn't use the same mappings today if we had a choice.

so we have the generic audit type that is carried
{ audit, allowed, denied, killed, prompt, hint, status, error }
this could be carried as a common field, or we could use an allocated block for

we have rule class, which is another way things are broken down, it's things like
{ file, cap, network, dbus, ...}
there are currently about 25 of them currently.

common fields that can occur within apparmor messages
{ operation, info, error, namespace, profile, label },
some fields aren't output if not needed. Eg. we are auditing an access to say /etc/shadow that is allowed but we want an audit trail for; error won't be output. If it's a system status message that is not generated by a profile's rule set, profile= won't be used. This set does not lend itself to an audit range as they each take on basically a string value.

Then within a given class there is a set of fields, some of them are shared by several classes, but not all, and there are some that are only used by a single class. Some examples would be: most mediation classes share requested= and denied=; the values are class dependent, even those may be shared by a subset of classes.

https://bugs.launchpad.net/bugs/1117804

Title: ausearch doesn't show AppArmor denial messages

Status in AppArmor: Confirmed
Status in audit package in Ubuntu: Confirmed
Status in linux package in Ubuntu: Incomplete

Bug description:
The following command should display all AVC denials:

  ausearch -m avc

However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat

ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
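The name=value layout described in the message above can be read without any knowledge of the record type, which is what the following added example does: it selects AppArmor denials by the apparmor= field and separates the common fields from the class-specific ones. This is not code from the audit or AppArmor projects; the function names and the HEX_CAPABLE field set are assumptions of the example, and every sample line except the first (the record quoted in the bug description) is constructed.

```python
import re
from collections import defaultdict

# Record header as written to audit.log ("type=AVC msg=audit(...)") or to the
# kernel log ("type=1400 audit(...)").
HEADER = re.compile(
    r"type=(?P<type>\S+) (?:msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# name=value pairs; a value is either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Generic audit types and common fields as listed in the message above.
AUDIT_TYPES = {"AUDIT", "ALLOWED", "DENIED", "KILLED", "PROMPT", "HINT", "STATUS", "ERROR"}
COMMON_FIELDS = {"apparmor", "operation", "info", "error", "namespace", "profile", "label"}
# Assumption of this example: string fields that may appear as bare upper-case
# hex when the value contains spaces, quotes or control bytes.
HEX_CAPABLE = {"name", "comm", "profile"}
HEX_VALUE = re.compile(r"(?:[0-9A-F]{2})+")


def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = HEADER.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(m["body"]):
        if bare and key in HEX_CAPABLE and HEX_VALUE.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare if bare else quoted
    return {"type": m["type"], "timestamp": float(m["ts"]),
            "serial": int(m["serial"]), "fields": fields}


def audit_type(rec):
    """Generic AppArmor audit type of a record, or None for non-AppArmor records."""
    value = rec["fields"].get("apparmor", "").upper()
    return value if value in AUDIT_TYPES else None


def split_fields(rec):
    """Separate the fields common to AppArmor messages from class-specific ones."""
    common = {k: v for k, v in rec["fields"].items() if k in COMMON_FIELDS}
    specific = {k: v for k, v in rec["fields"].items() if k not in COMMON_FIELDS}
    return common, specific


def apparmor_denials(lines):
    """Select denials by the apparmor= field, not by the record type label."""
    records = (parse_record(line) for line in lines)
    return [r for r in records if r is not None and audit_type(r) == "DENIED"]


def denials_by_profile(lines):
    """Map profile name -> list of (operation, object name, denied mask)."""
    summary = defaultdict(list)
    for rec in apparmor_denials(lines):
        common, specific = split_fields(rec)
        summary[common.get("profile", "<no profile>")].append(
            (common.get("operation"), specific.get("name"), specific.get("denied_mask")))
    return dict(summary)


SAMPLE_LOG = [
    # The record quoted in the bug description above.
    'type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 '
    'profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # Constructed: kernel-log form, path with a space so name= is hex-encoded.
    'audit: type=1400 audit(1360193430.101:65): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/tcpdump" name=' + "/home/u/my doc.txt".encode().hex().upper() +
    ' pid=8490 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # Constructed: an allowed-but-audited AppArmor record.
    'type=AVC msg=audit(1360193431.000:66): apparmor="AUDIT" operation="open" '
    'profile="/usr/sbin/tcpdump" name="/etc/shadow" pid=8491 comm="cat" requested_mask="r"',
    # Constructed: an AVC record that does not come from AppArmor.
    'type=AVC msg=audit(1360193432.000:67): avc:  denied  { read } for  pid=900 comm="cat" name="shadow"',
]

if __name__ == "__main__":
    for profile, events in denials_by_profile(SAMPLE_LOG).items():
        print(profile)
        for operation, name, mask in events:
            print(f"  {operation} {name!r} denied_mask={mask}")
```

Numeric fields such as pid= are left as strings on purpose, since a value like 8485 is also valid hex and only the fields in HEX_CAPABLE are decoded.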
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
One more addition, the current state of how unconfined deals with unprivileged user namespaces is a temporary limitation. The aforementioned improvement will allow for more customization at the policy level. The current fixed behavior will be the default.
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
So the answer is it depends on how they are using unprivileged user namespaces and how they react to them being denied, not every application needs to be patched separately. Generally speaking gnome has been better tested than KDE has, because gnome, being the Ubuntu default, saw a lot more opt in testing in Lunar and Mantic. There are also some differences in how gnome and KDE handle their respective use of their respective browser components that have made KDE currently require more direct patching.

We do have some improvements coming down the pipes that will make it easier to have a few more generic profiles to cover different use patterns. Eg. not all uses of user namespaces set up mappings for the user, some will fall back to a degraded sandbox if an unprivileged user namespace isn't available while others will refuse to function.

Scarlett is doing excellent work within the current limitations. That work will continue to function once the improvements have landed, but it is likely you will see refinements on the current work once those improvements are available.

In general developers are going to have to become aware that user namespaces are going to be more restricted going forward, as it's not just Canonical/apparmor pushing on this but SELinux, and likely other LSMs as well in the future. Eg. I have seen BPF LSM using this, and I expect to see some work on the smack side, because the original LSM hook proposals for user namespace mediation came out of some work they did.

As for Gnome devs being aware of this bug, yes some are but it has not atm been a major issue for them. Long term I expect both KDE and gnome to take this as a policy issue for the respective LSMs, except when it surfaces code bugs, like some of their library code failing to check if clone/unshare failed, leading to a crash. Fixing policy to deal with how applications, gnome and KDE use user namespaces will be largely an upstream LSM, or distro problem.
[Touch-packages] [Bug 2052558] [NEW] prompting does not allow userspace to specify the execmode or target profile
Public bug reported:

Currently the prompting interface does not allow userspace to specify the execmode to use, even if there is no matching exec rule in policy (case caused by prompt flag). Nor does it allow specifying the target profile (needed for certain exec modes).

It also does not allow overriding of the mode like it allows for other permissions.

** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/2052558
[Touch-packages] [Bug 2052557] [NEW] EXEC_MODE under prompting does not do profile transitions correctly
Public bug reported:

When a prompt rule that specifies an exec transition. The transition is not handled correctly in several cases. Resulting in denials even if the prompt is allowed.

When prompting is triggered by the prompt flag, the behavior depends if an exec rule is matched (behavior becomes the same as the above prompt rule), or if there is no matching exec rule.

** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New

** Description changed: When a prompt rule that specifies an exec transition. The transition is not handled correctly in several cases. Resulting in denials even if the prompt is allowed. + + When prompting is triggered by the prompt flag, the behavior depends if + an exec rule is matched (behavior becomes the same as the above prompt + rule), or if there is no matching exec rule.

https://bugs.launchpad.net/bugs/2052557
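Review bot: the added paragraph names two cases for prompting triggered by the prompt flag but states the outcome only for the first ("behavior becomes the same as the above prompt rule"); for "if there is no matching exec rule" no behavior is given, so a reader cannot tell what goes wrong there. Suggest stating the observed result for the no-match case. The unchanged opening line, "When a prompt rule that specifies an exec transition.", is also a sentence fragment and would read better joined to the sentence that follows it.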
[Touch-packages] [Bug 2052489] Re: Mate Daily Graphic Layer does not come up - apparmor denied snap desktop integration
Note: snap now vendors apparmor so reinstalling/removing the system apparmor package will not affect snapd's use of apparmor.

You can temporarily (for the boot) disable apparmor in the grub command line by adding apparmor=0 to the kernel parameters.

From the logs the following adjustments need to be done to snap policy; after fixing these, new denials may be encountered. The firefox denial is weird, and I have to ask why is root trying to run firefox.

The likely culprits are /snap/snapd/20671/usr/lib/snapd/snap-confine and snap.snapd-desktop-integration.snapd-desktop-integration. Can you try copying these profiles out of /var/lib/snapd/apparmor/profiles/, modifying them by putting flags=(complain) in the profile header, and then reloading them with sudo apparmor_parser -r profile.file. This will temporarily place these profiles in dev mode and, if they are the source of the problem, allow the graphics layer to come up.

profile snap-update-ns.firefox
  /usr/local/share/ r, # owner root, fsuid root

profile /snap/snapd/20671/usr/lib/snapd/snap-confine
  capability net_admin,
  capability perfmon,

profile snap.snapd-desktop-integration.snapd-desktop-integration
  /etc/gnutls/config r, # owner root, fsuid 1000
  /etc/gnutls/config r, # owner root, fsuid 1000

https://bugs.launchpad.net/bugs/2052489

Title: Mate Daily Graphic Layer does not come up - apparmor denied snap desktop integration

Status in apparmor package in Ubuntu: New

Bug description:
Noble Mate Daily 20230205 ISO Boots up past Splash to black screen. Last errors in logs are about apparmor denied on snap desktop integration... So the graphics layer is being denied because of an apparmor error.
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
We have found that allowing the user namespace creation, and then denying capabilities is in general handled much better by KDE. The the case of the plasmashell and the browswer widget denying the creation of the user namespace would cause a crash with a SIGTRAP backtrace, where allowing the creation of the userns and then denying capabilities within the user namespace would result in the browser widget falling back to a sandbox that didn't use user namespaces, not ideal but better than a crash. To make sure the widget was using the full sandbox we gave it a profile (see QtWebEngineProcess in /etc/apparmor.d/plasmashell). The apparmor package is adding a base set of profiles, including one for the plasmashell and the unprivileged_userns profile. We are willing to carry profiles in the apparmor package but are also happy for other packages to carry them. Generally speaking, having the profile carried in the package means its easier for the package maintainer to update the profile, if that is something the package maintainer is willing to do. We are more than willing to take in profiles and patches to profiles, or allow a maintainer to claim some profiles and move them out of the apparmor package. What ever is best for the maintainer. AppArmor does have a second set of profiles that are not installed by default in the apparmor-profiles package. These profiles once installed are not enabled by default but must be selectively enabled by the user. If you are looking for a broader set of profiles as a base to start from there is also the apparmor.d project https://github.com/roddhjav/apparmor.d. They aren't tuned for ubuntu but they can be a good starting point if a profile is needed. Note: the current apparmor package doesn't allow you to specify the userns transition in policy. A new version of the apparmor package is coming that will allow it. 
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in akregator package in Ubuntu: Confirmed
Status in angelfish package in Ubuntu: Confirmed
Status in apparmor package in Ubuntu: Confirmed
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Confirmed
Status in devhelp package in Ubuntu: Confirmed
Status in digikam package in Ubuntu: Confirmed
Status in epiphany-browser package in Ubuntu: Confirmed
Status in evolution package in Ubuntu: Confirmed
Status in falkon package in Ubuntu: Confirmed
Status in freecad package in Ubuntu: Confirmed
Status in ghostwriter package in Ubuntu: Confirmed
Status in gnome-packagekit package in Ubuntu: Confirmed
Status in goldendict-webengine package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Confirmed
Status in kchmviewer package in Ubuntu: Confirmed
Status in kdeplasma-addons package in Ubuntu: Confirmed
Status in kiwix package in Ubuntu: Confirmed
Status in konqueror package in Ubuntu: Confirmed
Status in kontact package in Ubuntu: Confirmed
Status in notepadqq package in Ubuntu: Confirmed
Status in opam package in Ubuntu: Confirmed
Status in pageedit package in Ubuntu: Confirmed
Status in plasma-desktop package in Ubuntu: Confirmed
Status in privacybrowser package in Ubuntu: Confirmed
Status in qmapshack package in Ubuntu: Confirmed
Status in qutebrowser package in Ubuntu: Confirmed
Status in rssguard package in Ubuntu: Confirmed
Status in steam package in Ubuntu: Confirmed
Status in supercollider package in Ubuntu: Confirmed
Status in tellico package in Ubuntu: Confirmed

Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

```
$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

$ epiphany
bwrap: Creating new namespace failed: Permission denied

** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)
```

Thanks for your help!

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2051454] Re: pipewire wireplumber can not detect the sound output device when using an unofficial linux kernel
A slightly revised version of this kernel should be showing up in the Ubuntu unstable kernel builds this week.

https://bugs.launchpad.net/bugs/2051454

Title: pipewire wireplumber can not detect the sound output device when using an unofficial linux kernel

Status in apparmor package in Ubuntu: Confirmed
Status in pipewire package in Ubuntu: Confirmed
Status in wireplumber package in Ubuntu: Confirmed

Bug description:
Ubuntu 24.04 noble

I tested on Kernel-6.7.2, 6.7.1, 6.6.8, don't work.

relating service status:

```
gsd-media-keys[6441]: gvc_mixer_card_get_index: assertion 'GVC_IS_MIXER_CARD (card)' failed
pipewire-pulse[5768]: mod.protocol-pulse: client 0x5e701af4f9a0 [Mutter]: ERROR command:-1 (invalid) tag:418 error:25 (Input/output error)
pipewire-pulse[5768]: mod.protocol-pulse: client 0x5e701af4f9a0 [Mutter]: ERROR command:-1 (invalid) tag:426 error:25 (Input/output error)
pipewire-pulse[5298]: default: snap_get_audio_permissions: failed to get the AppArmor info.
wireplumber[61568]: si-standard-link: in/out items are not valid anymore
wireplumber[61568]: 2 of 2 PipeWire links failed to activate
```

It's worked on kernel linux-image-6.5.0-14-generic.

I built the same version 1.0.1 from the https://gitlab.freedesktop.org/pipewire source code, The sound card can be detected normally and shown in the gnome setting.
[Touch-packages] [Bug 2046624] Re: apparmor breaks surfshark vpn
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

The surfshark profile has been uploaded to the https://launchpad.net/~apparmor-dev/+archive/ubuntu/unprivileged-userns ppa for testing

https://bugs.launchpad.net/bugs/2046624

Title: apparmor breaks surfshark vpn

Status in apparmor package in Ubuntu: New

Bug description:
with the new apparmor Candidate: 4.0.0~alpha2-0ubuntu7
Breaks my VPN

```
*surfshark
[33104:1216/072144.904027:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap
```

It will work with --no-sandbox "surfshark --no-sandbox" not ideal.

I removed apparmor for proof

```
*apt policy apparmor
apparmor:
  Installed: (none)
  Candidate: 4.0.0~alpha2-0ubuntu7
  Version table:
     4.0.0~alpha2-0ubuntu7 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```

Now my VPN works as expected, spent 2 hrs this morning with surfshark support, they will get back to me in a day or two, but they can't find anything wrong on their end.

So far it points to apparmor

```
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor (not installed)
ProcVersionSignature: Ubuntu 6.5.0-9.9-generic 6.5.3
Uname: Linux 6.5.0-9-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia zfs
ApportVersion: 2.27.0-0ubuntu6
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: XFCE
Date: Sat Dec 16 10:40:00 2023
InstallationDate: Installed on 2023-12-10 (6 days ago)
InstallationMedia: Xubuntu 24.04 "Noble Numbat" - Daily amd64 (20231127)
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.apport:
 # set this to 0 to disable apport, or to 1 to enable it
 # you can temporarily override this with
 # sudo service apport start force_start=1
 enabled=0
mtime.conffile..etc.default.apport: 2023-12-12T09:43:48.905263
```
[Touch-packages] [Bug 2047343] Re: The steam profile in 4.0.0~alpha2-0ubuntu7 does not support steam installed by steam-installer package
The adjusted steam profile has been uploaded to https://launchpad.net/~apparmor-dev/+archive/ubuntu/unprivileged-userns ppa for testing

https://bugs.launchpad.net/bugs/2047343

Title: The steam profile in 4.0.0~alpha2-0ubuntu7 does not support steam installed by steam-installer package

Status in apparmor package in Ubuntu: New
Status in steam-installer package in Ubuntu: New

Bug description:
The steam profile in 4.0.0~alpha2-0ubuntu7 only supports steam installed from the official website (https://cdn.cloudflare.steamstatic.com/client/installer/steam.deb), but does not support the installation by the steam-installer in the repository. The new user namespace creation restrictions will prevent steam installed by steam-installer from running Windows games.
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Sorry for the delay on this, we had some bugs to chase down. The following PPA has an update to how user namespace mediation is being handled. For the unconfined case there are two options:

1. If the unprivileged_userns profile does not exist, unprivileged user namespace creation is denied as before.
2. If the unprivileged_userns profile exists (i.e. is loaded into the kernel), unprivileged user namespace creation is allowed and will result in a transition into the unprivileged_userns profile. The unprivileged_userns profile will then deny all capabilities within the profile. Execution of applications is allowed within the unprivileged_userns profile but they will result in a stack with the unprivileged_userns profile, that is to say the unprivileged_userns profile can not be dropped (capabilities can not be gained).

There is still some additional functionality to land that will give profile authors more control, but what is present here should be enough to start testing.

https://launchpad.net/~apparmor-dev/+archive/ubuntu/unprivileged-userns

Note: the apparmor_restriction_unprivileged_unconfined needs to be enabled to test the above user namespace behavior. See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
https://bugs.launchpad.net/bugs/2046844
Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
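The two outcomes described in this thread (creation refused outright, versus creation allowed with capabilities refused inside unprivileged_userns) can be told apart per application from the kernel audit records. The following is an added example, not code from this thread or from the AppArmor project; the sample records are constructed and the record field layout is an assumption based on typical AppArmor audit lines.

```shell
#!/bin/sh
# Added example. The records in sample_log are constructed; the field names
# (operation=, profile=, comm=) are assumed from typical AppArmor audit lines.

# classify_userns_events: read kernel/audit log text on stdin and print
# "<outcome> <comm> <count>" for each command that hit a userns restriction:
#   create-denied  case 1: namespace creation itself was refused
#   caps-denied    case 2: creation allowed, capability refused inside the
#                  unprivileged_userns profile (alone or in a stack)
classify_userns_events() {
  awk '
    # Return the value of key="value" or key=value from one audit record.
    function field(rec, key,    re, s) {
      rec = " " rec
      re = " " key "=(\"[^\"]*\"|[^ ]*)"
      if (!match(rec, re)) return ""
      s = substr(rec, RSTART, RLENGTH)
      sub(/^ [^=]*=/, "", s)
      gsub(/"/, "", s)
      return s
    }
    /apparmor="DENIED"/ {
      op = field($0, "operation")
      comm = field($0, "comm")
      if (comm == "") comm = "?"
      if (op == "userns_create")
        seen["create-denied " comm]++
      else if (op == "capable" && field($0, "profile") ~ /unprivileged_userns/)
        seen["caps-denied " comm]++
    }
    END { for (k in seen) print k, seen[k] }
  ' | LC_ALL=C sort
}

# Constructed sample input: two refused creations, two capability denials
# inside unprivileged_userns, and two unrelated records that must be ignored.
sample_log() {
  cat <<'EOF'
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1704880801.100:201): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4101 comm="bwrap" requested="userns_create" denied="userns_create"
Jan 10 10:00:02 host kernel: audit: type=1400 audit(1704880802.100:202): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4102 comm="bwrap" requested="userns_create" denied="userns_create"
Jan 10 10:00:05 host kernel: audit: type=1400 audit(1704880805.200:203): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=4200 comm="QtWebEngineProc" capability=21 capname="sys_admin"
Jan 10 10:00:06 host kernel: audit: type=1400 audit(1704880806.200:204): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=4200 comm="QtWebEngineProc" capability=18 capname="sys_chroot"
Jan 10 10:00:07 host kernel: audit: type=1400 audit(1704880807.300:205): apparmor="DENIED" operation="open" class="file" profile="example-app" name="/tmp/x" pid=4300 comm="example-app" requested_mask="r" denied_mask="r"
Jan 10 10:00:08 host kernel: audit: type=1400 audit(1704880808.300:206): apparmor="ALLOWED" operation="capable" class="cap" profile="example-app" pid=4300 comm="example-app" capability=21 capname="sys_admin"
EOF
}

sample_log | classify_userns_events
```

On a live system the function can be fed from `journalctl -k` or `dmesg` instead of the sample.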
[Touch-packages] [Bug 2046477] Re: Enable unprivileged user namespace restrictions by default
We will get this updated with requested information soon. We are currently working on a revision that provides more flexibility and will support some cases that break today.

https://bugs.launchpad.net/bugs/2046477

Title: Enable unprivileged user namespace restrictions by default

Status in apparmor package in Ubuntu: Triaged

Bug description:
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor, and for that to happen, the restrictions need to be enabled for 24.04

When the unprivileged user namespace restrictions are enabled, various applications within and outside the Ubuntu archive fail to function, as they use unprivileged user namespaces as part of their normal operation.

A search of the Ubuntu archive for the 23.10 release was performed looking for all applications that make legitimate use of the CLONE_NEWUSER argument, the details of which can be seen in https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

For each package identified in that list, an investigation was made to determine if the application actually used this as an unprivileged user, and if so which of the binaries within the package were affected. The full investigation can be seen in https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately private) but is summarised to the following list of Ubuntu source packages, as well as some out-of-archive applications that are known to use unprivileged user namespaces.
For each of these binaries, an apparmor profile is required so that the binary can be granted use of unprivileged user namespaces - an example profile for the ch-run binary within the charliecloud package is shown:

```
$ cat /etc/apparmor.d/ch-run
abi ,
include

profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists
}
```

However, in a few select cases, it has been decided not to ship an apparmor profile, since this would effectively allow this mitigation to be bypassed. In particular, the unshare and setns binaries within the util-linux package are installed on every Ubuntu system, and allow an unprivileged user the ability to launch an arbitrary application within a new user namespace. Any malicious application then that wished to exploit an unprivileged user namespace to conduct an attack on the kernel would simply need to spawn itself via `unshare -U` or similar to be granted this permission. Therefore, due to the ubiquitous nature of the unshare (and setns) binaries, profiles are not planned to be provided for these by default. Similarly, the bwrap binary within bubblewrap is also installed by default on Ubuntu Desktop 24.04 and can also be used to launch arbitrary binaries within a new user namespace and so no profile is planned to be provided for this either.

In Bug 2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. They were also added in the AppArmor upstream project.
As well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic:

```
userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
  if [ "$unconfined_userns" -eq 0 ]; then
    # userns restrictions rely on unconfined userns to be supported
    echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
    sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
  fi
fi
```

This allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but to also make sure we don't inadvertently enable it when it is not supported by the kernel.
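The description's reasoning for not shipping profiles for unshare, setns and bwrap can be turned into a local check: audit a profile directory for any profile that grants userns to one of those launchers. This is an added example, not code from the Ubuntu or AppArmor packages; the launcher list comes from the description, the profile files are constructed, and the parser is a simplified line-based match on `profile NAME PATH flags=(...) {` headers.

```shell
#!/bin/sh
# Added example; the profile files written by make_sample_dir are constructed.
# Launchers named in the description: a userns-granting profile for any of
# them lets an arbitrary program obtain a new user namespace.
LAUNCHERS="unshare setns bwrap"

# audit_userns_profiles DIR
# For each profile under DIR that grants userns, print
#   "<verdict> <profile> <attachment> <flags>"
# where verdict is BYPASS if the attachment basename is a launcher, else ok.
# Simplification: a userns rule is credited to the nearest preceding
# "profile" header, so nested child profiles are not tracked separately.
audit_userns_profiles() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk -v launchers="$LAUNCHERS" '
      BEGIN { n = split(launchers, l, " "); for (i = 1; i <= n; i++) bad[l[i]] = 1 }
      { sub(/#.*/, "") }                     # ignore comments
      /^[ \t]*profile[ \t]+/ {
        name = $2; att = "-"; flags = "-"
        if ($3 ~ /^\//) att = $3
        if (match($0, /flags=\([^)]*\)/))
          flags = substr($0, RSTART + 7, RLENGTH - 8)
        next
      }
      # "userns," / "userns create," / "allow userns,"; "deny userns," is skipped
      name != "" && /^[ \t]*(allow[ \t]+)?userns([ \t]+[a-z]+)*[ \t]*,/ {
        base = att; sub(/.*\//, "", base)
        verdict = (base in bad) ? "BYPASS" : "ok"
        print verdict, name, att, flags
        name = ""                            # one line per profile
      }
    ' "$f"
  done | LC_ALL=C sort
}

# Build a throwaway directory of constructed profiles and print its path.
make_sample_dir() {
  d=$(mktemp -d)
  cat > "$d/ch-run" <<'EOF'
profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,
}
EOF
  cat > "$d/bwrap-local" <<'EOF'
# constructed: a locally added profile of the kind the description warns about
profile bwrap /usr/bin/bwrap flags=(unconfined) {
  userns,
}
EOF
  cat > "$d/example-app" <<'EOF'
profile example-app /usr/bin/example-app {
  deny userns,
  /usr/bin/example-app mr,
}
EOF
  echo "$d"
}

sample=$(make_sample_dir)
audit_userns_profiles "$sample"
rm -rf "$sample"
```

Pointing the function at a copy of `/etc/apparmor.d` lists every userns grant on the system, with any launcher profile flagged as BYPASS.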
[Touch-packages] [Bug 2037604] Re: Backport packages for 22.04.4 HWE stack
I guess rebuilding gnome snaps with proposed on arm64 and testing that new gnome snap on mantic for pi5 & x1s would help.

https://bugs.launchpad.net/bugs/2037604

Title: Backport packages for 22.04.4 HWE stack

Status in directx-headers package in Ubuntu: Invalid
Status in mesa package in Ubuntu: Invalid
Status in rust-bindgen package in Ubuntu: Invalid
Status in rust-clang-sys package in Ubuntu: Invalid
Status in directx-headers source package in Jammy: Fix Committed
Status in mesa source package in Jammy: Fix Committed
Status in rust-bindgen source package in Jammy: Invalid
Status in rust-clang-sys source package in Jammy: Invalid

Bug description:
[Impact]
The graphics HWE stack from mantic needs to be backported for 22.04.4

directx-headers
- build-dep of the new Mesa

mesa
- new major release (23.2.x)
- new HW support, Meteor Lake..

[Test case]
We want to cover at least 2-3 different, widely used and already previously supported GPU generations from both AMD and Intel which are supported by this release, as those are the ones that cover most bases; nouveau users tend to switch to the NVIDIA blob after installation. No need to test ancient GPU's supported by mesa-amber. And best to focus on the newer generations (~5y and newer) as the older ones are less likely to break at this point.

- AMD: Vega, Navi1x (RX5000*), Navi2x (RX6000*), Navi3x (RX7000*)
- Intel: gen9 (SKL/APL/KBL/CFL/WHL/CML), gen11 (ICL), gen12 (TGL/RKL/RPL/DG2)

Install the new packages and run some tests:
- check that the desktop is still using hw acceleration and hasn't fallen back to swrast/llvmpipe
- run freely available benchmarks that torture the GPU (Unigine Heaven/Valley/Superposition)
- run some games from Steam if possible

and in each case check that there is no gfx corruption happening or worse.
Note that upstream releases have already been tested for OpenGL and Vulkan conformance by their CI.

[Where things could go wrong]
This is a major update of Mesa, there could be regressions but we'll try to catch any with testing. And since it shares bugs with mantic, we'd already know if there are serious issues.

We will backport the final 23.2.x at a later stage, the first backport is needed for enabling Intel Meteor Lake.