[Bug 2064672] Re: [SRU] - fixes for apparmor on noble
This SRU should land soon. It is up to the release team to decide when it will be released. There are a couple of reasons this is baking longer (28 days) than the minimum 7 days. A previous iteration in -proposed caused a regression and had to be reverted. The 24.04.1 release happened recently, and that release was the primary focus of the release team leading up to it.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064672

Title: [SRU] - fixes for apparmor on noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2064849] Re: Ubuntu 24.04 desktop icons ng image thumbnails no longer displayed
Ubuntu cannot ship an unconfined bwrap profile; doing so allows a trivial bypass of the unprivileged user namespace restrictions. An alternative profile for bwrap is provided by the apparmor-profiles package in /usr/share/apparmor/extra-profiles/bwrap-userns-restrict. It is not enabled by default at this time due to a need to fix an interaction with flatpak.

https://bugs.launchpad.net/bugs/2064849
https://bugs.launchpad.net/gnome-shell-extension-desktop-icons-ng/+bug/2064849/+subscriptions
[Bug 2079983] Re: Thumbnails in desktop doesn't work due to apparmor restrictions
*** This bug is a duplicate of bug 2064849 ***
https://bugs.launchpad.net/bugs/2064849

Ubuntu cannot ship an unconfined bwrap profile; doing so allows a trivial bypass of the unprivileged user namespace restrictions. An alternative profile for bwrap is provided by the apparmor-profiles package in /usr/share/apparmor/extra-profiles/bwrap-userns-restrict. It is not enabled by default at this time due to a need to fix an interaction with flatpak.

https://bugs.launchpad.net/bugs/2079983
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2079983/+subscriptions
[Bug 1795649] Re: evince from snap doesn't save position in pdf document
@Mingun: in https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1969896 you reported this is still affecting Ubuntu 24.04.1. Can you provide log entries with the denials you are encountering?

  sudo dmesg | grep DENIED

Also you reported

  $ LANG=C sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince
  apparmor_parser: Unable to remove "/usr/bin/evince". Profile doesn't exist

Can you provide what is returned by

  ls /etc/apparmor.d/usr.bin.evince

and

  sudo aa-status | grep evince

https://bugs.launchpad.net/bugs/1795649
https://bugs.launchpad.net/evince/+bug/1795649/+subscriptions
[Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched
*** This bug is a duplicate of bug 1795649 ***
https://bugs.launchpad.net/bugs/1795649

@Mingun: I have replied in https://bugs.launchpad.net/evince/+bug/1795649

https://bugs.launchpad.net/bugs/1969896
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1969896/+subscriptions
[Bug 2079019] Re: Unable to enforce/disable profiles using aa-enforce/aa-disable
This is fixed in 4.0.2 and should be part of the next SRU.

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/2079019
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2079019/+subscriptions
[Bug 2065088] Re: AppArmor profiles allowing userns not immediately active in 24.04 live image
Disabling the user namespace restriction is certainly one possible direction, and would be the easiest for Noble.

The other possible route is using aa-notify, which now has the ability to produce a prompt for the user. An example gif can be seen at https://gitlab.com/-/project/4484878/uploads/ea5f41c3e1799fcf4d6c0c41af86553a/demo_aa_notify.webm

It is currently only in Oracular, and there are some bug fixes coming to the current version, but the plan is to SRU the ability to Noble. For those who want to play with it, instructions are below.

It is available for noble via the ppa at https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. It can be installed via

  sudo apt install apparmor-notify

Basic instructions are available via

  man aa-notify

It will install a default configuration in "/etc/apparmor/notify.conf". The default configuration can be modified on a per-user basis by copying it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally "$HOME/.config/apparmor/notify.conf", or to "$HOME/.apparmor/notify.conf". A custom configuration is not needed unless you want to use filtering to make it less noisy. Currently regular notifications will happen for all apparmor events, but they can be filtered using the config file.

The notifier can be started via the shell with

  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications.

There is a bug with the user namespace notification where it currently requires "--prompt-filter=userns" as part of the command arguments instead of being set in the config file.

https://bugs.launchpad.net/bugs/2065088
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065088/+subscriptions
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble.

It can be installed via

  sudo apt install apparmor-notify

Basic instructions are available via

  man aa-notify

It will install a default configuration in "/etc/apparmor/notify.conf". The default configuration can be modified on a per-user basis by copying it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally "$HOME/.config/apparmor/notify.conf", or to "$HOME/.apparmor/notify.conf". A custom configuration is not needed unless you want to use filtering to make it less noisy. Currently regular notifications will happen for all apparmor events, but they can be filtered using the config file.

The notifier can be started via the shell with

  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications.

There is a bug with the user namespace notification where it currently requires "--prompt-filter=userns" as part of the command arguments instead of being set in the config file.

-- 
You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions

-- 
kubuntu-bugs mailing list
kubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 2068602] Re: kernel oops in aafs_create in noble/oracular
Looking into it. This appears to be an issue with the parent missing when trying to create the child in aafs.

** Changed in: linux (Ubuntu Noble)
   Status: New => Confirmed

** Changed in: linux (Ubuntu)
   Status: New => Confirmed

** Changed in: ubuntu-realtime
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/2068602
https://bugs.launchpad.net/ubuntu-realtime/+bug/2068602/+subscriptions
[Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble.

It can be installed via

  sudo apt install apparmor-notify

Basic instructions are available via

  man aa-notify

It will install a default configuration in "/etc/apparmor/notify.conf". The default configuration can be modified on a per-user basis by copying it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally "$HOME/.config/apparmor/notify.conf", or to "$HOME/.apparmor/notify.conf". A custom configuration is not needed unless you want to use filtering to make it less noisy. Currently regular notifications will happen for all apparmor events, but they can be filtered using the config file.

The notifier can be started via the shell with

  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications.

There is a bug with the user namespace notification where it currently requires "--prompt-filter=userns" as part of the command arguments instead of being set in the config file.

https://bugs.launchpad.net/bugs/2060767
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060767/+subscriptions
[Bug 2063976] Re: Apparmor breaking nsjail in AOSP
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble.

It can be installed via

  sudo apt install apparmor-notify

Basic instructions are available via

  man aa-notify

It will install a default configuration in "/etc/apparmor/notify.conf". The default configuration can be modified on a per-user basis by copying it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally "$HOME/.config/apparmor/notify.conf", or to "$HOME/.apparmor/notify.conf". A custom configuration is not needed unless you want to use filtering to make it less noisy. Currently regular notifications will happen for all apparmor events, but they can be filtered using the config file.

The notifier can be started via the shell with

  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications.

There is a bug with the user namespace notification where it currently requires "--prompt-filter=userns" as part of the command arguments instead of being set in the config file.

https://bugs.launchpad.net/bugs/2063976
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2063976/+subscriptions
[Bug 2056555] Re: Allow bitbake to create user namespace
An updated aa-notify that can prompt the user to create a profile is available in oracular, and for noble via https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports. The plan is to get more testing on it and then SRU to noble.

It can be installed via

  sudo apt install apparmor-notify

Basic instructions are available via

  man aa-notify

It will install a default configuration in "/etc/apparmor/notify.conf". The default configuration can be modified on a per-user basis by copying it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally "$HOME/.config/apparmor/notify.conf", or to "$HOME/.apparmor/notify.conf". A custom configuration is not needed unless you want to use filtering to make it less noisy. Currently regular notifications will happen for all apparmor events, but they can be filtered using the config file.

The notifier can be started via the shell with

  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications.

There is a bug with the user namespace notification where it currently requires "--prompt-filter=userns" as part of the command arguments instead of being set in the config file.

https://bugs.launchpad.net/bugs/2056555
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
[Bug 2077413] Re: apparmor unconfined profile blocks signal sending
peer=unconfined in most cases is not meant to be any. It is just that the policy could not distinguish between the different unconfined processes. Confined processes were still being blocked by the peer=unconfined rule.

https://bugs.launchpad.net/bugs/2077413
https://bugs.launchpad.net/apparmor/+bug/2077413/+subscriptions
[Bug 2074070] Re: unable to get WPA supplicant status via wpa-cli utility from a snap
So I have some questions about the snap run under the wpa_client case. Is this trace repeatable? This one is odd to me in a couple of ways, like we are getting a timeout without ever doing a select/poll/... so either it is somehow missing from the trace or it's being done by interrupt.

The trace starts to differ with the

  fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0

instead of

  pselect6(4, ...      <- Why is this one missing
  recvfrom(3, ...      <- missing can be explained by time out
  newfstatat(1, ...

The missing pselect/poll of any kind is weird and needs to be investigated. The missing recvfrom can be explained by the timeout. The change from newfstatat to fstat in the snap might give a clue. I think we might be looking at a seccomp issue where newfstatat, or at least something used to detect if newfstatat is present, is being blocked. My guess is the code to select this is in glibc. This might also explain pselect6 missing. If glibc is setting some local vars that it is using to conditionally determine which syscall to use, it may just be straight up returning an error (eg timeout) without making a syscall of any kind. Again this is conjecture and needs to be investigated.

https://bugs.launchpad.net/bugs/2074070
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2074070/+subscriptions
[Bug 2056555] Re: Allow bitbake to create user namespace
@richard-purdie-1: I can completely agree that it's sad that security is stopping what amounts to better security. We are open to suggestions on how to improve the situation. Distro-specific hacks are ugly, an additional burden, and aren't a desirable solution. The end goal is to make it so the user can easily allow applications like bitbake to function. The plan is to SRU said functionality back into 24.04; it is just taking longer than was planned for.

https://bugs.launchpad.net/bugs/2056555
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
[Bug 2056555] Re: Allow bitbake to create user namespace
@ross: yes, the plan is to enable unshare and bwrap with custom profiles. It is possible to test if this would work for your use case by copying these profiles to the system and loading them. Whether it will work really depends on whether unshare can do all the necessary privileged operations. The child that unshare will spawn will not be able to do anything that requires capabilities, which is what is being denied above.

https://bugs.launchpad.net/bugs/2056555
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
[Bug 2051574] Re: gnome-shell-portal-helper crashed with SIGTRAP in waitUntilSyncedOrDie() from WebKit::XDGDBusProxy::launch() ["bwrap: setting up uid map: Permission denied" ; "Failed to fully launch
@jamesh: for the profile please give it a short non-path-based name, and an option for local additions:

  abi ,

  include 

  profile gnome-shell-portal-helper /usr/libexec/gnome-shell-portal-helper flags=(default_allow) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists 
  }

This way, if locations change, the name remains stable and readable. The attachment (path portion) can be updated, and can even have multiple locations. Otherwise looks good.

https://bugs.launchpad.net/bugs/2051574
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2051574/+subscriptions
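The naming guidance in the comment above can be checked mechanically before a profile is shipped. The script below is an added example, not code from the bug thread or from the AppArmor project: it reads a profile from stdin and reports whether the header declares a short name plus an absolute attachment path, and whether the "include if exists <local/NAME>" override hook (the AppArmor convention assumed here) is present for that name. The three profile texts in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug thread): lint the header of an AppArmor
# profile against the "short name + attachment path + local include" shape.
# Assumes the AppArmor convention that local overrides live in
# "include if exists <local/NAME>"; the profiles below are constructed.

# Print "ok: NAME [...]" or "bad: <reason>" for the profile text on stdin.
aa_profile_header_check() {
    awk '
        # The first line that opens a block is taken as the profile header.
        !seen && /[{][[:space:]]*$/ {
            seen = 1
            n = split($0, w, /[[:space:]]+/)
            i = (w[1] == "") ? 2 : 1          # skip leading indentation token
            if (w[i] != "profile") { reason = "path-based name, no profile keyword"; next }
            name = w[i+1]
            if (name ~ /^\//) { reason = "name is a path"; next }
            # Without an attachment the next token is "flags=..." or "{".
            if (w[i+2] !~ /^\//) { reason = "no absolute attachment path for " name; next }
        }
        /include[[:space:]]+if[[:space:]]+exists[[:space:]]+<local\// { local_line = $0 }
        /^[[:space:]]*userns,/ { userns = 1 }
        END {
            if (!seen) reason = "no profile header found"
            if (reason != "") { print "bad: " reason; exit 0 }
            if (index(local_line, "<local/" name ">") == 0) {
                print "bad: missing include if exists <local/" name ">"; exit 0
            }
            suffix = userns ? " (grants userns)" : ""
            print "ok: " name suffix
        }'
}

# Constructed: the shape recommended above (short name, attachment, local include).
AA_GOOD_PROFILE='profile gnome-shell-portal-helper /usr/libexec/gnome-shell-portal-helper flags=(default_allow) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/gnome-shell-portal-helper>
}'

# Constructed: old path-based naming, which breaks as soon as the binary moves.
AA_BAD_PROFILE='/usr/libexec/gnome-shell-portal-helper flags=(default_allow) {
  userns,
}'

# Constructed: named correctly but with no hook for site-local overrides.
AA_NOLOCAL_PROFILE='profile foo /usr/bin/foo {
  userns,
}'

# Demo output (the checks are also what the test asserts on).
for p in "$AA_GOOD_PROFILE" "$AA_BAD_PROFILE" "$AA_NOLOCAL_PROFILE"; do
    printf '%s\n' "$p" | aa_profile_header_check
done
```

To run it against a real file use "aa_profile_header_check < /etc/apparmor.d/NAME"; the check is purely textual and deliberately does not replace apparmor_parser, which still validates the full syntax.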
[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`
@Robie: define final. Right now this is for testing. Once testing is done, and if everything looks good, then we will revise the version. The plan was to go with an epoch version similar to 4.0.1really4.0.0-beta3-0ubuntu0.1 (suggestions welcome), and we didn't want to use/burn those until we are sure this is the final version. We will kill off the epoch version with the 4.0.2 release (coming soon) asap.

https://bugs.launchpad.net/bugs/2072811
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions
[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`
steam (non-snap) works: the interface is brought up and can launch a game known to trigger pressure vessel and bwrap.

steam snap is broken. The interface is brought up, but the games I have tried cannot launch. The failure however does not appear to be related to the revert. It is not bwrap related but profile permissions related, namely the permissions for the specific games. Specifically the bind mount of the old root to the new root. The SRU and the revert have no changes that should affect the mount mediation.

https://bugs.launchpad.net/bugs/2072811
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions
[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`
I have run through QRT tests as well, same results as @georgia in #28. In addition I have tested a couple of flatpaks; steam (snap, and non-snap) has NOT been tested yet, but I will have that one soon.

https://bugs.launchpad.net/bugs/2072811
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions
[Bug 2064672] Re: [SRU] - fixes for apparmor on noble
The regression is caused by d/p/u/enable-bwrap-profile.patch: the bwrap profile is interacting with flatpak and snapd. The d/p/u/enable-bwrap-profile.patch will need to be dropped when the 4.0.1 SRU is redone. bwrap, flatpak and snapd will need updates to enable bwrap to be used by regular users. Since this change is now known to have potential breakage, it should be isolated to its own SRU where it is the only change, allowing easier testing and easier revert, knowing it is the only moving piece.

https://bugs.launchpad.net/bugs/2064672
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672/+subscriptions
[Bug 2056555] Re: Allow bitbake to create user namespace
@ross: atm, correct, unshare does NOT work as it does not have a profile enabled by default. However this will be partially fixed via SRU. The SRU for apparmor 4.0.1 includes an example profile for unshare*, which will allow unshare to create user namespaces and even have capabilities within the user namespace, but any child it execs, whether in the user namespace or outside of it, will not have those privileges. This will enable unshare to be used for some use cases but not all. Basically it will NOT work for the use case where the executed child needs privileges within the user namespace. This use case has to be privileged as otherwise it allows the unprivileged user to bypass the restriction.

* Note: the 4.0.1 SRU does not enable the unshare profile by default, as there needs to be further testing that we are not regressing current unshare users like LXD. The plan is to enable it with a targeted follow-on SRU that does only one thing: enable the profile by default.

https://bugs.launchpad.net/bugs/2056555
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`
There are 3 profiles involved here (probably should be 4), with a call dependency chain of

  flatpak -> bwrap -> bwrap_unpriv

The flatpak profile does not show up in the logs but does end up launching bwrap. The comm is being set by flatpak, and cannot be considered reliable for which executable is running for a given entry. The bwrap profile will be recorded while bwrap code is running, and bwrap_unpriv AND bwrap stacked for the actual keepassxc application.

There are 2 distinct classes of failures here:

1. Deleted files being re-validated. These have the info="Failed name lookup - deleted dentry". Basically fd delegation is not allowed to bypass mediation. The files are no longer part of the namespace, and were never validated for access under the current confinement.

2. Files that are in the namespace that the application doesn't have permissions to access.

Breaking this down by profiles:

bwrap:
  l /home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211 -> /**,   # case 1. target is actually unknown at this point, but likely the same as the following
  l /home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini -> /home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211,   # case 2

unpriv_bwrap:
  l /home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211 -> /**,   # target again is unknown but likely the same as the following
  l /home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini -> /home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211,   # case 2

That bwrap and bwrap_unpriv are attempting to do the same thing, and each once with a deleted file then again with one that exists, is extremely interesting. I need to dig into this a little more, to figure out exactly what is going on. The 2nd entry at first pass should be allowed by the profile, unless it is related to the same syscall that is causing the deleted entry denial, and is due to stacking denying the deleted dentry. If that is the case the question becomes how does the dentry stop being deleted during the single syscall. Like I said, further investigation is needed.

https://bugs.launchpad.net/bugs/2072811
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions
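The "sudo dmesg | grep DENIED" output requested earlier in this digest, the userns_create events that aa-notify prompts on, and the two failure classes separated in the analysis above all start from the same AppArmor audit lines. The script below is an added example, not code from the bug thread or from the AppArmor project: it pulls the profile=, operation= and info= fields out of apparmor="DENIED" lines and counts them per profile as deleted-dentry re-validation, userns_create, or ordinary permission denials, so a reporter can hand a maintainer the breakdown instead of raw dmesg. The log lines in it are constructed for the example, including the stacked "bwrap//&unpriv_bwrap" label and the elided home directory; non-DENIED lines are ignored.

```shell
#!/bin/sh
# Added example (not from the bug thread): triage AppArmor "DENIED" audit
# lines into the classes the maintainer's analysis distinguishes:
#   deleted-dentry  - info="Failed name lookup - deleted dentry" (re-validation
#                     of a file that is no longer in the namespace)
#   userns          - operation="userns_create" (unprivileged userns restriction)
#   permission      - everything else the profile simply does not allow
# Field names (profile=, operation=, info=, comm=) are AppArmor's own; the
# sample lines below are constructed for this example.

# Extract one key="value" field from an audit line; prints nothing if absent.
aa_field() {  # usage: aa_field KEY LINE
    printf '%s\n' "$2" | awk -v key="$1" '
        { if (match($0, key "=\"[^\"]*\""))
              print substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3) }'
}

# Classify one line: prints "<profile>\t<class>"; silent for non-denials.
aa_classify() {  # usage: aa_classify LINE
    case "$1" in *'apparmor="DENIED"'*) ;; *) return 0 ;; esac
    profile=$(aa_field profile "$1")
    op=$(aa_field operation "$1")
    info=$(aa_field info "$1")
    case "$info" in
        *"deleted dentry"*) class=deleted-dentry ;;
        *) case "$op" in
               userns_create) class=userns ;;
               *)             class=permission ;;
           esac ;;
    esac
    printf '%s\t%s\n' "$profile" "$class"
}

# Summarise stdin as "<profile>\t<class>\t<count>", one line per pair.
aa_denial_summary() {
    while IFS= read -r line; do aa_classify "$line"; done |
        LC_ALL=C sort | uniq -c | awk '{ printf "%s\t%s\t%s\n", $2, $3, $1 }'
}

# Constructed sample: the bwrap/unpriv_bwrap pairs from the analysis above
# (stacked label "bwrap//&unpriv_bwrap"), one userns_create denial for an
# unconfined process, and one non-DENIED line that must be skipped.
AA_SAMPLE_LOG='audit: type=1400 audit(1720000000.101:40): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted dentry" error=-13 profile="bwrap" name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4242 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
audit: type=1400 audit(1720000000.102:41): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4242 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
audit: type=1400 audit(1720000000.103:42): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted dentry" error=-13 profile="bwrap//&unpriv_bwrap" name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4242 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
audit: type=1400 audit(1720000000.104:43): apparmor="DENIED" operation="link" class="file" profile="bwrap//&unpriv_bwrap" name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4242 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
audit: type=1400 audit(1720000000.105:44): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=5151 comm="bitbake-worker" requested="userns_create" target="unprivileged_userns"
audit: type=1400 audit(1720000000.106:45): apparmor="ALLOWED" operation="open" class="file" profile="evince" name="/etc/fonts/fonts.conf" pid=6161 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Demo: on a live system replace the sample with `sudo dmesg | grep DENIED`.
printf '%s\n' "$AA_SAMPLE_LOG" | aa_denial_summary
```

On the sample the summary shows each of bwrap and the stacked bwrap//&unpriv_bwrap label with one deleted-dentry and one permission entry, and unconfined with one userns entry; a real log will usually have many more permission entries per profile, which is where comm= (unreliable under flatpak, as noted above) and name= are worth adding to the key.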
[Bug 2056555] Re: Allow bitbake to create user namespace
@kanavin: Bitbake could indeed do that; it will depend on if it is considered worthwhile to carry said exception code. As I mentioned above, both capabilities and SELinux are working towards limiting of unprivileged user namespaces, and the solutions needed to handle their restrictions will be different. For Ubuntu the current plan is to SRU the apparmor GUI interface to 24.04. While I would like it to land in time for 24.04.1, at this point I think it is unlikely, as the apparmor 4.0.1 SRU took over 6 weeks.

https://bugs.launchpad.net/bugs/2056555
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
[Bug 2056555] Re: Allow bitbake to create user namespace
@kanavin: Thanks, we don't have an issue with bitbake; the issue comes down to running code out of a user writable location.

1. The location of bitbake will vary by user, making any profile we could ship only functional for a subset of bitbake users. For the others it would require a privileged action to enable.

2. Enabling unprivileged user namespaces in a user writable location (an unprivileged action) allows an exploit to bypass the restriction by writing to that location as part of its setup. Doing this at a distro level advertises that the location is available to all users, making it easy for exploits to detect and adapt to this. When a user chooses to do it locally, it greatly reduces the risk compared to the distro level enablement.

Unfortunately atm this forces the user to understand what is going on and manually enable a profile for the application. We are working on a GUI method that users will be able to use, making this task easier. Unfortunately this also comes with the risk of users just clicking yes/enable without understanding the risk, but there is no way around that problem.

https://bugs.launchpad.net/bugs/2056555
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
[Bug 2056555] Re: Allow bitbake to create user namespace
@milev-philip: containers are a difficult case. Unfortunately containers share the same kernel as the host. An application running in the container (docker image) can use unprivileged user namespaces to compromise not just the container but the host as well.

There is the ability to turn the restriction off at the host. See the 24.04 release notes https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions

Container managers can also be modified to understand and disable the restriction for the container (lxd is doing this). But as noted above when this is done the container can be used to compromise the host, via a kernel exploit.
[Bug 2056555] Re: Allow bitbake to create user namespace
It does seem that way. The problem is the design of unprivileged user namespaces, it gives unprivileged applications access to a lot of kernel surface that they usually don't have access to. This has been used to elevate kernel bugs from root exploitable to being exploitable by unprivileged users. So when used responsibly they can be used to reduce privileges, which we want to allow. But exploit code can leverage them to gain full kernel privileges. Unfortunately it's impossible to distinguish between the two cases except to go through and identify the known good users.

That leaves us in the situation where we can
1. just ignore the very real problem, that has been used by dozens of exploits
2. Disable unprivileged user namespaces completely
3. Try to selectively enable/disable unprivileged user namespaces.

From a security pov allow listing (selective enablement) is the correct approach, because you can never deny list all combinations of exploits. This does unfortunately also mean that enabling unprivileged user namespaces for an application must be a privileged action, otherwise an exploit only has to take an extra step to by-pass the restriction. Hence why we won't by default enable a profile for an application in a location that is run from a user writable location. A user doing said enablement locally is at much lower risk than a distro doing so.

Note that Ubuntu won't be the only ones restricting unprivileged user namespaces. The ability to control them is coming to capabilities and SELinux as well.
[Bug 2072615] Re: Request to add a default profile for bitbake
*** This bug is a duplicate of bug 2056555 ***
https://bugs.launchpad.net/bugs/2056555

Yes, it's best to mark this as a duplicate.

** This bug has been marked a duplicate of bug 2056555
   Allow bitbake to create user namespace
[Bug 2064672] Re: [SRU] - fixes for apparmor on noble
Test Environment 1: kvm virtual machine, clean 24.04 install, updated, then proposed enabled.
Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04, updated, then proposed enabled.

Test plan fully executed on both environments.

Notes:
kde, budgie, and kapps: only tested in environment 1
steam: only tested on environment 2.
[Bug 2064672] Re: [SRU] - fixes for apparmor on noble
List of Applications tested for regression
Tellico
Supercollider
steam
rssguard
qutebrowser
qmapshack
plasma-welcome
plasma-desktop
pageedit
opam
notepadqq
marble
loupe
kontact
konqueror
kmail
kgeotag
kdeplasma-addons
kchmviewer
kalgebra
goldendict-webengine
ghostwriter
foliate
geary
firefox snap
falkon
evolution
epiphany-browser
digikam
devhelp
cantor
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
A profile for bwrap is in the 4.0.1 SRU
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
A profile for bwrap is in the 4.0.1 SRU

** Changed in: bubblewrap (Ubuntu)
       Status: Triaged => Fix Committed
[Bug 2064672] Re: [SRU] - fixes for apparmor on noble
On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of June 27, 24.04.

0. Enabled proposed, updated, upgraded and installed apparmor packages via

   $ sudo apt install apparmor apparmor-profiles apparmor-utils libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor python3-libapparmor -t noble-proposed

Full test plan executed for Ubuntu Desktop, Kubuntu Desktop, Budgie Desktop.

[ Test Plan ]
Test QA Regression Testing

The final test output was:

   --
   Ran 62 tests in 903.834s

   OK (skipped=3)

   $ apt policy apparmor
   apparmor:
     Installed: 4.0.1-0ubuntu0.24.04.2
     Candidate: 4.0.1-0ubuntu0.24.04.2
     Version table:
    *** 4.0.1-0ubuntu0.24.04.2 100
           100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
           100 /var/lib/dpkg/status
        4.0.0-beta3-0ubuntu3 500
           500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Run additional tests:

1. test wike
   run from terminal, works with no apparmor rejections
   run from gnome activities, works no apparmor rejections
2. test foliate
   run from terminal, works with no apparmor rejections
   run from gnome activities, works with no apparmor rejections
3. test transmission
   run from terminal, works with no apparmor rejections
   run from gnome activities, works with no apparmor rejections
4. test bwrap
   4.1 setzer
       run from terminal, works with no apparmor rejections
       run from gnome activities, works with no apparmor rejections
   4.2 flatpak gnome.recepieces
       works as expected

In addition to the test plan using the gnome desktop, the Kubuntu and Budgie desktops were brought up and tested to ensure no regressions around widgets, applications or previously reported bugs.

See https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 for the tracked list of applications. See next comment for results from testing each application.
[Bug 2064781] Re: setzer does not launch
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

I will add that while you can manually add the profile as a work around, the full update that is being SRUed is available in https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru any testing that can be performed against that is much appreciated.
[Bug 2069526] Re: bubbewrap cannot create namespace - Failed RTM_NEWADDR: Operation not permitted
Can you please try with the apparmor in https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru

Basically from a terminal you need to do

   sudo add-apt-repository ppa:apparmor-dev/apparmor-sru
   sudo apt update

and then retry Web Apps

4.0.1 is in the SRU process, currently waiting to be promoted to 24.04 -proposed.
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
> Am I correct in understanding, the Thunderbird snap does not allow profiles to set paths to locations outside the snap confinement? And if so, is that something specific to running a live system or is it something any Lubuntu 24.04 installation is now stymied by?

it is a property of the snap, regardless of whether it is on a live system, ubuntu, Lubuntu, kubuntu, ...

There is work ongoing to address this but it is not currently available
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
Sigh, that should be

Unfortunately snap doesn't currently have ...
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
> I'm sorry, would you mind elaborating? profiles.ini allows configuration of where each profile stores emails, so what are the consequences of my doing that? I used it, and the same PATH variable, prior to 24.04 without problem.

that will direct thunderbird to access your emails stored at the location

   /media/lubuntu/drive/hq/email/thunderbird/certainprofilegoeshere

which explains why your dmesg contains denials like

   [39889.472715] audit: type=1400 audit(1714429239.953:352): apparmor="DENIED" operation="open" class="file" profile="snap.thunderbird.thunderbird" name="/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock" pid=72158 comm="thunderbird-bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000

which was my comment about being at a loss as to why thunderbird is trying to access

   /media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
   /media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock

The consequences of doing that are that the snap confinement for thunderbird doesn't give it access to that location.

The thunderbird deb is installing the thunderbird snap, you can read more about it at the following link https://www.omgubuntu.co.uk/2024/02/thunderbird-snap-in-ubuntu-24-04

For the chrome snap I would have to see the dmesg output to be sure but it could be a similar issue.

So how to address this. Unfortunately doesn't currently have a mechanism to allow the user to override its confinement. You can manually update the generated apparmor profile but snap will regenerate it and throw your custom rules away the next time it refreshes the application.
[Bug 2064672] Re: [SRU] - fixes for apparmor on noble
It shouldn't but we do need to make sure it works. Previously flatpak was getting around the bwrap restriction by using the flatpak unconfined profile. But the unconfined profile uses pix which means it will now use the bwrap profile, when calling bwrap. If this does cause breakage we will need to move flatpak to using just ix when calling bwrap.

@smcv: do you have a specific app in mind to test.
[Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble
** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 2056517] Re: VS Code profile still broken.
** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue
** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Fix Committed
[Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue
** Changed in: apparmor (Ubuntu)
       Status: New => Fix Released
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
the Path=/media/lubuntu/drive/hq/email/thunderbird/certainprofilegoeshere explains it
[Bug 2067900] Re: apparmor unconfined profile blocks pivot_root
This requires a v4.0 apparmor parser and an Ubuntu, not upstream, kernel. The ubuntu kernel carries a patch that is work toward splitting unconfined and making it so it can be replaced and only cause mediation overhead for the classes being mediated. The 4.0 parser is setting mediated classes in unconfined profiles when it shouldn't, causing pivot root to fail.

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

** Changed in: apparmor
       Status: New => Confirmed
[Bug 2064672] Re: [SRU] - fixes for apparmor on noble
@smoelius: If you are interested in learning more of the processes, you can read about it at https://wiki.ubuntu.com/StableReleaseUpdates

To summarize the upload is at step 4 of the procedures. It has been uploaded but has not been promoted to the -proposed pocket. Once it has been accepted it will be in the -proposed pocket for a minimum of 7 days, the absolute earliest this SRU could land in updates is mid next week, but it will likely take a little longer.

It is available earlier either through the ppa (https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru), or the -proposed pocket (user opt in by enabling proposed) once promoted.
[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper
Uhmmm sorry Oracular not Oneiric, seems I am a full 13 years out of sync
[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper
I can report the bwrap-userns-restrict profile in Oneric makes this work for me. This fix migrated out of proposed this week, so it has only been available for a few days. We will work on getting it SRUed to noble.
[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper
@samlan00: you should be able to revert your fix on Oneiric.
[Bug 2065708] Re: Add Picture button in Background does not allow you to select wallpaper
Agreed that, we don't want to remove sandboxing on the thumbnailer. We are looking at what we can do for a fix.
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@mhalano: can you check your logs for apparmor denial messages?

   sudo dmesg | grep DENIED

or

   journalctl -g apparmor
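The denial lines those two checks surface, and the thunderbird line quoted in the profiles.ini reply above, all share one key=value layout that is easy to summarise per profile. This is an added example, not code from the bug thread or from the apparmor project: the first two log lines are the ones discussed above, the foliate and userns_create lines are constructed, and the field layout of the userns_create line is an assumption about what the 24.04 kernel logs for the unprivileged user namespace restriction.

```python
"""Summarise AppArmor denials from `dmesg` / `journalctl` output per profile."""
import re
from collections import defaultdict

# Sample kernel log. Line 1 is the thunderbird denial from the bug thread; line 2
# is its sibling lock file; lines 3 and 4 are constructed for this example
# (the userns_create field layout is an assumption); line 5 is unrelated noise.
SAMPLE_LOG = """\
[39889.472715] audit: type=1400 audit(1714429239.953:352): apparmor="DENIED" operation="open" class="file" profile="snap.thunderbird.thunderbird" name="/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock" pid=72158 comm="thunderbird-bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
[39889.472900] audit: type=1400 audit(1714429239.954:353): apparmor="DENIED" operation="open" class="file" profile="snap.thunderbird.thunderbird" name="/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock" pid=72158 comm="thunderbird-bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
[40001.100000] audit: type=1400 audit(1714429351.100:354): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=72400 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
[40002.000000] audit: type=1400 audit(1714429352.000:355): apparmor="ALLOWED" operation="open" class="file" profile="foliate" name="/home/user/.cache/example" pid=72500 comm="foliate" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[40003.000000] systemd[1]: Started session-4.scope.
"""

# key="quoted value" or key=bareword; the audit prefix (timestamp, type, serial)
# is skipped by starting the scan at the apparmor= field.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_event(line):
    """Return the fields of one AppArmor audit line as a dict, or None if it is not one."""
    start = line.find('apparmor="')
    if start < 0:
        return None
    fields = {}
    for m in _KV_RE.finditer(line, start):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denials(log_text):
    """Yield parsed events whose verdict is DENIED (complain-mode ALLOWED lines are skipped)."""
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if ev and ev.get("apparmor") == "DENIED":
            yield ev


def is_userns_restriction(ev):
    """True when the denial is the 24.04 unprivileged user namespace restriction."""
    return ev.get("operation") == "userns_create" and ev.get("class") == "namespace"


def summarize_denials(log_text):
    """Map (profile, operation) -> sorted distinct targets.

    File denials report the path in name=; the userns restriction reports the
    profile the kernel looked for in target= instead.
    """
    summary = defaultdict(set)
    for ev in denials(log_text):
        summary[(ev["profile"], ev["operation"])].add(ev.get("name") or ev.get("target") or "")
    return {key: sorted(targets) for key, targets in summary.items()}


def remediation_hint(ev):
    """Defender-side hint for a denial, following the guidance given in the thread."""
    if is_userns_restriction(ev):
        return ("%s tried to create an unprivileged user namespace; it needs an AppArmor "
                "profile granting that (a privileged action), not an unconfined profile"
                % ev.get("comm"))
    if ev.get("profile", "").startswith("snap."):
        return ("snap confinement denied the access; edits to the generated profile are "
                "discarded on refresh, so keep the data inside the paths the snap allows")
    return "check profile %s for a missing rule covering %s" % (ev.get("profile"), ev.get("name"))


if __name__ == "__main__":
    for (profile, op), targets in summarize_denials(SAMPLE_LOG).items():
        print("%s %s: %d target(s)" % (profile, op, len(targets)))
        for t in targets:
            print("    " + t)
    for ev in denials(SAMPLE_LOG):
        print("hint:", remediation_hint(ev))
```

Pipe real output in with `sudo dmesg | python3 this_script.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; the summary makes it obvious whether a launch failure is a file rule gap or the user namespace restriction.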
[Bug 2064144] Re: lxc ships apparmor config that confuses aa-logprof
I opened a Ubuntu Noble specific task. We can close it after verifying the current apparmor in noble fixes the issue.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Noble)
   Importance: Undecided
       Status: New
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Yes for the appimages that are affected they should be reported upstream. There are some things that upstream can do to make appimages work under the restriction, ideally they would do it dynamically based on whether the user namespace is available rather than just based on distro, which is the quick fix some have done.
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Maxime Bélair (mbelair)
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
The AppArmor profile covers the packaged version and the standard privileged install location. You are correct that it does not cover running firefox from an unprivileged user writable location like $HOME. For unprivileged user writable locations like $HOME/bin/ the user has to deliberately make a privileged action like installing a profile for the location of the application. This applies to the appimage version run out of the user's $HOME as well.
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@jorge-lavila: technically possible yes. I want to be careful with what I promise here, as the user experience is not my area. With that said we are currently looking at using aa-notify as a bridge to improve the user experience. We would install it with a filter to only fire a notification for the user namespace denial/transition. That notification will show in your desktop's notification area with a button/click action that will launch a user prompt.

There will have to be an SRU to add some of the new functionality, but we can make it available before the SRU via a ppa for those who want to test. I will make sure to update this bug when we have this ready for testing.
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@zgraft: I have added a tor item, a profile will land in an update.
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@jorge-lavila, It's not a theoretical case, they have been used by multiple exploits every year (including this one) since landing in the kernel. Ubuntu is not the only ones looking at restricting them. SELinux has also picked up the ability but they haven't really rolled it out in policy, there are also discussions in other security forums (eg. the OSS security list) about how to disable them better than the giant sysctl that turns them off for everything. The apparmor solution allows doing it on a per application basis.

Yes it deliberately requires a privileged operation, otherwise the restriction could be trivially by-passed by exploit code. We know the experience is not user friendly atm, and are working on improving it. Improving both the flexibility on what is mediated and how the user can by-pass/disable the restriction. On the GUI side the end goal is something similar to what you get on MacOS where the user gets notified, and has to go to the security center to enable running an untrusted application.

There is in fact a profile coming for bwrap, and unshare, but not the unconfined profile that is being generically used to disable the restriction. The profile will restrict certain modes of operation, and prevent applications launched by it from having privilege within the user namespace. It will open the ubuntu shipped versions up for regular users again for many of its use cases.

Unfortunately untrusted code, which is the case of code downloaded into the home dir, will require a privileged operation to be able to use user namespaces. That could be the use of sudo when using the application, or creating a profile for the application, which then allows the user to subsequently use the application without a privileged operation.

** Also affects: tor (Ubuntu)
   Importance: Undecided
       Status: New
[Bug 2065088] Re: AppArmor profiles allowing userns not immediately active in 24.04 live image
Your understanding is mostly correct. There are, as best I can tell, 2 exceptions with how things are setup atm:

1. If the environment is setup to use early policy load, the init script bailout won't stop that policy from being loaded. But it prevents it from being live updated via `systemctl reload apparmor`.
2. Policy managed external to the apparmor init script is not affected. This basically means policy loaded/managed by
   - virt-manager
   - lxd
   - snapd
   - policy loaded manually by directly calling apparmor_parser

I still need to dig into this more so we can get this fixed. With 24.04 enabling the user namespace restriction by default, not having policy loaded can break things, so we need to look at the short term immediate fix for 24.04, and then making sure this is fixed proper for 24.10.

The 24.04 fix could be any of 3 different paths:

1. just don't enable the user namespace restriction, to avoid the breakage it will cause without policy
2. just load the subset of policy allowing user namespaces. This would address the user namespace restriction breakage while trying to reduce surprises caused by confinement being enabled post release.
3. load all policy.

With the fix coming post release, I doubt we will go for solution 3, but I at least want to run an initial evaluation of doing it.
[Bug 2065088] Re: AppArmor profiles allowing userns not immediately active in 24.04 live image
sadly yes, the init script has a bail out that stops loading policy on the live cd. We are going to have to investigate this.

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed
[Bug 2065088] Re: AppArmor profiles allowing userns not immediately active in 24.04 live image
s/live cd/live image/
[Bug 2046624] Re: apparmor breaks surfshark vpn
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

@1fallen: it looks like there is something more going on here, can you check your kernel log / dmesg for apparmor DENIED messages. eg.

```
sudo dmesg | grep DENIED
```
[Bug 2046624] Re: apparmor breaks surfshark vpn
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

As for upgrade vs. clean install: the unprivileged userns restriction is enabled via a sysctl and upgrading will not enable it by default.
[Bug 2064096] Re: Services fail to start in noble deployed with TPM+FDE
Unfortunately there isn't a way to do this via abstractions or configs. It would be possible to add a patch to the userspace and SRU it. This would be the quickest solution while we work on the necessary kernel changes to make the use of attach_disconnected unnecessary.
[Bug 2064096] Re: Services fail to start in noble deployed with TPM+FDE
Does the profile have the attach_disconnected flag set? Does the profile have the attach_disconnected flag set while in complain mode?

It looks to me that we are looking at open file descriptors that exist out of the current namespace. This will result in a partial unattached path that will not be allowed in complain mode. The denied path will not start with /. If the attach_disconnected flag is added, that will attach the disconnected path to the root of the current mount namespace. Which is what I believe is happening with /systemd/... vs /run/systemd/...

Unless unconfined is involved, both the ends of a socket are required to exist in the namespace for v7/v8 unix socket mediation (what is in noble). Unconfined is special in that it can delegate access to an open fd which is not generically allowed atm.

If all the above is correct then you can use the attach_disconnected.path flag to attach the accesses to disconnected fds. The full flags parameter to apparmor would then look like

```
profile example flags=(attach_disconnected attach_disconnected.path=/run/) { ... }
```

and for complain mode

```
profile example flags=(complain attach_disconnected attach_disconnected.path=/run/) { ... }
```

This of course is a less than satisfactory work around. There is work to address the above better but none of it is in noble.
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
So while I don't think we are where snapd can get rid of the snap-confine.internal snippets, with it now vendoring a more recent apparmor, a lot of these can drop away. It doesn't need to detect capabilities anymore. It can just specify

```
deny capability perfmon,
```

and it will work, for all kernels.
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
@neigin: yes the capability to resolve this exists. So now it is a matter of getting it functioning in snapd for these cases. This will get resolved, I just can't say when it will land.
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
@u-dal: thank you, though I have to say I am at a loss as to why the snap version of thunderbird is trying to access

```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```

what kind of configuration have you done? I see you are copying data from /media/lubuntu/drive/startup/ into the snap, is something in one of these a symlink into /media/lubuntu/drive/hq/email/thunderbird?

As for why this used to work and doesn't now: thunderbird, unless you opted into it (enabled the profile), was not confined. The snap thunderbird is confined and defines down to the file what thunderbird has access to. Snaps however are not under normal apparmor control, and make it somewhat hard for the user to extend what is allowed. There are a few things that can be done to work around the issue but I am still trying to understand why thunderbird is trying to access that location.

things we can do to work around this issue immediately, so you can have access to your mail

1. enable snapd prompting in the new security center (it's a flutter based application, I am not sure if lubuntu is shipping it by default). If this is a location that falls under what is allowed to prompt (I am not sure it is), snapd will prompt you about allowing the access, store your response and it will be allowed in the future.
2. reinstall thunderbird snap in dev mode
3. manually update the snap profile. There will have to be a script that recopies, and reloads, as snap can and will regenerate and reload when it refreshes.
4. uninstall the thunderbird snap and install thunderbird as a deb via the mozilla ppa. You can opt into an apparmor profile if you want, in this case you get full control over the profile.
5. disable apparmor in grub.
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
So my supposition on the overlay looks to be incorrect. Would you be willing to attach your full mount information?
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
For the thunderbird issue I have created https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
@u-dal: can you attach the overlay mount information.
[Bug 2064363] [NEW] thunderbird snap on live systems "already running" but not responsive
Public bug reported:

Moving this here from https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

snap policy on an overlay system is preventing thunderbird from running. This is related to the snapcraft forum report https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "aa-status and systemctl output"
   https://bugs.launchpad.net/bugs/2064363/+attachment/5773407/+files/comment-101.txt
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
** Attachment added: "dmesg denial output"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt
[Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive
** Attachment added: "dmesg denial output"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@u-dal: the problem with firefox (it has a snap profile and is allowed access to user namespaces) is different than with chrome (no profile loaded), but still might be apparmor related. Can you look in dmesg for apparmor denials

```
sudo dmesg | grep DENIED
```
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@u-dal: are you running in a live cd environment? Something odd is happening on your system, with some profiles loaded and systemctl reporting

```
ConditionPathExists=!/rofs/etc/apparmor.d
```
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@u-dal: This sounds like the apparmor policy is not being loaded. Can you please provide the output of

```
sudo aa-status
```

and

```
sudo systemctl status apparmor
```
[Bug 2063976] Re: Apparmor breaking nsjail in AOSP
> To clarify, this is not something that can be solved upstream in apparmor, and a profile can't be accepted due to the nature of the path location?

correct, if it is an unprivileged user writable location it can't be fixed entirely upstream. It is possible for us to ship a profile that is disabled in some way but that takes a privileged user action to enable. Eg. we could ship a profile using the xattrs attachment from above, then the user would be responsible for setting the xattr with setfattr.

packaging nsjail is an option for Ubuntu but like you said it wouldn't directly address previous versions and AOSP probably wouldn't like it.

With that said this isn't going to be an Ubuntu only restriction, the security community in general is looking at different ways of restricting unprivileged user namespaces. SELinux has picked up some ability to mediate them, but isn't really applying it in policy yet. The OSS email list (oss-secur...@lists.openwall.com) has been discussing other options as well. The number of exploit chains associated with them has forced us to start locking them down. The AppArmor solution will be available to other distros as well, it is already available upstream in the kernel and apparmor 4.0.

AppArmor side there is work on aa-notify that we are looking at SRUing. That will help desktop users if they have it installed. Where they can get a notification that will take them to a simple gui that will allow them to click enable (with a password) instead of having to know the details underneath. It won't be integrated into the security center or pretty. But a little better than the current situation for the user.
[Bug 2063976] Re: Apparmor breaking nsjail in AOSP
running privileged applications out of home is dirty. But it is the situation we are in with user namespaces and app images as well. Ubuntu will not ship a profile for a privileged executable in the users home or a writable location of an unprivileged user. As this can be leveraged to by-pass the restriction, or it requires us to expand user mediation in such a way that user writable locations with profiles defined become privileged.

Atm we are not adding additional restriction to the user. This allows the user to define a profile that allows by-passing the restriction. A user opting to create a profile in a user writable location is less dangerous as the location becomes non-standard so it becomes harder to exploit. It also requires the user to take a deliberate privileged action to add the profile.

Generally for the nsjail profile an attachment like

```
@{HOME}/android-*/prebuilts/build-tools/linux-x86/bin/nsjail
```

is slightly better, but still not great. Atm it is very close to the same, but there are improvements coming that will tighten @{HOME} to a user specific kernel variable which will be better than /**.

The other way to handle this would be setting the security xattr and using that as part of the attachment.

```
# /path/to/nsjail is a placeholder for the nsjail binary being labelled
sudo setfattr -n security.apparmor -v nsjail /path/to/nsjail
```

and define the profile as something like (you can make the path more specific if you want).

```
profile nsjail /**/nsjail xattrs=(security.apparmor="nsjail") flags=(unconfined) {
}
```
[Bug 2063976] Re: Apparmor breaking nsjail in AOSP
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the behavior of unprivileged user namespace mediation. With the unprivileged_userns profile loaded, when a user namespace is created by an unprivileged unconfined application the task will be transitioned into the unprivileged_userns profile. The unprivileged_userns profile will then deny privileged operations: capability, mount etc. Without the unprivileged_userns profile loaded, the creation of the user namespace will be denied.

Through experimentation we have learned that many applications behave better (handle the errors better, eg. qtwebkit will handle the error and fallback to using a sandbox without user namespaces while without the profile it crashes) with the unprivileged_userns loaded. So that has become the default behavior.

You can experiment with changing the behavior by manually unloading the unprivileged_userns profile using

```
sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns
```

nsjail will likely require a profile to work, please see https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues, 1.19.16 installs fine and runs, but in a degraded sandbox mode. So adding a profile for it would be beneficial.

The appimage version of Balena Etcher unfortunately fails to run. We can not provide a default profile for the appimage unless the user moves it to the default deb install location (ie. installs it to the system, instead of running it from their home dir). Users are free to add their own confinement profiles for appimages. Directions are in https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
The Wike fix is coming in the next SRU.
[Bug 2056627] Re: PHPStorm crashes when opening a project
It's not just that app images don't have a default path, we can handle that as well. It is that user namespaces have become a privileged operation, and the user must take some privileged action to allow applications to use them. That can be any of

- moving the application into a well known privileged location that has a profile already associated with it.
- creating a profile for the application where it is installed in their unprivileged location. This is currently allowed but problematic in that unprivileged code could potentially write to it and we are not currently restricting unprivileged applications from writing these locations. But that will come.
- tagging the application with the correct security label.

The important part is the user must take a privileged action to allow applications that are using user namespaces to gain privilege. Note, applications that use user namespaces that don't require privilege are allowed, it's only applications that require privilege within the user namespace.

Unfortunately appimages that use user namespaces need the user to take one of the above privileged actions. And unfortunately Ubuntu can not "fix" this without disabling the protection. There are plans to improve the user experience and make this easier for users to do, but atm it is a manual process. The instructions provided by Seth will enable you to get the appimage running.
[Bug 2063513] Re: torbrowser unusable - not accepting keyboard input
Unless there are other denials, this is not related to bug #2046844

Try adding the following rule to the torbrowser_firefox profile

```
allow rw /run/dbus/system_bus_socket,
```

and then reloading it with either

```
sudo systemctl reload apparmor
```

or by using

```
sudo apparmor_parser -r /path/to/torbrowser_firefox_profile
```

where /path/to/torbrowser_firefox_profile is likely in /etc/apparmor.d/
[Bug 2039294] Re: apparmor docker
To make this generic so that it will work on older and newer hosts we should probably change the peer expression to

```
signal (receive) peer={runc,unconfined},
```

or possibly, define an @{runc} variable in the preamble and use that. This really only is advantageous, in that it shows semantic intent, if using the value of unconfined, or if @{runc} is used multiple times within the profile.

```
@{runc}={runc,unconfined}

signal (receive) peer=@{runc},
```
[Bug 2057943] Re: Can't disable or modify snap package apparmor rules
I will note that current snap behavior is by design. Not saying that they couldn't make this easier but the snap side is functioning the way it was designed.
[Bug 2062441] Re: Apparmor breaks Joplin Desktop
unfortunately Joplin is only shipped as an appimage for Linux. Which means we can not ship a profile for it by default that will allow it to use capabilities within the unprivileged user namespace that the electron embedded browser is attempting to use. This means that the user is required to intervene to enable an electron based appimage so that it can be run. Unfortunately for 24.04 this means some manual command line based intervention, instead of using a GUI like on MacOS when a user needs to enable an application downloaded from the internet.

This change is deliberate to increase the security of Ubuntu systems, and while we will work on improving the user experience of the requirement to have the user approve applications that are using privileged kernel interfaces, there is no plan to revert this change. You can read more about this in the release notes https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890

If you look in the kernel logs (or dmesg) you will find an apparmor message similar to below showing what is causing your issue.

```
$ sudo dmesg | grep "apparmor=\"AUDIT"
[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
```

and

```
$ sudo dmesg | grep DENIED
[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21 capname="sys_admin"
```

Unfortunately unprivileged user namespaces are using privileged kernel interfaces (above protected by capability sys_admin) that have now been restricted to known applications because they have been used in a lot of exploit chains.

you can add a profile for the application by copying the profile from below into /etc/apparmor.d/ and then updating by replacing `/home/jj/Downloads/Joplin-2.14.20.AppImage` with the location you are running your joplin appimage from.

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>

profile joplin /home/jj/Downloads/Joplin-2.14.20.AppImage flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/joplin>
}
```

Once that is done you can do

```
$ sudo apparmor_parser -r /etc/apparmor.d/joplin
```

that will allow you to run joplin without having to reboot. Having the joplin profile in /etc/apparmor.d/ will ensure it is reloaded if you reboot.

** Changed in: apparmor (Ubuntu)
       Status: New => Won't Fix
[Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3
the kernel team is already rolling kernels with the fix for 2061851 but it is also building in the https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel ppa

https://bugs.launchpad.net/bugs/2061869
[Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3
This is likely a dup of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851

https://bugs.launchpad.net/bugs/2061869
[Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue
More applications will be getting confinement, on an individual level I don't think it will be everything from debs. In this case it's because it uses unprivileged user namespaces. Which is now being restricted and treated as semi-privileged because it gives access to several privileged kernel interfaces. Those privileged kernel interfaces should in theory be safe, but the reality is that they aren't. Unprivileged user namespaces are the first step in almost every kernel exploit chain for the last 7 or so years. In pwn2own last year 4 of the 5 exploits used unprivileged user namespaces. This year all 4 did, however if you turn the restriction on (present in 23.10 but not enabled by default) every one of the exploits is blocked.

The current step is far from perfect, but we are working on improving it.

https://bugs.launchpad.net/bugs/2060810
[Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue
There are vague plans, yes. The time line of it has not been scoped, but it would be something akin to what happens on macOS when you try to run a downloaded application for the first time and you have to go into their security config to allow it. The application will still be "confined" but it may not get its own individual profile and share one with others the user has downloaded.

The unconfined profiles will also get developed into full profiles. The plan is that unconfined profiles won't be a standard thing but an exception.

Another thing that is going to happen in the next upload is bwrap gets its own profile. Applications using bwrap might work through the bwrap profile. There will still be cases where they will need their own profile, but the bwrap profile will cover several cases that don't work today.

Applications that have already received an unconfined profile will continue to work that way.

https://bugs.launchpad.net/bugs/2060810
[Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue
The fix has been merged upstream in https://gitlab.com/apparmor/apparmor/-/merge_requests/1209 it will be in the next release.

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Changed in: apparmor (Ubuntu)
   Assignee: (unassigned) => John Johansen (jjohansen)

https://bugs.launchpad.net/bugs/2060767
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@arraybolt3: Answer to your question. bwrap requires capabilities within the user namespace. unshare is a little more forgiving in that what it requires depends on the options passed, but most of the options also require capabilities within the user namespace.

The potential solution I mention in comment #91 is to define a profile for bwrap that allows it capabilities within the namespace but does not allow its children capabilities within the namespace, so that bwrap and unshare can not just launch an application to by-pass the restriction. This seems to work well for unshare but there are cases where bwrap is failing in unexpected ways (which is still being debugged).

At this late stage the plan is to try to get a fix for bwrap in, but if necessary to file an SRU for the bwrap fix. So yes this is being worked on and even if the fix isn't present on day one we do plan to get it fixed.

https://bugs.launchpad.net/bugs/2046844
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined profile, as that allows for an arbitrary by-pass of the restriction. There is a potential solution in the works that will allow for bwrap and unshare to function as long as the child task does not require permissions, but at this point there are still some issues with it that are being debugged.

https://bugs.launchpad.net/bugs/2046844
[Bug 1597017] Re: mount rules grant excessive permissions
It is in the SRU queue and the current ETA is April 15 to land in the proposed pocket (archive proposed, not the security proposed ppa). There is a caveat that the recent xz backdoor has caused some "fun" on the archive side and could potentially cause some delays.

https://bugs.launchpad.net/bugs/1597017
[Bug 2060100] Re: denials from sshd in noble
Fixed by MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1196

https://bugs.launchpad.net/bugs/2060100
[Bug 2060100] [NEW] denials from sshd in noble
Public bug reported:

2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"

2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: Confirmed

** Affects: apparmor (Ubuntu Noble)
   Importance: Undecided
   Status: Confirmed

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Also affects: apparmor (Ubuntu Noble)
   Importance: Undecided
   Status: Confirmed

https://bugs.launchpad.net/bugs/2060100
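As an added example (not part of the original bug mail or of the apparmor project), the following Python parses AppArmor audit lines like the ones quoted in the Joplin comment above and in this sshd report, and sorts them into the three situations those comments describe: an unconfined program being transitioned into the unprivileged_userns profile, that program then being denied a capability inside the namespace (the case that needs its own profile with a userns rule), and an ordinary denial from a regular profile. The sample lines are copied from the comments; the situation labels and helper names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the audit lines quoted in the bug comments above
# (joplin dmesg lines, sshd bind and dbus denials) plus one unrelated line.
SAMPLE_LOG = [
    '[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"',
    '[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21 capname="sys_admin"',
    '2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"',
    '2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg=\'apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"\'',
    'Apr 18 10:00:00 host kernel: unrelated line without apparmor fields',
]

# key="quoted value" or key=bare; audit lines never nest double quotes
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_event(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AppArmor audit line, else None."""
    # type=1107 (dbus) events wrap the apparmor fields inside msg='...'
    line = line.replace("msg='", "").rstrip("'")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _FIELD.finditer(line)}
    return fields if "apparmor" in fields else None


def classify(ev: Dict[str, str]) -> str:
    """Map one event onto the situations the bug comments describe."""
    if ev["apparmor"] == "AUDIT" and ev.get("operation") == "userns_create":
        # unconfined program created a user namespace and was moved into the
        # restrictive unprivileged_userns profile; not a denial by itself
        return "userns_transition"
    if ev["apparmor"] == "DENIED" and ev.get("profile") == "unprivileged_userns":
        # it then wanted a capability inside that namespace: the case that
        # needs a dedicated profile carrying the userns rule
        return "userns_capability_denied"
    if ev["apparmor"] == "DENIED":
        return "profile_denied"  # ordinary denial from a regular profile
    return "other"


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Group 'who:what' strings per situation; non-AppArmor lines are skipped."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev is None:
            continue
        who = ev.get("comm") or ev.get("label") or ev.get("profile", "?")
        what = ev.get("capname") or ev.get("operation", "?")
        out.setdefault(classify(ev), []).append(f"{who}:{what}")
    return out
```

Feeding `sudo dmesg` or `journalctl -k` output line by line into `summarize` gives a short per-program list instead of the raw audit noise.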
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
We have an update of the firefox profile coming that supports the /opt/firefox/firefox location used as the default install for the firefox downloaded directly from mozilla.org

If you are running firefox out of your home directory, that will not be directly supported and you will need to choose to do one of the following to fix the issue.

1. The recommended way is updating the firefox profile in /etc/apparmor.d/firefox by adding the location you have firefox installed, and then reloading the profile with sudo apparmor_parser -r /etc/apparmor.d/firefox.

2. You can disable user namespaces, this will keep firefox from trying to use them as part of its sandbox https://lwn.net/Articles/673597/

3. The least recommended way to fix this is to disable the finer grained user namespace restrictions as outlined in https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

** Changed in: qmapshack (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: qutebrowser (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: rssguard (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: supercollider (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: geary (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: goldendict-webengine (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: kchmviewer (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: loupe (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: notepadqq (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: pageedit (Ubuntu)
   Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/2046844