More applications will be getting confinement, on an individual level I
don't think it will be everything from debs. In this case its because it
uses unprivileged user namespaces. Which is now being restricted and
treated as a semi-privileged because it gives access to several
privileged kernel interfaces. Those privilege kernel interfaces should
be in theory safe, but the reality is that they aren't. Unprivileged
user namespaces are the first step in almost every kernel exploit chain
for the last 7 or so years.

In pwn2own last year 4 of the 5 exploits used unprivileged user
namespaces. This year all 4 did, however if you turn the restriction on
(present in 23.10 but not enabled by default) everyone one of the
exploits are blocked. The current step is far from perfect, but we are
working on improving it.

You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.

  Wike does not run in Ubuntu 24.04 due to apparmor issue

Status in apparmor package in Ubuntu:

Bug description:
  Wike (deb package/compiled version) does not run in Ubuntu 24.04
  possibly due to some interference between apparmor and webkit.

  $ wike

  (process:11686): Gtk-WARNING **: 02:55:41.246: Unknown key gtk-modules in 
  bwrap: setting up uid map: Permission denied

  ** (wike:11686): ERROR **: 02:55:41.837: Failed to fully launch dbus-proxy: 
Child process exited with code 1
  Trace/breakpoint trap

  A workaround is to create the file `/etc/apparmor.d/wike` with the following 
  # This profile allows everything and only exists to give the
  # application a name instead of having the label "unconfined"

  abi <abi/4.0>,
  include <tunables/global>

  profile wike /usr/bin/wike flags=(unconfined) {

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/wike>
  Then run `sudo systemctl restart apparmor.service`

  This is also reported in GitHub for Wike

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to