FWIW this also results in Evolution breaking on the Ubuntu MATE live
image. There are multiple bug reports about this.

If enabling the profiles is too drastic, maybe it's possible to disable
the AppArmor user namespace restrictions on the live ISO using
`echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns`
during live image boot, as described in the release notes
(https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#security-improvements).

https://bugs.launchpad.net/bugs/2065088

Title:
  AppArmor profiles allowing userns not immediately active in 24.04 live
  image

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Side issue from <https://github.com/ValveSoftware/steam-for-linux/issues/10843>.
  I saw this with Steam, but Ubuntu 24.04's AppArmor setup for Steam is quite
  simple, so I suspect that the same thing might happen for any of the other
  third-party software that needs an AppArmor profile for
  <https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844>.

  Steps to reproduce:

  1. Boot an Ubuntu 24.04 live image, in a virtual machine with lots of RAM (I gave it 8G) so that it will have enough space on the root tmpfs to install Steam. Using Debian 12's libvirt and qemu, I found that virtio graphics didn't work, and used qxl as a workaround.
  2. When prompted, choose a keyboard layout etc., and choose to "Try Ubuntu" rather than "Install Ubuntu".
  3. Open a terminal
  4. sudo dpkg --add-architecture i386
  5. sudo apt update
  6. sudo apt install steam (in this case steam is a transitional package with a dependency on steam-installer, both at version 1:1.0.0.79~ds-2)
  7. steam
  8. See a prompt warning me that Steam is proprietary binary-only software. Choose Install.
  9. See a light grey progress bar "Steam setup / Updating Steam runtime environment...". Wait.
  10. See a dark grey progress bar "Steam / Updating Steam... Downloading update (xxx of 465,450 KB)...". Wait.
  11. Dark grey progress bar becomes "Steam / Updating Steam... Extracting package...". Wait.
  12. Output in terminal shows "Restarting Steam by request...". Wait.

  Expected result:

  - /etc/apparmor.d/steam allows Steam to create new user namespaces, etc.
  - Steam starts successfully

  Actual result:

  - A dialog box with "Error / Steam now requires user namespaces to be enabled"
  - Audit log: apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=... comm="srt-bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"

  Workaround:

  - Force Ubuntu's AppArmor profile for Steam to be reloaded: sudo apparmor_parser -Tr /etc/apparmor.d/steam
  - Run steam again
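The audit line and workaround quoted in the bug report can be turned into a small triage check. The script below is an added example, not part of the bug report or of the apparmor package: it parses an audit line of the shape shown above, reports whether the denied process was running unconfined (the symptom here, since the intended profile had not been loaded), and checks a profile listing in the `name (mode)` format of /sys/kernel/security/apparmor/profiles for the profile that should have confined it. The audit line, the profile listing and the expected profile name `steam` are constructed sample inputs so that the script runs offline; on a live system you would feed it real kernel audit lines and the real profiles file.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an AppArmor userns_create
# denial and check whether the expected profile is loaded.

# Constructed audit line modelled on the one quoted in the bug report.
SAMPLE_AUDIT='apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=12345 comm="srt-bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"'

# Constructed profile listing in the "name (mode)" format assumed for
# /sys/kernel/security/apparmor/profiles. Note that "steam" is absent,
# which is the situation the bug describes.
SAMPLE_PROFILES='unprivileged_userns (enforce)
lsb_release (enforce)
firefox (enforce)'

# audit_field LINE KEY: print the value of KEY="value" from one audit line.
# A leading space is prepended so the first key matches the same pattern.
audit_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# is_userns_denial LINE: succeed if LINE is an AppArmor userns_create denial.
is_userns_denial() {
    [ "$(audit_field "$1" apparmor)" = "DENIED" ] &&
    [ "$(audit_field "$1" operation)" = "userns_create" ]
}

# profile_loaded NAME LISTING: succeed if NAME appears in the profile listing.
profile_loaded() {
    printf '%s\n' "$2" | grep -q "^$1 ("
}

# triage LINE LISTING EXPECTED_PROFILE: print a one-word verdict.
#   not-userns-denial : the line is something else
#   confined-denial   : the process was confined but still denied
#   profile-loaded    : unconfined, but EXPECTED_PROFILE is loaded (not attached)
#   profile-missing   : unconfined and EXPECTED_PROFILE is not loaded; this is
#                       the case the report's apparmor_parser -Tr workaround fixes
triage() {
    if ! is_userns_denial "$1"; then
        echo "not-userns-denial"
    elif [ "$(audit_field "$1" profile)" != "unconfined" ]; then
        echo "confined-denial"
    elif profile_loaded "$3" "$2"; then
        echo "profile-loaded"
    else
        echo "profile-missing"
    fi
}

# Stand-alone run over the constructed sample.
if [ "${TRIAGE_DEMO:-1}" = "1" ]; then
    echo "comm=$(audit_field "$SAMPLE_AUDIT" comm) target=$(audit_field "$SAMPLE_AUDIT" target)"
    echo "verdict=$(triage "$SAMPLE_AUDIT" "$SAMPLE_PROFILES" steam)"
fi
```

On a real 24.04 system the listing would come from `cat /sys/kernel/security/apparmor/profiles` and the audit lines from the kernel log; a `profile-missing` verdict is the condition under which reloading the profile with `apparmor_parser -Tr`, as the report's workaround does, is the relevant fix.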
