Public bug reported:
The symptom is that I am no longer able to start transmission-gtk in a
separate network namespace. This worked in the past. I have been
impacted by this bug since upgrading from Ubuntu 22.04 to 24.04.
Some context: Why would someone run a torrent client in a network
namespace? It is very convenient, for example, if one wants to run torrent
traffic through a VPN tunnel while keeping the rest of the system connected
normally (without VPN).
Relevant package versions:
- transmission-gtk: 4.0.5-1build5
- apparmor: 4.0.1really4.0.1-0ubuntu0.24.04.3
How to reproduce:
1. Create a network namespace for running transmission-gtk (for the
purposes of this demonstration it does not matter that the new namespace
we create does not have any internet connectivity):
$ sudo ip netns add foo
$ sudo -E ip netns exec foo sudo -E -u $USER bash
2. Now try starting transmission-gtk in that namespace and observe
failure:
$ transmission-gtk &
[1] 2013757
(transmission-gtk:2013757): Gtk-WARNING **: 21:13:37.265: Failed to open display
[1]+ Exit 1 transmission-gtk
3. Check why it fails with strace (observe it gets "permission denied"
when trying to connect to wayland socket):
$ strace transmission-gtk
execve("/usr/bin/transmission-gtk", ["transmission-gtk"], 0x7fff327128d0 /* 67 vars */) = 0
[..]
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
connect(5, {sa_family=AF_UNIX, sun_path="/run/user/1000/wayland-0"}, 27) = -1 EACCES (Permission denied)
[..]
exit_group(1) = ?
+++ exited with 1 +++
4. Also observe messages such as the following appear in
/var/log/syslog:
2024-10-22T19:32:27.557750+03:00 XXX kernel: audit: type=1400 audit(1729614747.556:11615): apparmor="ALLOWED" operation="connect" class="file" info="Failed name lookup - disconnected path" error=-13 profile="transmission-gtk" name="run/user/1000/wayland-0" pid=1978576 comm="transmission-gt" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
5. Implement workaround (add "attach_disconnected" to apparmor profile
flags):
$ sudo sed -i 's/transmission-gtk flags=(complain)/transmission-gtk flags=(complain,attach_disconnected)/' /etc/apparmor.d/transmission
$ sudo apparmor_parser -r /etc/apparmor.d/transmission
6. Observe now it starts successfully in the same network namespace:
$ transmission-gtk &
$
I do not know what the correct way to fix this properly is. I am not familiar
enough with apparmor. According to the apparmor.d(5) manual page, the
"attach_disconnected" flag should not be used except for debugging and policy
development.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor 4.0.1really4.0.1-0ubuntu0.24.04.3
ProcVersionSignature: Ubuntu 6.8.0-45.45-generic 6.8.12
Uname: Linux 6.8.0-45-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.28.1-0ubuntu3.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: GNOME
Date: Tue Oct 22 21:06:02 2024
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-45-generic
root=/dev/mapper/vgubuntu-root ro quiet splash i8042.noaux vt.handoff=7
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: apparmor
UpgradeStatus: Upgraded to noble on 2024-08-30 (53 days ago)
modified.conffile..etc.apparmor.d.transmission: [modified]
modified.conffile..etc.init.d.apport: [modified]
mtime.conffile..etc.apparmor.d.transmission: 2024-10-22T20:45:07.247425
mtime.conffile..etc.init.d.apport: 2024-07-22T17:59:07
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug noble wayland-session
** Attachment removed: "KernLog.txt"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2085377/+attachment/5830889/+files/KernLog.txt
** Attachment removed: "Syslog.txt"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2085377/+attachment/5830893/+files/Syslog.txt
** Attachment removed: "PstreeP.txt"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2085377/+attachment/5830892/+files/PstreeP.txt
** Attachment removed: "ProcEnviron.txt"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2085377/+attachment/5830891/+files/ProcEnviron.txt
** Attachment removed: "ProcCpuinfoMinimal.txt"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2085377/+attachment/5830890/+files/ProcCpuinfoMinimal.txt
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2085377
Title:
transmission-gtk fails to start in separate network namespace
Status in apparmor package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2085377/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
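Added example (not part of the bug report and not code from the apparmor or transmission packages): a small triage helper for exactly the situation above. It parses AppArmor type=1400 audit lines such as the one quoted in the report, pulls out the events whose info field is "Failed name lookup - disconnected path", and records whether the profile was in complain mode (apparmor="ALLOWED") or enforce mode (apparmor="DENIED"). That distinction matters here: the quoted line says ALLOWED, yet connect() still returned EACCES, because the disconnected-path name lookup fails before the permission check is reached, so complain mode does not mask it. The second helper does what the reporter's sed one-liner does, adding a flag to a profile header, but handles an existing flags=(...) list of any content and a header with no flags at all, and is idempotent. The sample log lines and the sample profile are constructed for the example (modelled on the report, pids and timestamps made up); the helper assumes the profile header is a single line ending in "{". Reloading with apparmor_parser -r is still a separate step, and the apparmor.d(5) caveat about attach_disconnected being a debugging flag still applies.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the audit message quoted in the bug
# report; the second and third lines are made up to show non-matching events.
SAMPLE_LOG = """\
2024-10-22T19:32:27.557750+03:00 XXX kernel: audit: type=1400 audit(1729614747.556:11615): apparmor="ALLOWED" operation="connect" class="file" info="Failed name lookup - disconnected path" error=-13 profile="transmission-gtk" name="run/user/1000/wayland-0" pid=1978576 comm="transmission-gt" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
2024-10-22T19:33:01.000000+03:00 XXX kernel: audit: type=1400 audit(1729614781.000:11616): apparmor="DENIED" operation="open" class="file" profile="transmission-gtk" name="/etc/shadow" pid=1978576 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2024-10-22T19:33:02.000000+03:00 XXX kernel: audit: type=1400 audit(1729614782.000:11617): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="transmission-gtk" pid=2000 comm="apparmor_parser"
"""

# Constructed profile fragment (hypothetical, not the shipped /etc/apparmor.d/transmission).
SAMPLE_PROFILE = """\
abi <abi/4.0>,
include <tunables/global>

profile transmission-gtk /usr/bin/transmission-gtk flags=(complain) {
  include <abstractions/base>
  /usr/bin/transmission-gtk mr,
}
"""

DISCONNECTED_INFO = "Failed name lookup - disconnected path"

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
FLAGS_RE = re.compile(r"flags=\(([^)]*)\)")


def parse_audit_line(line):
    """Return a dict of the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


@dataclass
class DisconnectedPathEvent:
    profile: str
    path: str        # logged without a leading "/" because the path is disconnected
    operation: str
    enforced: bool   # True for apparmor="DENIED" (enforce), False for "ALLOWED" (complain)
    comm: str


def find_disconnected_path_events(log_text):
    """Extract only the events caused by a disconnected-path name lookup."""
    events = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("info") != DISCONNECTED_INFO:
            continue
        events.append(DisconnectedPathEvent(
            profile=f.get("profile", ""),
            path=f.get("name", ""),
            operation=f.get("operation", ""),
            enforced=(f.get("apparmor") == "DENIED"),
            comm=f.get("comm", ""),
        ))
    return events


def add_profile_flag(profile_text, profile_name, flag):
    """Add `flag` to the flags=(...) of the header line of `profile_name`.

    Returns (new_text, changed). Handles an existing flag list of any content
    and a header with no flags; a second run is a no-op. Assumes the header is
    one line ending in "{" (true for the profiles this example targets).
    """
    out, changed = [], False
    name_re = re.compile(r"(^|\s)" + re.escape(profile_name) + r"(\s|$)")
    for line in profile_text.splitlines(keepends=True):
        stripped = line.rstrip()
        is_header = (stripped.endswith("{")
                     and not stripped.lstrip().startswith("#")
                     and name_re.search(stripped) is not None)
        if not is_header:
            out.append(line)
            continue
        m = FLAGS_RE.search(stripped)
        if m:
            flags = [x.strip() for x in m.group(1).split(",") if x.strip()]
            if flag in flags:          # already present: leave the line untouched
                out.append(line)
                continue
            flags.append(flag)
            new = stripped[:m.start()] + "flags=(" + ",".join(flags) + ")" + stripped[m.end():]
        else:
            new = stripped[:-1].rstrip() + " flags=(" + flag + ") {"
        out.append(new + "\n")
        changed = True
    return "".join(out), changed


if __name__ == "__main__":
    for ev in find_disconnected_path_events(SAMPLE_LOG):
        mode = "enforce" if ev.enforced else "complain"
        print(f"{ev.profile}: {ev.operation} on disconnected path {ev.path!r} ({mode} mode, comm={ev.comm})")
    patched, changed = add_profile_flag(SAMPLE_PROFILE, "transmission-gtk", "attach_disconnected")
    print(patched if changed else "profile already had the flag")
```

On a real system the input would come from `journalctl -k` or /var/log/syslog, and the edited profile still has to be loaded with `sudo apparmor_parser -r` as in step 5 of the report.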