Is this the full set of denials being reported for this failure? The reported denials seem unlikely to cause the reported problem, and are a separate issue with the confinement.
The rules indicated in comment #2 would not cause the reported denial messages. The above denials are caused by 2 unix sockets that are being setup and passed in by bwrap. It would take further investigation to figure out their purpose. AppArmor is switching those unix sockets to a special null character device, resulting in the third denial with the name="apparmor/.null" -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2120439 Title: Pika Backup fails to mount backup because of apparmor fusermount3 Status in apparmor package in Ubuntu: Confirmed Bug description: This bug has been reported by several users to Pika Backup's GitLab, and the maintainers have determined that the underlying issue is in Ubuntu's apparmor package. Here is the upstream bug report: https://gitlab.gnome.org/World/pika-backup/-/issues/613 This issue is found on Ubuntu 25.04, with apparmor 4.1.0~beta5-0ubuntu14, while running Pika Backup 0.7.4 installed using Flatpak using this command: flatpak install flathub org.gnome.World.PikaBackup When browsing an archive in Pika Backup, the operation fails with this error shown to the user: "sending file descriptor: bad file descriptor". Here are the log operations, showing that AppArmor's fusermount3 profile is causing this issue: Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:232): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=3920 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="bwrap" Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:233): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=3920 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="unpriv_bwrap" Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:234): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=3920 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 This is the workaround: sudo aa-disable /etc/apparmor.d/fusermount3 I've attached /etc/apparmor.d/fusermount3 to this bug report. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2120439/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
