This is a mix of issues

1. disconnected path

The failures with info="Failed name lookup - disconnected path" are due to fusermount3 being run in a mount namespace, and trying to access fds that it does not have access to. This is likely due to flatpak's sandbox design, and its broken assumption that it can get away with doing fd passing without mediation.

We can subdivide the disconnected path issue further, into those specifying name="apparmor/.null" and the rest.

The name="apparmor/.null" ones are not the actual file access, but fds that were inherited, and passed down from a parent. To find what the actual access for these is, you will need to find the DENIED messages with operation="file_inherit".

There are a couple of disconnected path denials that are also file inherit

name="dev/null"
name="app/Cryptomator/lib/runtime/lib/modules"

I am not sure why either of these is being passed by openfd. I would expect those to be opened if needed within the container. This is not just a case of accessing these via a portal, and it passing the open fd into the container. It's a case of the parent not closing the fd for these. As such these are actually probably not a problem. Especially the dev/null one that might be on the stderr/stdout descriptors, as apparmor will replace these with access to a special null dev it controls, apparmor/.null

2. file_inherit of network

AppArmor controls access to open fds being passed into the application by a parent process under a different confinement. In this case we are looking at networking separate from the file access above. These are all open unix domain sockets to bwrap, possibly set up for portal access.

We need to investigate why bwrap would be setting these up, and what the implication is. Generally stuff like this is set up as a way to punch holes in security. Before adding those to the fusermount3 profile.

Overall it looks like we are going to have to set up some conditionals and treat fusermount3 differently when run under flatpak.
https://bugs.launchpad.net/bugs/2111205

Title:
  fusermount3 profile blocks libfuse module in flatpak
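The triage described in the comment above, sketched as an added example that is not part of the original bug comment or of AppArmor's tooling: it groups DENIED records for one profile into the categories the comment distinguishes. The sample log lines, the category names and the helper functions are constructed for illustration.

```python
import re
from collections import defaultdict

# key=value or key="quoted value" fields of a kernel audit record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not from the bug report), in the usual AppArmor audit layout.
SAMPLE_LOG = '''\
audit: type=1400 audit(1.1:10): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="mnt/vault" pid=4242 comm="fusermount3" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1.1:11): apparmor="DENIED" operation="file_perm" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=4242 comm="fusermount3" requested_mask="w" denied_mask="w"
audit: type=1400 audit(1.1:12): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="dev/null" pid=4242 comm="fusermount3" requested_mask="w" denied_mask="w"
audit: type=1400 audit(1.1:13): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=4242 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive"
audit: type=1400 audit(1.1:14): apparmor="DENIED" operation="open" class="file" profile="unrelated" name="/etc/shadow" pid=99 comm="cat" requested_mask="r" denied_mask="r"
'''

def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def classify(rec):
    """Map one DENIED record to a category from the comment above."""
    inherited = rec.get("operation") == "file_inherit"
    if inherited and rec.get("family") == "unix":
        return "inherited unix socket"        # issue 2: needs investigation
    if rec.get("name") == "apparmor/.null":
        return "apparmor/.null placeholder"   # real access is in a file_inherit record
    if inherited:
        return "inherited file fd"            # fd the parent did not close
    if "disconnected path" in rec.get("info", ""):
        return "disconnected path"            # issue 1: lookup across mount namespaces
    return "other"

def triage(log, profile="fusermount3"):
    """Group the DENIED records of one profile by category."""
    groups = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("apparmor") == "DENIED" and rec.get("profile") == profile:
            groups[classify(rec)].append(rec)
    return dict(groups)

if __name__ == "__main__":
    for category, recs in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(recs)}")
        for r in recs:
            print("   ", r.get("operation"), r.get("name") or r.get("family"), "pid", r.get("pid"))
```

Grouping by pid alongside the category makes it easier to pair each apparmor/.null record with the file_inherit denial from the same process.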
