Public bug reported:

The /etc/apparmor.d/steam profile shipped with Ubuntu 24.04 prevents Steam from
running with the error "Steam now requires user namespaces to be enabled."

The profile's comment states it "allows everything and only exists to give
the application a name instead of having the label unconfined" but it uses
flags=(complain) instead of flags=(unconfined), causing child processes like
bwrap and steam-runtime-check-requirements to be restricted.

Steps to reproduce:
1. Fresh Ubuntu 24.04 with default AppArmor configuration
2. Install Steam via apt install steam-launcher
3. Run steam
4. Observe error: "Steam now requires user namespaces to be enabled"

Verification that user namespaces work outside the profile:

  $ unshare --user --map-root-user echo "works"
  works
  $ /home/$USER/.local/share/Steam/ubuntu12_32/steam-runtime/amd64/usr/bin/steam-runtime-check-requirements --verbose
  steam-runtime-check-requirements: I: No problems detected

Verification that the steam profile blocks it:

  $ aa-exec -p steam -- /home/$USER/.local/share/Steam/ubuntu12_32/steam-runtime/amd64/usr/bin/steam-runtime-check-requirements --verbose
  steam-runtime-check-requirements: W: Child process exited with code 1: bwrap: setting up uid map: Permission denied
  Steam now requires user namespaces to be enabled.

Current broken profile:

  profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(complain) {
    userns,
    @{exec_path} mrix,
    include if exists <local/steam>
  }

Fix:

Change flags=(complain) to flags=(unconfined):

  profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) {
    userns,
    include if exists <local/steam>
  }

Then reload:

  sudo apparmor_parser -r /etc/apparmor.d/steam

Environment:
- Ubuntu 24.04
- Kernel 6.17.0-8-generic
- steam-launcher 1:1.0.0.85
- apparmor loaded with landlock, yama, apparmor, ima, evm

Notes:

The flatpak profile in the same package correctly uses flags=(unconfined).
The steam profile appears to have been intended to work the same way based on
its comment, but has the wrong flags.

** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/2137425
Title:
  Steam AppArmor profile blocks user namespaces despite claiming to be unconfined
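
An added example, not part of the original report or the apparmor package: a shell function that lists each "profile NAME" header with its flags and marks the mismatch the report describes, a comment mentioning "unconfined" on a profile whose flags do not include it. The function names and the comment wording in the sample files are assumptions; the sample profile bodies are constructed from the two quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the apparmor package).
# Prints: NAME <tab> FLAGS <tab> VERDICT <tab> FILE for every "profile NAME ..." header.
# Limitation: headers written without the "profile" keyword are skipped.
audit_profiles() {
    awk '
        FNR == 1 { claims = 0 }                      # new file: forget earlier comments
        /^[ \t]*#/ { if (tolower($0) ~ /unconfined/) claims = 1; next }
        /^[ \t]*profile[ \t]/ && /[{][ \t]*$/ {
            flags = "(none)"
            if (match($0, /flags=[(][^)]*[)]/))
                flags = substr($0, RSTART + 7, RLENGTH - 8)   # text between the parens
            padded = "," flags ","
            verdict = (claims && padded !~ /[, ]unconfined[, ]/) ? "MISMATCH" : "ok"
            printf "%s\t%s\t%s\t%s\n", $2, flags, verdict, FILENAME
        }
    ' "$@"
}

# Constructed sample input: the "before" and "after" profiles from the report,
# each preceded by a comment paraphrasing the one the report quotes.
write_samples() {
    cat > "$1/steam-before" <<'EOF'
# Allows everything and only exists to give the application a name
# instead of having the label "unconfined"
profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(complain) {
  userns,
  @{exec_path} mrix,
  include if exists <local/steam>
}
EOF
    cat > "$1/steam-after" <<'EOF'
# Allows everything and only exists to give the application a name
# instead of having the label "unconfined"
profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) {
  userns,
  include if exists <local/steam>
}
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_profiles "$tmp/steam-before" "$tmp/steam-after"
rm -rf "$tmp"
```

On a real system, pass it the profile files themselves (for example /etc/apparmor.d/steam), not the subdirectories under /etc/apparmor.d.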