Thanks for these updates. I added a few more steps to the test plan which should not be a problem to execute.
** Description changed: [ Impact ] The previous SRU (4.0.1really4.0.1-0ubuntu0.24.04.6, LP: #2143863, #2142792) removed a profile for the nautilus file browser, which broke thumbnailing due to the unprivileged userns restriction. Because the removal of the nautilus profile is cleanly separable from the other changes of that SRU, we propose specifically reverting only the profile removal without reverting the unrelated changes. However, the thumbnail generation failures are cached, necessitating the addition of a user session migration to clean up thumbnail generation failures. [ Update instructions ] The removal of cached thumbnail failures should be handled by the AppArmor package upgrade upon next login, but the following steps can be done manually if the migration script failed to run upon the next login: - Close all instances of the Nautilus file browser - Remove the ~/.cache/thumbnails/fail/gnome-thumbnail-factory directory (if it exists), along with all files within it - - Reboot + - Reboot [ Test Plan ] Before upgrading the AppArmor package: - Without using the Nautilus file browser, place an image file onto the system in a location other than the Desktop. This can be done via e.g. scp or by using a browser to download an image. - Use nautilus to open the containing directory of the image file, and verify that thumbnail generation fails. If it succeeds, the bug is not present on the system, and the system should not be used to test the update. After upgrading the AppArmor package: + - verify that the system is requesting a reboot - Reboot the system so that the migration script can be run upon next login. - Verify that the nautilus profile has been restored by running `sudo aa-status` and looking for nautilus in the list of loaded profiles. - Verify that the ~/.cache/thumbnails/fail/gnome-thumbnail-factory directory is no longer present. - Use nautilus to open the same containing directory from before, and verify that thumbnail generation succeeds. 
- - Without using the Nautilus file browser, place a different image file onto the system in a location other than the Desktop. + - Without using the Nautilus file browser, place a different image file onto the system in a location other than the Desktop. - Use nautilus to open the containing directory of the newly downloaded image file, and verify that thumbnail generation succeeds. If the newly downloaded file thumbnails successfully while the old one does not, this means that the thumbnail cache removal migration script did not run successfully, and the test plan should be considered to have failed. [ Where problems could occur ] Restoring the profile reintroduces a unprivileged userns restriction bypass, where removing this bypass was one of the goals of the original SRU, as detailed in LP: #2142792 and https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace- restriction/58007. Properly closing this bypass without breaking thumbnailing will require a subsequent SRU that removes the nautilus unconfined profile while adding a different one that allows the thumbnailer to succeed. [ Other Info ] - This is a partial revert of an SRU (4.0.1really4.0.1-0ubuntu24.04.6, LP: #2143863). While restoring the profile will fix thumbnail generation for new files, a migration script has also been added to remove the ~/.cache/thumbnails/fail/gnome-thumbnail-factory directory in order for the thumbnailer to retry the failed generation of existing thumbnails. An "Update Instructions" section has also been added above to provide manual steps if the migration script fails to run. - Nautilus uses bwrap as a sandbox when generating thumbnails, and bwrap's usage of unprivileged user namespaces was what led to the nautilus profile having been made in the first place. A specialized bwrap profile, bwrap-userns-restrict, was introduced in Plucky and later releases and has received substantial usage in production since then. 
Thus, no updates are needed for releases Questing and later, and the followup SRU mentioned above will involve removing the nautilus profile (again), adding bwrap-userns-restrict to avoid breaking thumbnailing, and testing to catch any breakage that might be caused by the introduction of bwrap-userns-restrict. ----Original bug report After a recent update of AppArmor (version 4.0.1really4.0.1-0ubuntu0.24.04.6), the AppArmor profile for Nautilus (/etc/apparmor.d/nautilus) was removed. This results in thumbnails no longer being displayed in Nautilus. **Steps to reproduce:** 1. Update AppArmor to version 4.0.1really4.0.1-0ubuntu0.24.04.6. 2. Notice that the file /etc/apparmor.d/nautilus is missing. 3. Open Nautilus: thumbnails are no longer displayed. **Temporary workaround:** Manually restore the /etc/apparmor.d/nautilus profile with the following content: --- # This profile allows everything and only exists to give the # application a name instead of having the label "unconfined" abi <abi/4.0>, include <tunables/global> profile nautilus /usr/bin/nautilus flags=(unconfined) { userns, # Site-specific additions and overrides. See local/README for details. include if exists <local/nautilus> } --- Then reload the profile with: sudo apparmor_parser -r /etc/apparmor.d/nautilus This restores thumbnail display. **Relevant logs:** - Before the update: the "nautilus" profile was present in the AppArmor profile list (see aa-status). - After the update: the profile is missing, and thumbnails no longer appear. **Impact:** This bug prevents users from seeing file previews in Nautilus, making folder navigation less efficient. **Ubuntu version:** Ubuntu 24.04 LTS **AppArmor version:** 4.0.1really4.0.1-0ubuntu0.24.04.6 ** Description changed: [ Impact ] The previous SRU (4.0.1really4.0.1-0ubuntu0.24.04.6, LP: #2143863, #2142792) removed a profile for the nautilus file browser, which broke thumbnailing due to the unprivileged userns restriction. 
Because the removal of the nautilus profile is cleanly separable from the other changes of that SRU, we propose specifically reverting only the profile removal without reverting the unrelated changes. However, the thumbnail generation failures are cached, necessitating the addition of a user session migration to clean up thumbnail generation failures. [ Update instructions ] The removal of cached thumbnail failures should be handled by the AppArmor package upgrade upon next login, but the following steps can be done manually if the migration script failed to run upon the next login: - Close all instances of the Nautilus file browser - Remove the ~/.cache/thumbnails/fail/gnome-thumbnail-factory directory (if it exists), along with all files within it - Reboot [ Test Plan ] Before upgrading the AppArmor package: - Without using the Nautilus file browser, place an image file onto the system in a location other than the Desktop. This can be done via e.g. scp or by using a browser to download an image. - Use nautilus to open the containing directory of the image file, and verify that thumbnail generation fails. If it succeeds, the bug is not present on the system, and the system should not be used to test the update. After upgrading the AppArmor package: - verify that the system is requesting a reboot - Reboot the system so that the migration script can be run upon next login. - Verify that the nautilus profile has been restored by running `sudo aa-status` and looking for nautilus in the list of loaded profiles. - Verify that the ~/.cache/thumbnails/fail/gnome-thumbnail-factory directory is no longer present. - Use nautilus to open the same containing directory from before, and verify that thumbnail generation succeeds. - Without using the Nautilus file browser, place a different image file onto the system in a location other than the Desktop. 
- Use nautilus to open the containing directory of the newly downloaded image file, and verify that thumbnail generation succeeds. + - reinstall the same apparmor update (apt install --reinstall apparmor), logout, login, and verify that this time the thumbnail failed cache directory is NOT removed, and also that there is NO reboot request (no /var/run/reb* file). If the newly downloaded file thumbnails successfully while the old one does not, this means that the thumbnail cache removal migration script did not run successfully, and the test plan should be considered to have failed. [ Where problems could occur ] Restoring the profile reintroduces a unprivileged userns restriction bypass, where removing this bypass was one of the goals of the original SRU, as detailed in LP: #2142792 and https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace- restriction/58007. Properly closing this bypass without breaking thumbnailing will require a subsequent SRU that removes the nautilus unconfined profile while adding a different one that allows the thumbnailer to succeed. [ Other Info ] - This is a partial revert of an SRU (4.0.1really4.0.1-0ubuntu24.04.6, LP: #2143863). While restoring the profile will fix thumbnail generation for new files, a migration script has also been added to remove the ~/.cache/thumbnails/fail/gnome-thumbnail-factory directory in order for the thumbnailer to retry the failed generation of existing thumbnails. An "Update Instructions" section has also been added above to provide manual steps if the migration script fails to run. - Nautilus uses bwrap as a sandbox when generating thumbnails, and bwrap's usage of unprivileged user namespaces was what led to the nautilus profile having been made in the first place. A specialized bwrap profile, bwrap-userns-restrict, was introduced in Plucky and later releases and has received substantial usage in production since then. 
Thus, no updates are needed for releases Questing and later, and the followup SRU mentioned above will involve removing the nautilus profile (again), adding bwrap-userns-restrict to avoid breaking thumbnailing, and testing to catch any breakage that might be caused by the introduction of bwrap-userns-restrict. ----Original bug report After a recent update of AppArmor (version 4.0.1really4.0.1-0ubuntu0.24.04.6), the AppArmor profile for Nautilus (/etc/apparmor.d/nautilus) was removed. This results in thumbnails no longer being displayed in Nautilus. **Steps to reproduce:** 1. Update AppArmor to version 4.0.1really4.0.1-0ubuntu0.24.04.6. 2. Notice that the file /etc/apparmor.d/nautilus is missing. 3. Open Nautilus: thumbnails are no longer displayed. **Temporary workaround:** Manually restore the /etc/apparmor.d/nautilus profile with the following content: --- # This profile allows everything and only exists to give the # application a name instead of having the label "unconfined" abi <abi/4.0>, include <tunables/global> profile nautilus /usr/bin/nautilus flags=(unconfined) { userns, # Site-specific additions and overrides. See local/README for details. include if exists <local/nautilus> } --- Then reload the profile with: sudo apparmor_parser -r /etc/apparmor.d/nautilus This restores thumbnail display. **Relevant logs:** - Before the update: the "nautilus" profile was present in the AppArmor profile list (see aa-status). - After the update: the profile is missing, and thumbnails no longer appear. **Impact:** This bug prevents users from seeing file previews in Nautilus, making folder navigation less efficient. **Ubuntu version:** Ubuntu 24.04 LTS **AppArmor version:** 4.0.1really4.0.1-0ubuntu0.24.04.6 ** Changed in: apparmor (Ubuntu Noble) Status: In Progress => Fix Committed ** Tags added: verification-needed-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/2148074 Title: "AppArmor update removes /etc/apparmor.d/nautilus profile, breaking thumbnails in Nautilus (Ubuntu 24.04)"
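Review bot: the step added to [ Test Plan ] in the first description change, "verify that the system is requesting a reboot", does not say how to check this, so two testers can reach different verdicts. Name the observable being checked, for example the presence of /var/run/reboot-required, which is the file the later added step alludes to with "/var/run/reb*".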
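Review bot: the "reinstall the same apparmor update" step added in the second description change lands between "verify that thumbnail generation succeeds." and the sentence beginning "If the newly downloaded file thumbnails successfully while the old one does not". That sentence is the failure criterion for the preceding step and now reads as if it belonged to the reinstall check, so the new step should move after it. The step also asks to verify that the failed-thumbnail cache directory "is NOT removed", but an earlier step has already verified that ~/.cache/thumbnails/fail/gnome-thumbnail-factory is no longer present, so the directory has to be recreated (or a thumbnail failure provoked) before the reinstall for this check to mean anything. Finally, replace the glob "/var/run/reb*" with the exact file being checked, which on Ubuntu is /var/run/reboot-required.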
