[Bug 2148075] Re: Nautilus incorrectly marks thumbnails as failed although thumbnailers work correctly

Mon, 13 Apr 2026 05:10:53 -0700 

They're the same root issue. The security team are closing a potential
for a bypass by removing these profiles.

According to the documentation[1], the correct approach is install the
bwrap-userns-restrict profile. I downloaded it from [2], but there's
warnings in the upstream docs that this profile isn't production ready
and could break other software (like Flatpak), but I verified at least
it restores Nautilus thumbnailing,

sudo cp bwrap-userns-restrict /etc/apparmor.d/bwrap-userns-restrict
sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict

DING looks like it simply restored the original profile, which as I
understand reintroduces the potential for a security bypass[3]. It's not
recommended, but the same could be done for Nautilus as another
workaround,

cat <<EOF | sudo tee /etc/apparmor.d/nautilus
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile nautilus /usr/bin/nautilus flags=(unconfined) {
  userns,
  # Site-specific additions and overrides.  See local/README for details.
  include if exists <local/nautilus>
}
EOF
sudo apparmor_parser -r /etc/apparmor.d/nautilus

Of course, this undoes the security fix, which is why I wouldn't
recommend doing that.

I've asked for advice on what the right fix is for this regression is in
the meantime[4].

Thank you for the report.

[1] 
https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
[2] 
https://gitlab.com/apparmor/apparmor/-/raw/1979af7710d0f38db6680bd7c19c80902f11f969/profiles/apparmor/profiles/extras/bwrap-userns-restrict
[3] 
https://salsa.debian.org/gnome-team/shell-extensions/gnome-shell-extension-desktop-icons-ng/-/merge_requests/4
[4] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2142792/comments/6

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to nautilus in Ubuntu.
https://bugs.launchpad.net/bugs/2148075

Title:
  Nautilus incorrectly marks thumbnails as failed although thumbnailers
  work correctly

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/2148075/+subscriptions


-- 
desktop-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs

Reply via email to