[Touch-packages] [Bug 2051454] Re: pipewire wireplumber can not detect the sound output device when using an unofficial linux kernel

2024-01-28 Thread John Johansen
A slightly revised version of this kernel should be showing up in the
Ubuntu unstable kernel builds this week.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2051454

Title:
  pipewire wireplumber can not detect the sound output device  when
  using an unofficial linux kernel

Status in apparmor package in Ubuntu:
  Confirmed
Status in pipewire package in Ubuntu:
  Confirmed
Status in wireplumber package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 24.04 noble

  I tested on Kernel-6.7.2, 6.7.1, 6.6.8, don't work.

  relating service status:
   
  gsd-media-keys[6441]: gvc_mixer_card_get_index: assertion 'GVC_IS_MIXER_CARD (card)' failed

  pipewire-pulse[5768]: mod.protocol-pulse: client 0x5e701af4f9a0 [Mutter]: ERROR command:-1 (invalid) tag:418 error:25 (Input/output error)
  pipewire-pulse[5768]: mod.protocol-pulse: client 0x5e701af4f9a0 [Mutter]: ERROR command:-1 (invalid) tag:426 error:25 (Input/output error)
  pipewire-pulse[5298]: default: snap_get_audio_permissions: failed to get the AppArmor info.

  wireplumber[61568]:  si-standard-link: in/out items are not valid anymore
  wireplumber[61568]:  2 of 2 PipeWire links failed to activate

  It's worked on kernel linux-image-6.5.0-14-generic.

  I built the same version 1.0.1 from the
  https://gitlab.freedesktop.org/pipewire source code. The sound card
  can be detected normally and shown in the gnome setting.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2051454/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-02-02 Thread John Johansen
We have found that allowing the user namespace creation, and then
denying capabilities is in general handled much better by KDE. In the
case of the plasmashell and the browser widget, denying the creation of
the user namespace would cause a crash with a SIGTRAP backtrace, where
allowing the creation of the userns and then denying capabilities within
the user namespace would result in the browser widget falling back to a
sandbox that didn't use user namespaces, not ideal but better than a
crash. To make sure the widget was using the full sandbox we gave it a
profile (see QtWebEngineProcess in /etc/apparmor.d/plasmashell).

The apparmor package is adding a base set of profiles, including one for
the plasmashell and the unprivileged_userns profile.

We are willing to carry profiles in the apparmor package but are also
happy for other packages to carry them. Generally speaking, having the
profile carried in the package means it's easier for the package
maintainer to update the profile, if that is something the package
maintainer is willing to do.

We are more than willing to take in profiles and patches to profiles, or
allow a maintainer to claim some profiles and move them out of the
apparmor package. Whatever is best for the maintainer.

AppArmor does have a second set of profiles that are not installed by
default in the apparmor-profiles package. These profiles once installed
are not enabled by default but must be selectively enabled by the user.
If you are looking for a broader set of profiles as a base to start from
there is also the apparmor.d project
https://github.com/roddhjav/apparmor.d. They aren't tuned for Ubuntu but
they can be a good starting point if a profile is needed.


Note: the current apparmor package doesn't allow you to specify the userns 
transition in policy. A new version of the apparmor package is coming that will 
allow it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Confirmed
Status in angelfish package in Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Confirmed
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Confirmed
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Confirmed
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Confirmed
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kiwix package in Ubuntu:
  Confirmed
Status in konqueror package in Ubuntu:
  Confirmed
Status in kontact package in Ubuntu:
  Confirmed
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Confirmed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2052489] Re: Mate Daily Graphic Layer does not come up - apparmor denied snap desktop integration

2024-02-05 Thread John Johansen
Note: snap now vendors apparmor so reinstalling/removing the system
apparmor package will not affect snapd's use of apparmor.

You can temporarily (for the boot) disable apparmor in the grub command
line by adding apparmor=0 to the kernel parameters.

From the logs the following adjustments need to be done to snap policy;
after fixing these, new denials may be encountered.

The firefox denial is weird, and I have to ask why is root trying to run 
firefox. The likely culprits are
/snap/snapd/20671/usr/lib/snapd/snap-confine and 
snap.snapd-desktop-integration.snapd-desktop-integration.

Can you try copying these profiles out of
/var/lib/snapd/apparmor/profiles/, modifying them by putting
flags=(complain) in the profile header, and then reloading them with
sudo apparmor_parser -r profile.file? This will temporarily place these
profiles in dev mode and, if they are the source of the problem, allow the
graphics layer to come up.


profile snap-update-ns.firefox
   /usr/local/share/  r,   # owner root, fsuid root


profile /snap/snapd/20671/usr/lib/snapd/snap-confine
   capability net_admin,
   capability perfmon,

profile snap.snapd-desktop-integration.snapd-desktop-integration
   /etc/gnutls/config  r,   # owner root, fsuid 1000
   /etc/gnutls/config  r,   # owner root, fsuid 1000

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052489

Title:
  Mate Daily Graphic Layer does not come up - apparmor denied snap
  desktop integration

Status in apparmor package in Ubuntu:
  New

Bug description:
  Noble Mate Daily 20230205 ISO

  Boots up past Splash to black screen. Last errors in logs are about
  apparmor denied on snap desktop integration...

  So the graphics layer is being denied because of an apparmor error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2052489/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
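
The header edit described in the message above (copy the profile, put flags=(complain) in its header, reload), as an added example that is not part of the original message and not snapd or AppArmor code. The profile text is a constructed sample, the function name is hypothetical, and only top-level, single-line headers are handled.

```python
import re
import sys

# Profile modes are mutually exclusive, so an existing mode flag is replaced.
MODE_FLAGS = {"enforce", "complain", "kill", "unconfined"}

# One-line, top-level header: "profile NAME ... {" or a bare path attachment
# "/path/to/binary ... {", optionally carrying "flags=(...)" or just "(...)".
HEADER_RE = re.compile(
    r"^(?P<head>(?:profile\s+|/)\S.*?)"
    r"(?:\s+(?:flags=)?\((?P<flags>[^)]*)\))?"
    r"\s*\{\s*$")

# Constructed sample, shaped like a snap-generated profile file.
CONSTRUCTED_PROFILE = '''\
# constructed sample, not a real snapd profile
#include <tunables/global>

profile "snap.example.app" flags=(attach_disconnected,mediate_deleted) {
  /etc/gnutls/config r,
}

/usr/lib/example/helper (attach_disconnected) {
  capability net_admin,
}

profile example-update-ns {
  /usr/local/share/ r,
}
'''


def set_complain(profile_text):
    """Return (new_text, headers_changed) with complain mode on every header."""
    out, changed = [], 0
    for line in profile_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # Keep non-mode flags (attach_disconnected, ...) and add complain.
            flags = [f for f in re.split(r"[,\s]+", m.group("flags") or "")
                     if f and f not in MODE_FLAGS]
            flags.append("complain")
            new = f'{m.group("head")} flags=({",".join(flags)}) {{'
            if new != line:
                changed += 1
            line = new
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    # Usage: python3 set_complain.py COPY_OF_PROFILE > profile.file
    # then reload as in the message: sudo apparmor_parser -r profile.file
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = CONSTRUCTED_PROFILE
    new_text, n = set_complain(text)
    sys.stdout.write(new_text)
    print(f"{n} profile header(s) changed", file=sys.stderr)
```

Work on a copy outside /var/lib/snapd/apparmor/profiles/, since snapd regenerates the files there.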


[Touch-packages] [Bug 2052557] [NEW] EXEC_MODE under prompting does not do profile transitions correctly

2024-02-06 Thread John Johansen
Public bug reported:

When a prompt rule specifies an exec transition, the transition is
not handled correctly in several cases, resulting in denials even if the
prompt is allowed.

When prompting is triggered by the prompt flag, the behavior depends on
whether an exec rule is matched (behavior becomes the same as the above
prompt rule), or there is no matching exec rule.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  When a prompt rule that specifies an exec transition. The transition is
  not handled correctly in several cases. Resulting in denials even if the
  prompt is allowed.
+ 
+ When prompting is triggered by the prompt flag, the behavior depends if
+ an exec rule is matched (behavior becomes the same as the above prompt
+ rule), or if there is no matching exec rule.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052557

Title:
  EXEC_MODE under prompting does not do profile transitions correctly

Status in apparmor package in Ubuntu:
  New

Bug description:
  When a prompt rule specifies an exec transition, the transition
  is not handled correctly in several cases, resulting in denials even
  if the prompt is allowed.

  When prompting is triggered by the prompt flag, the behavior depends
  on whether an exec rule is matched (behavior becomes the same as the
  above prompt rule), or there is no matching exec rule.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2052557/+subscriptions




[Touch-packages] [Bug 2052558] [NEW] prompting does not allow userspace to specify the execmode or target profile

2024-02-06 Thread John Johansen
Public bug reported:

Currently the prompting interface does not allow userspace to specify
the execmode to use, even if there is no matching exec rule in policy
(case caused by prompt flag).

Nor does it allow specifying the target profile (needed for certain exec
modes).

It also does not allow overriding of the mode like it allows for other
permissions.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052558

Title:
  prompting does not allow userspace to specify the execmode or target
  profile

Status in apparmor package in Ubuntu:
  New

Bug description:
  Currently the prompting interface does not allow userspace to specify
  the execmode to use, even if there is no matching exec rule in policy
  (case caused by prompt flag).

  Nor does it allow specifying the target profile (needed for certain
  exec modes).

  It also does not allow overriding of the mode like it allows for other
  permissions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2052558/+subscriptions




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-02-08 Thread John Johansen
So the answer is it depends on how they are using unprivileged user
namespaces and how they react to them being denied; not every
application needs to be patched separately.

Generally speaking gnome has been better tested than KDE has, because
gnome, being the Ubuntu default, saw a lot more opt-in testing in Lunar
and Mantic. There are also some differences in how gnome and KDE handle
their respective use of their respective browser components that have
made KDE currently require more direct patching.

We do have some improvements coming down the pipes that will make it
easier to have a few more generic profiles to cover different use
patterns. E.g. not all uses of user namespaces set up mappings for the
user; some will fall back to a degraded sandbox if an unprivileged user
namespace isn't available while others will refuse to function.

Scarlett is doing excellent work within the current limitations. That
work will continue to function once the improvements have landed, but it
is likely you will see refinements on the current work once those
improvements are available.

In general developers are going to have to become aware that user
namespaces are going to be more restricted going forward, as it's not
just Canonical/apparmor pushing on this but SELinux, and likely other
LSMs as well in the future. E.g. I have seen BPF LSM using this, and I
expect to see some work on the smack side, because the original LSM hook
proposals for user namespace mediation came out of some work they did.

As for Gnome devs being aware of this bug, yes some are but it has not
atm been a major issue for them. Long term I expect both KDE and gnome
to take this as a policy issue for the respective LSMs, except when it
surfaces code bugs, like some of their library code failing to check if
clone/unshare failed, leading to a crash.

Fixing policy to deal with how applications, gnome and KDE use user
namespaces will be largely an upstream LSM, or distro problem.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Fix Released
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  In Progress
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  In Progress
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  In Progress
Status in konqueror package in Ubuntu:
  In Progress
Status in kontact package in Ubuntu:
  In Progress
Status in marble package in Ubuntu:
  In Progress
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-02-08 Thread John Johansen
One more addition: the current state of how unconfined deals with
unprivileged user namespaces is a temporary limitation. The
aforementioned improvement will allow for more customization at the policy
level. The current fixed behavior will be the default.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Fix Released
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  In Progress
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  In Progress
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  In Progress
Status in konqueror package in Ubuntu:
  In Progress
Status in kontact package in Ubuntu:
  In Progress
Status in marble package in Ubuntu:
  In Progress
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions




[Touch-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2024-02-09 Thread John Johansen
Responding to @intrigeri (sorry this got lost somehow).

tldr: yes we are basically on the same page.

AppArmor does not fit into the 1400 range formats; every one of our
messages has some custom fields. Some of them could be
reformatted/reworked to share more, but we would still need custom
fields.

Our message fields are in the common name=value format. So in that sense
they do fit in.

Kernel side this is fairly easy: we use common lsm_audit for the
messages we share in common, and the code provides a callback to add your
own fields. Basically all that is needed is a patch to allow different
number ranges to be used.

Userspace there needs to be some patching so LSM specific fields are
known about.

Whether it is best to allocate new fields in a single number (say 1500),
with no fixed number of fields to output, or it is better to split into a
range based on message type, I am not picky. When 1500 was taken away
from us I think it was 1500-1505 that we used, but expect we wouldn't
use the same mappings today if we had a choice.

So we have the generic audit type that is carried { audit, allowed,
denied, killed, prompt, hint, status, error }

this could be carried as a common field, or we could use an allocated block
for

we have rule class, which is another way things are broken down; it's
things like { file, cap, network, dbus, ...} and there are currently about
25 of them.

Common fields that can occur within apparmor messages { operation, info,
error, namespace, profile, label }; some fields aren't output if not
needed. E.g. if we are auditing an access to, say, /etc/shadow that is
allowed but that we want an audit trail for, error won't be output; if
it's a system status message that is not generated by a profile's rule
set, profile= won't be used. This set does not lend itself to an audit
range as they each take on basically a string value.


Then within a given class there is a set of fields; some of them are shared by
several classes, but not all, and there are some that are only used by a single
class. Some examples would be: most mediation classes share requested= and
denied=, and the values are class dependent, even though those may be shared by
a subset of classes.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1117804

Title:
  ausearch doesn't show AppArmor denial messages

Status in AppArmor:
  Confirmed
Status in audit package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  The following command should display all AVC denials:

  ausearch -m avc

  However, it doesn't work with AppArmor denials. Here's a quick test
  case to generate a denial, search for it with ausearch, and see that
  no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  

  ausearch claims that there are no matches, but there's a matching
  audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
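
The name=value layout described in the message above, as an added example that is not part of the original message and not AppArmor or audit code: a parser that splits a record into the generic audit type, the common fields and the remaining class-specific fields. The first sample is the record quoted in the bug description; the other two samples, the hex decoding of bare name=/comm= values and the function names are assumptions of this example.

```python
import re

# Generic audit types and common fields, as enumerated in the message above.
AUDIT_TYPES = {"AUDIT", "ALLOWED", "DENIED", "KILLED",
               "PROMPT", "HINT", "STATUS", "ERROR"}
COMMON_FIELDS = ("operation", "info", "error", "namespace", "profile", "label")

# Assumption: these fields hold untrusted strings, which are logged as bare
# hex (no quotes) when they contain spaces or other special characters.
HEX_ENCODABLE = {"name", "comm"}

# Matches both the auditd form ("type=AVC msg=audit(...)") and the kernel
# log form ("audit: type=1400 audit(...)").
HEADER_RE = re.compile(
    r"type=(?P<type>\S+)\s+(?:msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r"\s*(?P<body>.*)", re.S)
FIELD_RE = re.compile(r'([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Record quoted in the bug description on this page.
PAGE_RECORD = (
    'type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" '
    'operation="open" parent=8253 profile="/usr/sbin/tcpdump" '
    'name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=1000')
# Constructed samples: a hex-encoded name= and a kernel-log style record.
CONSTRUCTED_HEX_RECORD = (
    'type=AVC msg=audit(1707400000.123:912): apparmor="ALLOWED" '
    'operation="open" profile="snap.example.app" '
    'name=2F746D702F6120622E747874 pid=4242 comm="cat" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0')
CONSTRUCTED_KERNEL_RECORD = (
    'audit: type=1400 audit(1707400001.500:77): apparmor="DENIED" '
    'operation="capable" class="cap" profile="snap.example.app" pid=4243 '
    'comm="example" capability=12 capname="net_admin"')


def _decode(key, quoted, bare):
    """Quoted values are literal; bare values of untrusted fields are hex."""
    if quoted is not None:
        return quoted
    if key in HEX_ENCODABLE and HEX_RE.fullmatch(bare):
        return bytes.fromhex(bare).decode("utf-8", errors="replace")
    return bare


def parse_apparmor_record(line):
    """Return a dict for an AppArmor audit record, or None for anything else."""
    # Collapse whitespace so a record wrapped across lines parses as one.
    m = HEADER_RE.search(" ".join(line.split()))
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("body")):
        key = fm.group(1)
        fields.setdefault(key, _decode(key, fm.group(2), fm.group(3)))
    audit_type = fields.pop("apparmor", None)
    if audit_type not in AUDIT_TYPES:
        return None  # no apparmor= field: not an AppArmor record
    common = {k: fields.pop(k) for k in COMMON_FIELDS if k in fields}
    return {
        "record_type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "audit_type": audit_type,
        "common": common,
        "class_fields": fields,  # whatever is left is class specific
    }


def denials_by_profile(lines):
    """Count DENIED records per profile; records without profile= use None."""
    counts = {}
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec and rec["audit_type"] == "DENIED":
            key = rec["common"].get("profile")
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in (PAGE_RECORD, CONSTRUCTED_HEX_RECORD, CONSTRUCTED_KERNEL_RECORD):
        print(parse_apparmor_record(sample))
    print(denials_by_profile([PAGE_RECORD, CONSTRUCTED_HEX_RECORD,
                              CONSTRUCTED_KERNEL_RECORD]))
```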


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-02-13 Thread John Johansen
Erich,

yes the archive version is based on the ppa, with a couple small fixes
in the packaging. The ppa is going to get updated based on the new archive
version + a few more patches.

Do you have some higher priority electron apps that you can point us at?
We will look into the Visual Studio and Element Desktop debs. Please keep
adding applications to the list. We want to cover as many out of tree
applications as we can.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Fix Released
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kgeotag package in Ubuntu:
  Confirmed
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  In Progress
Status in kontact package in Ubuntu:
  In Progress
Status in marble package in Ubuntu:
  In Progress
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-02-14 Thread John Johansen
So appimages are interesting. They don't all need a profile. I have run
several that are not using user namespaces, or only need to be able to
create the user namespace and don't need capabilities, so the default
unprivileged_userns profile works for them.

It is applications that need privileges within their namespace that are
problematic.

Right now no matter what we do, we are stuck with less than satisfactory
solutions. The user must physically intervene in some way to make it so
the application can run.

I see basically 3 options.

1. Just have the user fix manually, a really bad experience.
2. Seth's suggestion of creating a small script to create a template profile
3. have a default profile already loaded as part of the base set and go with 
the security label approach. ie. tag the appimage with an apparmor security 
xattr.

Neither 2 nor 3 can determine the set of needed capabilities in advance,
but the current approach is to just grant the capabilities (unconfined
mode); we will be able to restrict that better in 24.10 but there just
isn't time to land the improved capabilities work for 24.04.

Approach 1 could address the capabilities but, that is an awful lot of
pain to put on the user.

All approaches will require the user to have access to sudo because loading
profiles and creating the security xattr are privileged operations.

If aa-notify is installed we could alert the user, and give them
directions to a document explaining what to do. This would require some
work to seed aa-notify by default (would have to be approved by the
different flavors). To make this more amenable we could add a new
mode/default filter that only notifies for user namespace denials. This
is a small chunk of work that could be achieved in the next two weeks.


The long term goal is to create a behavior similar to what the mac is doing 
with downloaded applications. The unknown application will create a prompt and 
the user will need to go to the security center to enable it.

As for restraints on appimages, I wouldn't bother for 24.04, there just
isn't time. This side of things will get improvements as well. These
template profiles are just a start and are to get fleshed out in the
future. Prompting the user for certain accesses etc is coming in the
future as well. For now let's just focus on the basics of getting
applications to work.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Fix Released
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kgeotag package in Ubuntu:
  In Progress
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in plasma-welcome package in Ubuntu:
  In Progress
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epipha
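
The comment above suggests a notification mode that only reports user namespace denials. The following is an added example, not aa-notify's code and not part of the bug report, showing that filter over constructed audit lines; the field layout follows kernel AppArmor audit records, and the sample values and helper names are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not from the bug report), modelled on kernel
# AppArmor audit lines. Only the first two concern user namespaces.
SAMPLE_LOG = [
    'kernel: audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" '
    'operation="userns_create" class="namespace" '
    'info="Userns create restricted - failed to find unprivileged_userns profile" '
    'error=-13 profile="unconfined" pid=4101 comm="bwrap" '
    'requested="userns_create" denied="userns_create"',
    'kernel: audit: type=1400 audit(1700000001.202:12): apparmor="DENIED" '
    'operation="capable" class="cap" profile="unprivileged_userns" '
    'pid=4150 comm="example-app" capability=21 capname="sys_admin"',
    'kernel: audit: type=1400 audit(1700000002.303:13): apparmor="DENIED" '
    'operation="open" class="file" profile="/usr/bin/example" '
    'name="/etc/example.conf" pid=4200 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'kernel: audit: type=1400 audit(1700000003.404:14): apparmor="ALLOWED" '
    'operation="userns_create" class="namespace" profile="example-complain" '
    'pid=4300 comm="example2" requested="userns_create" denied="userns_create"',
    'systemd[1]: Started example.service',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def classify(rec):
    """Return a reason string for a user-namespace-related denial, else None."""
    if rec.get("apparmor") != "DENIED":
        return None  # ALLOWED/AUDIT records are not denials
    if rec.get("operation") == "userns_create":
        return "userns_create"
    # Assumption: a task that was moved into the unprivileged_userns profile
    # shows up as capability denials under that profile name.
    if (rec.get("profile") == "unprivileged_userns"
            and rec.get("operation") == "capable"):
        return "capability:" + rec.get("capname", "?")
    return None


def userns_denials(lines):
    """Keep only the denials that relate to user namespace restrictions."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append({
                "comm": rec.get("comm", "?"),
                "pid": int(rec.get("pid", 0)),
                "reason": reason,
            })
    return hits


def summarize(hits):
    """Count denials per (command, reason) so repeated crashes collapse."""
    return Counter((h["comm"], h["reason"]) for h in hits)


if __name__ == "__main__":
    for (comm, reason), count in summarize(userns_denials(SAMPLE_LOG)).items():
        print(f"{comm}: {reason} x{count}")
```
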

[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-02-15 Thread John Johansen
** Changed in: steam (Ubuntu)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Fix Released
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kgeotag package in Ubuntu:
  In Progress
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in plasma-welcome package in Ubuntu:
  In Progress
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Committed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2052489] Re: Mate Daily Graphic Layer does not come up - apparmor denied snap desktop integration

2024-02-18 Thread John Johansen
Changed apparmor task to invalid as lightdm is broken with apparmor
disabled (apparmor=0). We can change status if apparmor is a problem
after the current lightdm issue is fixed.


** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052489

Title:
  Mate Daily Graphic Layer does not come up - apparmor denied snap
  desktop integration

Status in apparmor package in Ubuntu:
  Invalid
Status in lightdm package in Ubuntu:
  New

Bug description:
  Noble Mate Daily 20230205 ISO

  Boots up past Splash to black screen. Last errors in logs are about
  apparmor denied on snap desktop integration...

  So the graphics layer is being denied because of an apparmor error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2052489/+subscriptions




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-06 Thread John Johansen
This is part of the alpha4 release in noble

** Changed in: kdeplasma-addons (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  New
Status in freecad package in Ubuntu:
  Confirmed
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Committed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-06 Thread John Johansen
This is part of the apparmor alpha4 release in noble


** Changed in: plasma-desktop (Ubuntu)
   Status: Confirmed => Fix Released


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-06 Thread John Johansen
@scarlet I think it is fair to mark these as Fixed released as they are
part of apparmor-alpha4 that is in noble.


[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
Captured output of QRT test run on updated noble using Linux
6.8.0-11-generic #11-Ubuntu kernel and 4.0.0~beta2-0ubuntu3


** Attachment added: "Captured output of QRT test run"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+attachment/5753923/+files/qrt.output

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title:
  [FFe] AppArmor 4.0-beta2 + prompting support for noble

Status in apparmor package in Ubuntu:
  New

Bug description:
  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1
  from landing pre feature freeze.

  Landing AppArmor 4.0-beta's will enable us to more easily track
  upstream bug fixes, and is needed to support network rules in
  prompting. The addition of the prompting patch on top of AppArmor 4.0
  is required to support snapd prompting in general for both file and
  network rules. Currently the prompting patch is not part of the
  upstream release but is part of the vendored apparmor in snapd. In
  order for snapd to be able to vendor the noble release of apparmor
  it requires support for prompting. The prompting patch is a straight
  rebase to AppArmor 4.0 of the patch that has been in testing in snapd
  prompting for more than six months.

  Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

  Beta1 added three additional features that were not present in alpha4
  (current Noble).
  • support for fine grained (address based) IPv4 and IPv6 mediation
    (required for prompting to support networking).
  • aa-notify support message filters to reduce notifications
  • aa-logprof/genprof support for mount rules

  None of these features affect existing policy, which will continue to
  function under the abi that it was developed under. This can be seen
  in the regression testing below.

  In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
  several bug fixes; the most important are highlighted below with the
  full list available in the upstream release notes, available at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1
  and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

  • new unconfined profiles in support of unprivileged user namespace mediation
    https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)

  
  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  The output of a test run is in the attached qrt.output file, of which
  the summary is below:
  Ran 62 tests in 811.542s

  OK (skipped=3)

  The changelog is available here
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+subscriptions




[Touch-packages] [Bug 2056496] [NEW] [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
Public bug reported:

AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
landing pre feature freeze.

Landing AppArmor 4.0-beta's will enable us to more easily track upstream
bug fixes, and is needed to support network rules in prompting. The
addition of the prompting patch on top of AppArmor 4.0 is required to
support snapd prompting in general for both file and network rules.
Currently the prompting patch is not part of the upstream release but is
part of the vendored apparmor in snapd. In order for snapd to be able
to vendor the noble release of apparmor it requires support for
prompting. The prompting patch is a straight rebase to AppArmor 4.0 of
the patch that has been in testing in snapd prompting for more than six
months.

Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

Beta1 added three additional features that were not present in alpha4
(current Noble).
• support for fine grained (address based) IPv4 and IPv6 mediation
  (required for prompting to support networking).
• aa-notify support message filters to reduce notifications
• aa-logprof/genprof support for mount rules

None of these features affect existing policy, which will continue to
function under the abi that it was developed under. This can be seen in
the regression testing below.

In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
several bug fixes; the most important are highlighted below with the full
list available in the upstream release notes, available at
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

• new unconfined profiles in support of unprivileged user namespace mediation
  https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
• fix policy generation for non-af_inet rules (MR:1175)
• Fix race when reading proc files (AABUG:355, MR:1157)
• handle unprivileged_userns transition in userns tests (MR:1146)
• fix usr-merge failures on exec and regex tests (MR:1146)


This proposed change has been tested via the QA Regression Testing project,
in particular with the specific test added in
https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d


The output of a test run is in the attached qrt.output file, of which the
summary is below:
Ran 62 tests in 811.542s

OK (skipped=3)


The changelog is available here
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

The prepared package is available via the ppa
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New


[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
** Description changed:

  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
  landing pre feature freeze.
  
  Landing AppArmor 4.0-beta's will enable us to more easily track upstream
  bug fixes, and is needed to support network rules in prompting. The
  addition of the prompting patch on top of AppArmor 4.0 is required to
  support snapd prompting in general for both file and network rules.
  Currently the prompting patch is not part of the upstream release but is
  part of the vendored apparmor in snapd. In ordered for snapd to be able
  to vendor the noble release of apparmor it requires support for
  prompting. The prompting patch is a straight rebase to AppArmor 4.0 of
  the patch that has been in testing in snapd prompting for more than six
  months.
  
  Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version
  
  Beta1 added three additional features that were not present in alpha4 
(current Noble).
  • support for fine grained (address based) IPv4 and IPv6 mediation (required 
for prompting to support networking).
  • aa-notify support message filters to reduce notifications
  • aa-logprof/genprof support for mount rules
  
  None of these features affect existing policy, which will continue to
  function under the abi that it was developed under. This can be seen in
  the regression testing below.
  
  I addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
  several bug fixes the most important are highlighted below with the full
  list available in the upstream release notes, available at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2
  
  • new unconfined profiles in support of unprivileged user namespace mediation 
 
https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautalus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)
  
- 
- This proposed change has been tested via the QA Regression Testing project, 
in particular with the specific test added in 
https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d
- 
+ This proposed change has been tested via the QA Regression Testing
+ project, in particular with the specific test added in
+ https://git.launchpad.net/qa-regression-
+ testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d
  
  The output of a test run is in the attached qrt.output file. Of which the 
summary is below
- Ran 62 tests in 811.542s
+ Ran 62 tests in 811.542s
  
- OK (skipped=3)
+ OK (skipped=3)
  
+ apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of 
March 7) noble systems. Reboot tests have been done, as well as booting in
+ to different kernel versions.
+6.8.0-11-generic #11-Ubuntu
+6.5.0-14-generic #14-Ubuntu
+6.7.0 (custom build)
+6.8-rc3 (custom build)
  
  The changelog is available here
  
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes
  
  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe
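
Review bot: in the added testing paragraph, the four kernel versions are listed with reboot testing only, and the QRT summary above it (62 tests, 3 skipped) is not tied to any of them, so it is unclear which kernel that run covers. Suggest naming the kernel next to the summary. Also, the rewrapped "+" lines split the qa-regression-testing commit URL after "qa-regression-", so the link no longer works when copied; keep it on one line.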


[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-07 Thread John Johansen
** Description changed:

  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from
  landing pre feature freeze.
  
  Landing AppArmor 4.0-beta's will enable us to more easily track upstream
  bug fixes, and is needed to support network rules in prompting. The
  addition of the prompting patch on top of AppArmor 4.0 is required to
  support snapd prompting in general for both file and network rules.
  Currently the prompting patch is not part of the upstream release but is
  part of the vendored apparmor in snapd. In ordered for snapd to be able
  to vendor the noble release of apparmor it requires support for
  prompting. The prompting patch is a straight rebase to AppArmor 4.0 of
  the patch that has been in testing in snapd prompting for more than six
  months.
  
  Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version
  
  Beta1 added three additional features that were not present in alpha4 
(current Noble).
  • support for fine grained (address based) IPv4 and IPv6 mediation (required 
for prompting to support networking).
  • aa-notify support message filters to reduce notifications
  • aa-logprof/genprof support for mount rules
  
  None of these features affect existing policy, which will continue to
  function under the abi that it was developed under. This can be seen in
  the regression testing below.
  
  I addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
  several bug fixes the most important are highlighted below with the full
  list available in the upstream release notes, available at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2
  
  • new unconfined profiles in support of unprivileged user namespace mediation 
 
https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautalus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)
  
  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d
  
  The output of a test run is in the attached qrt.output file. Of which the 
summary is below
  Ran 62 tests in 811.542s
  
  OK (skipped=3)
  
- apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of 
March 7) noble systems. Reboot tests have been done, as well as booting in
- to different kernel versions.
-6.8.0-11-generic #11-Ubuntu
-6.5.0-14-generic #14-Ubuntu
-6.7.0 (custom build)
-6.8-rc3 (custom build)
+ apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of 
March 7) noble systems. Boot/Reboot and regression tests have been done, 
against 
+ different kernel versions.
+    6.8.0-11-generic #11-Ubuntu
+    6.5.0-14-generic #14-Ubuntu
+    6.7.0 (upstream custom build)
+    6.8-rc3 (upstream custom build)
  
  The changelog is available here
  
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes
  
  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe
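
Review bot: in the rewritten testing paragraph (the `+` lines listing the four kernels), the claim that regression tests were run against each kernel is not tied to the single QRT summary quoted above it ("Ran 62 tests in 811.542s", "OK (skipped=3)"); say which kernel the attached qrt.output came from and name the 3 skipped tests, so whoever reviews the FFe can tell whether the skips matter. The unchanged context also still reads "In ordered for snapd", "I addition to" and "nautalus"; fix those in the same description update.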

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title:
  [FFe] AppArmor 4.0-beta2 + prompting support for noble

Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 2056517] Re: vsode profile still broken

2024-03-08 Thread John Johansen
The fix for vscode is currently in apparmor 4.0.0-beta2-0ubuntu3 pending
a Feature Freeze exception. If the feature freeze exception is not
granted then the fix will be moved to a bug patch on the current
apparmor 4.0.0-alpha4.

Atm the fix is available via ppa
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056517

Title:
  vsode profile still broken

Status in apparmor package in Ubuntu:
  New

Bug description:
  Ubuntu 24.04, VSCode installed via their repo
  (https://packages.microsoft.com/repos/code)

  Some updates ago apparmor gained an exception for /usr/bin/code to
  work again.

  The desktop file uses `/usr/share/code/code` though (see
  /usr/share/applications/code.desktop), so starting vscode from the
  dock, or from the app search results in a crash:

  /usr/share/code/code
  [88564:0308/080414.682744:FATAL:credentials.cc(127)] Check failed: . : 
Permission denied (13)
  zsh: trace trap (core dumped)  /usr/share/code/code

  Could the profile be fixed to include all common ways to start vscode?

  My current workaround is to run this on every boot:

  sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

  thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056517/+subscriptions




[Touch-packages] [Bug 2056517] Re: vsode profile still broken

2024-03-08 Thread John Johansen
I won't promise we will get to fixing PHPStorm or Jetbrains before
release, but without a bug they certainly won't get fixed, so yes it is
worth filing a bug for them.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056517

Title:
  vsode profile still broken

Status in apparmor package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056517/+subscriptions




[Touch-packages] [Bug 2056517] Re: VS Code profile still broken.

2024-03-10 Thread John Johansen
This is now moving forward and should show up in proposed soon.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056517

Title:
  VS Code profile still broken.

Status in apparmor package in Ubuntu:
  Confirmed


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056517/+subscriptions




[Touch-packages] [Bug 2039294] Re: apparmor docker

2024-03-11 Thread John Johansen
@gvarouchas, you need to be more specific. There are a couple interrelated
issues in this bug. What is the exact denial message you are getting? They will
look something like the denial messages in comment 5. You can find them using
  sudo dmesg | grep DENIED
or
  journalctl -g apparmor

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in docker:
  New
Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 23.10
  Release:        23.10
  Codename:       mantic

  
  Docker version 24.0.5, build 24.0.5-0ubuntu1

  
  Graceful shutdown doesn't work anymore due to SIGTERM and SIGKILL (maybe all
  signals?) not reaching the target process. Works when apparmor is uninstalled.

  
  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" 
operation="signal" class="signal" profile="docker-default" pid=172626 
comm="runc" requested_mask="receive" denied_mask="receive" signal=term 
peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" 
operation="signal" class="signal" profile="docker-default" pid=172633 
comm="runc" requested_mask="receive" denied_mask="receive" signal=kill 
peer="/usr/sbin/runc"

To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions
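
An added example, not part of the original thread and not AppArmor's own tooling: a small Python parser for the denial records that `sudo dmesg | grep DENIED` or `journalctl -g apparmor` return, which rejoins mail-wrapped records and groups denials by profile, operation, mask and target. The function names are hypothetical, the last two sample records are constructed, and decoding an unquoted hex `name=` value is an assumption about how the audit layer encodes names containing spaces.

```python
import re
from collections import Counter

# Sample input. The first two records are the ones quoted in this bug's
# description, wrapped the way the mail archive wraps them; the last two
# records are constructed for this example.
SAMPLE_LOG = '''\
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED"
operation="signal" class="signal" profile="docker-default" pid=172626
comm="runc" requested_mask="receive" denied_mask="receive" signal=term
peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED"
operation="signal" class="signal" profile="docker-default" pid=172633
comm="runc" requested_mask="receive" denied_mask="receive" signal=kill
peer="/usr/sbin/runc"
[17993.000000] audit: type=1400 audit(1697213247.000:983): apparmor="ALLOWED"
operation="open" class="file" profile="example-profile" name="/tmp/x" pid=4241
comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[17994.000000] audit: type=1400 audit(1697213248.000:984): apparmor="DENIED"
operation="open" class="file" profile="example-profile"
name=2F746D702F6D792066696C65 pid=4242 comm="cat" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
'''

AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
# key="quoted value" or key=bare_token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Assumption: only these string fields may arrive as unquoted hex.
MAYBE_HEX_KEYS = {"name", "comm", "profile", "peer"}


def unwrap_records(text):
    """Rejoin records that were hard-wrapped; a new record starts at 'audit('."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "audit(" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_apparmor_event(record):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in record:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(record):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            fields[key] = raw[1:-1]
        elif key in MAYBE_HEX_KEYS and HEX_RE.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    stamp = AUDIT_RE.search(record)
    if stamp:
        fields["timestamp"] = float(stamp.group("ts"))
        fields["serial"] = int(stamp.group("serial"))
    return fields


def summarize_denials(log_text):
    """Count DENIED events per (profile, operation, mask, target, detail)."""
    counts = Counter()
    for record in unwrap_records(log_text):
        ev = parse_apparmor_event(record)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        # DBus denials quoted elsewhere in this archive use label=/mask=
        # instead of profile=/denied_mask=, so fall back to those keys.
        profile = ev.get("profile") or ev.get("label") or "?"
        mask = ev.get("denied_mask") or ev.get("mask") or "?"
        target = ev.get("name") or ev.get("peer") or ev.get("peer_label") or "?"
        detail = ev.get("signal") or ev.get("member") or ""
        counts[(profile, ev.get("operation", "?"), mask, target, detail)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(n, *key)
```

Pipe real `dmesg` or `journalctl` output into `summarize_denials` in place of `SAMPLE_LOG` to see which profile and target account for the denials before quoting them in a bug report.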




[Touch-packages] [Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"

2024-03-12 Thread John Johansen
Yes, will do. I added both references you provided to the upstream merge
commit and all fixes/closes references will be going into the changelog.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056739

Title:
  apparmor="DENIED" operation="open" class="file"
  profile="virt-aa-helper" name="/etc/gnutls/config"

Status in apparmor package in Ubuntu:
  In Progress
Status in chrony package in Ubuntu:
  Won't Fix
Status in gnutls28 package in Ubuntu:
  Won't Fix
Status in libvirt package in Ubuntu:
  Won't Fix
Status in apparmor source package in Noble:
  In Progress
Status in chrony source package in Noble:
  Won't Fix
Status in gnutls28 source package in Noble:
  Won't Fix
Status in libvirt source package in Noble:
  Won't Fix

Bug description:
  Christian summarizes this after the great reports by Martin:

  gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3
  and added more later.

  Due to that anything linked against gnutls while being apparmor
  isolated now hits similar denials, preventing the desired effect of
  the config change BTW.

  I think for safety we WANT to always allow this access, otherwise
  people will subtly not have crypto control about the more important
  (those isolated) software. Because after the denial I'd expect this to
  not really disable it in the program linked to gnutls (details might
  vary depending what they really use gnutls for).

  I do not know of a gnutls abstraction to use, but TBH I'm afraid now
  fixing a few but leaving this open in some others not spotted.

  I'd therefore suggest, but we need to discuss, to therefore change it
  in /etc/apparmor.d/abstractions/base.

  Therefore I'm adding gnutls (and Adrien) as well as apparmor to the
  bug tasks.

  
  --- --- --- --- --- --- --- --- --- --- --- ---
  --- --- --- --- --- --- --- --- --- --- --- ---

  
  Merely booting current noble cloud image with "chrony" installed causes this:

  audit: type=1400 audit(1710152842.540:107): apparmor="DENIED"
  operation="open" class="file" profile="/usr/sbin/chronyd"
  name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0

  
  --- --- --- --- --- --- --- --- --- --- --- ---
  --- --- --- --- --- --- --- --- --- --- --- ---

  
  Running any VM in libvirt causes a new AppArmor violation in current noble. 
This is a regression, this didn't happen in any previous release.

  Reproducer:

    virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1

  (This is the simplest way to create a test VM. But its form or shape
  doesn't matter at all).

  Results in lots of

  audit: type=1400 audit(1710146677.570:108): apparmor="DENIED"
  operation="open" class="file" profile="virt-aa-helper"
  name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper"
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  libvirt-daemon 10.0.0-2ubuntu1
  apparmor 4.0.0~alpha4-0ubuntu1
  libgnutls30:amd64 3.8.3-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions




[Touch-packages] [Bug 2057943] Re: Can't disable or modify snap package apparmor rules

2024-03-14 Thread John Johansen
If you are admin of your system, you can manually replace snap profiles.
But there are some caveats in that snapd doesn't really want this. It
manages its profiles, dynamically regenerates and replaces them etc.

You are correct that the tooling doesn't work here. It expects the
abstractions to be in the same directory as the profile, which snapd
profiles dir doesn't do.

I put this as a wish list as it's a feature development request to make
the tooling support abstractions in a different location than the
profile.


** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2057943

Title:
  Can't disable or modify snap package apparmor rules

Status in apparmor package in Ubuntu:
  New

Bug description:
  On Ubuntu 20.04 (and probably 22.04 and greater), it is impossible to
  disable snap chromium apparmor rules:

  root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure
  Can't find chromium.hook.configure in the system path list. If the name of 
the application
  is correct, please run 'which snap.chromium.hook.configure' as a user with 
correct PATH
  environment set up in order to find the fully-qualified path and
  use the full path as parameter.

  root@{HOSTNAME}:~# aa-complain snap.chromium.chromedriver -d
  /var/lib/snapd/apparmor/profiles

  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
  root@{HOSTNAME}:~# aa-complain snap.chromium.chromium -d 
/var/lib/snapd/apparmor/profiles

  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
  root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure -d 
/var/lib/snapd/apparmor/profiles

  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global
  not found

  It seems like no one has an answer on how these overly restricted
  rules can be disabled:

  
https://askubuntu.com/questions/1267980/how-to-disable-apparmor-for-chromium-snap-ubuntu-20-04
  https://ubuntuforums.org/showthread.php?t=2410550
  https://ubuntuforums.org/showthread.php?t=2449022
  https://answers.launchpad.net/ubuntu/+source/apparmor/+question/701036

  So I just got rid of apparmor which doesn't seem like the solution I
  was after, but it works great now:

  sudo systemctl stop apparmor 
  sudo systemctl disable apparmor

  Please give us a way to modify (and keep the rules permanently
  modified even after snap updates) snap apparmor rules.

  Thank you!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2057943/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-14 Thread John Johansen
The rejects here are all from the snap.element-desktop.element-desktop
profile. We will need to dig into that profile's permissions. If it's
getting all the right paths correct then I suspect the peer_label match
might be the issue.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-14 Thread John Johansen
** Changed in: steam (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Confirmed
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Confirmed
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-14 Thread John Johansen
The plasmashell profile is necessary for it to work under unprivileged
user namespace restrictions.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to 
other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the 
display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be 
displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously 
generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with 
the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the 
ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to 
other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related,  at 
least for element-desktop (but presumably for the others too). Of note are some 
of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" 
member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" 
member="GetAll" name=":1.45" mask="receive" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal"  bus="session" 
path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" 
member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the
  issue with Element (apptray indicator appears, notifications show up).
  Obviously this is not a solution, but it does isolate AppArmor as
  being at least partially at fault.

  This issue seems to be somewhat similar to
  https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422,
  however it seems as if Element is trying to hit the right paths and
  interfaces and is still being denied (based on looking at the info in
  https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go
  and comparing the paths and interfaces there with the paths and
  interfaces shown by snappy-debug).

  I talked about this issue with Erich Eickmeyer and he mentioned that
  it occurred after a Plasma update. This doesn't make a great deal of
  sense to me, and I suspect possibly some other component of the
  affected systems happened to get updated at the same time (perhaps the
  snapd Snap), but it's definitely worth mentioning.

  An example of one of Thunderbird's fallback notifications 

[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-14 Thread John Johansen
@valeryan-24 "ModuleNotFoundError: No module named 'imp'" says that your
Gpodder issue is not related to this bug. You are missing a dependency,
the 'imp' module. If Gpodder is packaged it will need to add that as
part of its install dependencies.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Confirmed
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Confirmed
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2046477] Re: Enable unprivileged user namespace restrictions by default

2024-03-15 Thread John Johansen
It solves several problems, but not all.

With regard to unprivileged user namespace mediation it should fix
 - mscode
 - nautilus
 - devhelp
 - element-desktop
 - epiphany
 - evolution
 - keybase
 - opam


The element-desktop is still known to have some issues, which are on the snapd
side. It needs to add some interfaces etc.

There is a beta3 coming early next week with additional fixes coming.
The full set won't be finalized until beta3 is rolled this weekend.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046477

Title:
  Enable unprivileged user namespace restrictions by default

Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  As per
  https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor, and for that
  to happen, the restrictions need to be enabled for 24.04

  When the unprivileged user namespace restrictions are enabled, various
  applications within and outside the Ubuntu archive fail to function,
  as they use unprivileged user namespaces as part of their normal
  operation.

  A search of the Ubuntu archive for the 23.10 release was performed
  looking for all applications that make legitimate use of the
  CLONE_NEWUSER argument, the details of which can be seen in
  https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

  For each package identified in that list, an investigation was made to
  determine if the application actually used this as an unprivileged
  user, and if so which of the binaries within the package were
  affected.

  The full investigation can be seen in
  https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately
  private) but is summarised to the following list of Ubuntu source
  packages, as well as some out-of-archive applications that are known
  to use unprivileged user namespaces.

  For each of these binaries, an apparmor profile is required so that
  the binary can be granted use of unprivileged user namespaces - an
  example profile for the ch-run binary within the charliecloud package
  is shown:

  $ cat /etc/apparmor.d/ch-run
  abi ,

  include

  profile ch-run /usr/bin/ch-run flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists
  }

  However, in a few select cases, it has been decided not to ship an
  apparmor profile, since this would effectively allow this mitigation
  to be bypassed. In particular, the unshare and setns binaries within
  the util-linux package are installed on every Ubuntu system, and allow
  an unprivileged user the ability to launch an arbitrary application
  within a new user namespace. Any malicious application then that
  wished to exploit an unprivileged user namespace to conduct an attack
  on the kernel would simply need to spawn itself via `unshare -U` or
  similar to be granted this permission. Therefore, due to the
  ubiquitous nature of the unshare (and setns) binaries, profiles are
  not planned to be provided for these by default.

  Similarly, the bwrap binary within bubblewrap is also installed by
  default on Ubuntu Desktop 24.04 and can also be used to launch
  arbitrary binaries within a new user namespace and so no profile is
  planned to be provided for this either.

  In Bug 2035315 new apparmor profiles were added to the apparmor
  package for various applications which require unprivileged user
  namespaces, using a new unconfined profile mode. They were also added
  in the AppArmor upstream project.

  As well as enabling the sysctl via the sysctl.d conf file, it is
  proposed to add logic into the apparmor.service systemd unit to check
  that the kernel supports the unconfined profile mode and that it is
  enabled - and if not then to force disable the userns restrictions
  sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  This allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

To manage notifications 
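
The bug description above explains why profiles are shipped for specific binaries such as ch-run but deliberately not for unshare, setns or bwrap. The following is an added example (not part of the bug report or of the apparmor package): a POSIX shell audit of a profile directory that lists every `flags=(unconfined)` profile carrying a `userns` rule and flags any that is attached to one of those general-purpose launchers. The function names and the sample profiles are constructed for illustration; the launcher list is taken from the description.

```shell
#!/bin/sh
# Added example: audit AppArmor profiles that grant unprivileged userns.
# Function names and the sample profiles below are constructed.

# General-purpose launchers named in the bug description: a profile for any
# of these would let arbitrary programs obtain a user namespace.
LAUNCHERS="unshare setns bwrap"

# list_userns_grants DIR
# Print "<profile> <attachment>" for every profile in DIR that is declared
# flags=(unconfined) and carries a userns rule. Only the
# "profile NAME [PATH] flags=(...) {" header form is handled.
list_userns_grants() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            $1 == "profile" {
                name = $2
                target = ($3 ~ /^\//) ? $3 : $2
                unconfined = ($0 ~ /flags=\([^)]*unconfined/)
                userns = 0
                next
            }
            $1 == "userns," || $1 == "userns" { userns = 1 }
            $1 == "}" {
                if (name != "" && unconfined && userns) print name, target
                name = ""
            }
        ' "$f"
    done
}

# audit_userns_grants DIR
# Print "ok|BYPASS <profile> <attachment>" per grant; return 1 if any grant
# is attached to a launcher from LAUNCHERS.
audit_userns_grants() {
    found=0
    grants=$(list_userns_grants "$1")
    [ -n "$grants" ] || return 0
    while read -r name target; do
        verdict=ok
        for l in $LAUNCHERS; do
            if [ "${target##*/}" = "$l" ]; then verdict=BYPASS; found=1; fi
        done
        echo "$verdict $name $target"
    done <<EOF
$grants
EOF
    return "$found"
}

# Constructed sample input: the ch-run profile body from the description
# (abi/include header lines left out), a hypothetical local profile for
# unshare, and an ordinary confined profile without a userns rule.
make_sample_profiles() {
    cat > "$1/ch-run" <<'EOF'
profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
}
EOF
    cat > "$1/unshare" <<'EOF'
profile unshare /usr/bin/unshare flags=(unconfined) {
  userns,
}
EOF
    cat > "$1/demo-app" <<'EOF'
profile demo-app /usr/bin/demo-app {
  /usr/bin/demo-app mr,
}
EOF
}

sample=$(mktemp -d)
make_sample_profiles "$sample"
audit_userns_grants "$sample" ||
    echo "a launcher profile re-opens unprivileged userns to arbitrary programs"
rm -rf "$sample"
```

On a real system the directory to pass is `/etc/apparmor.d`; the parser ignores nested child profiles and headers written without the `profile` keyword.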

[Touch-packages] [Bug 2046477] Re: Enable unprivileged user namespace restrictions by default

2024-03-15 Thread John Johansen
@pitti: yes, this is intended. At this stage we are essentially enumerating
the known users of unprivileged user namespaces. We can ship the profile
for you or you are welcome to ship it.

In the future this is going to gradually tighten, some of the
"unconfined" profiles will be developed into real profiles, unconfined
(including these profiles) will get tied into integrity checks, or
require user exceptions in the security center, etc.


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
@guyster, @eldmannen+launchpad, @valeryan-24

Firefox dailies now have a workaround, by detecting and disabling the
user namespace. The proper fix that should allow firefox to still use
the user namespace for its sandbox will land in Beta3, landing early
next week.



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
@eeickmeyer geary should be fixed in Beta3



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
@sudipmuk loupe should be fixed in Beta3



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread John Johansen
I have tried freecad and unprivileged user namespace restrictions are
not the problem. freecad snap works, freecad ppa does not have a noble
build yet but the mantic build can be made to work.

freecad daily appimage: works
freecad appimage: stable fails with mesa or qt errors depending on how/where it
is started. Below is a paste of the error
MESA-LOADER: failed to open zink: /usr/lib/dri/zink_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
failed to load driver: zink
MESA-LOADER: failed to open swrast: /usr/lib/dri/swrast_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
failed to load driver: swrast



** Changed in: freecad (Ubuntu)
   Status: Confirmed => Invalid



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
supercollider will work on current noble. Since it is using QTWebEngine
it has a graceful fallback when capabilities within the user namespace
are denied.

supercollider will have a profile and be fixed in Beta3, so it doesn't
even have to do the fallback.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Confirmed
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
** Changed in: loupe (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: geary (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: firefox (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
I have tested gnome-packagekit and it never triggers unprivileged user
namespace mediation. Can you please provide more information on how you
triggered it?

** Changed in: gnome-packagekit (Ubuntu)
   Status: Confirmed => Incomplete



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
This will be fixed in Beta3

** Changed in: gnome-packagekit (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
Will be fixed in Beta3

** Changed in: goldendict-webengine (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
Sorry, this won't be fixed in Beta3; that note was for goldendict.

** Changed in: gnome-packagekit (Ubuntu)
 Assignee: John Johansen (jjohansen) => (unassigned)



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
this will be fixed in Beta

** Changed in: kchmviewer (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: rssguard (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: supercollider (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
hi @vvaleryan-24,

I have been able to replicate the crash you are seeing, but it is not due
to the user namespace restriction. The restrictions logging does not
happen, and I can put it in an unconfined profile and it still doesn't
help. From dmesg I find the following segfault:

[79854.520976] gpk-application[19250]: segfault at 8 ip 5930eec2dba8 sp 7fff471b6b70 error 4 in gpk-application[5930eec24000+d000] likely on CPU 1 (core 0, socket 1)
[79854.520985] Code: 85 ff 0f 85 72 fd ff ff e9 72 fd ff ff 0f 1f 44 00 00 48 8b 44 24 30 48 8d 15 37 46 00 00 be 10 00 00 00 48 8d 3d c2 34 00 00 <48> 8b 48 08 31 c0 e8 6d 79 ff ff c7 43 04 00 00 00 00 48 8b 7b 50

My recommendation is we move debugging of this over to the other bug.


** Changed in: gnome-packagekit (Ubuntu)
   Status: Incomplete => Invalid

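
The triage described in the message above (no restriction logging for the process, but a segfault in dmesg) can be scripted over a kernel log. The following is an added example, not code from the bug report or from AppArmor: the segfault line is quoted from the message, the AppArmor audit line is constructed and its field layout is an assumption, and the function names are hypothetical.

```python
import re

# Kernel log sample. Line 1 is quoted from the message above. Line 2 is
# CONSTRUCTED: an assumed layout for an AppArmor user-namespace denial,
# with pid/comm borrowed from the bwrap failure in the bug description.
SAMPLE_DMESG = """\
[79854.520976] gpk-application[19250]: segfault at 8 ip 5930eec2dba8 sp 7fff471b6b70 error 4 in gpk-application[5930eec24000+d000] likely on CPU 1 (core 0, socket 1)
[80012.100000] audit: type=1400 audit(1710600000.000:321): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failing over to default" error=-13 profile="unconfined" pid=12085 comm="bwrap" requested="userns_create" denied="userns_create"
"""

# x86 user-space fault report: comm[pid]: segfault at ADDR ip IP sp SP error ERR in OBJ[BASE+SIZE]
SEGFAULT_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+(?P<comm>.+?)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>.+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
# key="value" or key=value pairs as they appear in audit records
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def decode_x86_fault(err):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "instruction_fetch": bool(err & 16),
    }


def parse_segfault(line):
    """Return a dict describing a segfault line, or None if it is not one."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    addr, ip, err = int(m["addr"], 16), int(m["ip"], 16), int(m["err"], 16)
    offset = None
    if m["base"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:
            offset = ip - base  # offset into the mapping, usable with a symbolizer
    return {
        "comm": m["comm"], "pid": int(m["pid"]), "addr": addr, "ip": ip,
        "object": m["obj"], "module_offset": offset,
        "near_null": addr < 4096,  # fault in the first page: likely NULL + field offset
        "fault": decode_x86_fault(err),
    }


def parse_apparmor_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def triage(log_text, comm):
    """Classify a crash of `comm`: user-namespace denial, plain segfault, or nothing."""
    segfaults, denials = [], []
    for line in log_text.splitlines():
        seg = parse_segfault(line)
        if seg:
            if seg["comm"] == comm:
                segfaults.append(seg)
            continue
        aa = parse_apparmor_denial(line)
        if aa and aa.get("comm") == comm and aa.get("operation", "").startswith("userns"):
            denials.append(aa)
    if denials:
        verdict = "userns-denial"
    elif segfaults:
        verdict = "segfault-without-userns-denial"
    else:
        verdict = "no-evidence"
    return {"verdict": verdict, "segfaults": segfaults, "denials": denials}


if __name__ == "__main__":
    for name in ("gpk-application", "bwrap"):
        result = triage(SAMPLE_DMESG, name)
        print(name, "->", result["verdict"])
        for seg in result["segfaults"]:
            print("  fault:", seg["fault"], "addr", hex(seg["addr"]),
                  "module offset", hex(seg["module_offset"]))
```

For the quoted line, the decoded fault is a user-mode read of a non-present page at address 8, which points to a NULL-pointer dereference in the program itself rather than to policy enforcement.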


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez:

there are no updated deb packages in the ppa for kiwix.
the kiwix appimage worked for me.
kiwix flatpak worked for me.

I am not sure what you were seeing, but we are going to need more
information.


** Changed in: kiwix (Ubuntu)
   Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Confirmed
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: notepadqq should be fixed in beta3

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Confirmed
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: pageedit should be fixed in beta3



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: I have been able to verify that privacybrowser is not working.
However it is not due to the apparmor user namespace restrictions.

I get the following segfault out of dmesg
[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc sp 7ffd5c6587e0 error 4 in libQt5Core.so.5.15.12[70bb4da8e000+335000] likely on CPU 0 (core 0, socket 0)
[ 1591.466026] Code: ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 98 00 00 00 48 89 55 80 <48> 8b 5f 08 89 b5 7c ff ff ff 64 48 8b 04 25 28 00 00 00 48 89 45


I recommend opening a separate bug to track the issue.


** Changed in: privacybrowser (Ubuntu)
   Status: Confirmed => Invalid


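The triage in the message above, separating failures caused by the AppArmor user namespace restriction from unrelated segfaults in `dmesg`, can be scripted. This is an added example, not code from the thread or from AppArmor; the log lines are constructed, and the `userns_create` operation name and the `unprivileged_userns` profile name are assumptions about the audit output.

```python
import re
from collections import defaultdict

# Assumed identifiers (not taken from the thread): the audit operation name for
# user namespace creation and the profile applied to unprivileged namespaces.
USERNS_CREATE_OP = "userns_create"
USERNS_PROFILE = "unprivileged_userns"

# Constructed sample input modelled on the key=value AppArmor audit format and
# on the segfault line quoted in the thread. PIDs, timestamps, addresses and
# program names are made up for illustration.
SAMPLE_DMESG = """\
[ 1201.100000] audit: type=1400 audit(1710600000.100:201): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=4101 comm="bwrap" requested="userns_create" denied="userns_create"
[ 1305.200000] audit: type=1400 audit(1710600104.200:202): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=4188 comm="exampleapp" capability=21 capname="sys_admin"
[ 1410.300000] audit: type=1400 audit(1710600209.300:203): apparmor="ALLOWED" operation="open" class="file" profile="example_profile" name="/etc/hosts" pid=4200 comm="otherapp" requested_mask="r" denied_mask="r"
[ 1591.466016] exampleqt[7743]: segfault at 8 ip 0000700000011ccc sp 00007ffd00000000 error 4 in libexample.so.1[700000000000+335000]
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "name[pid]: segfault at ..." as printed by the kernel for a user-space fault
SEGV_RE = re.compile(r'(\S+)\[(\d+)\]: segfault at ')


def parse_audit_fields(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in KV_RE.findall(line)}


def classify(line):
    """Classify one kernel log line; return (comm, category) or None."""
    if "apparmor=" in line:
        fields = parse_audit_fields(line)
        if fields.get("apparmor") != "DENIED":
            return None  # ALLOWED/AUDIT records are not failures
        # comm is the kernel task name, which is truncated to 15 characters
        comm = fields.get("comm", "?")
        op = fields.get("operation")
        if op == USERNS_CREATE_OP:
            # Namespace creation itself was refused.
            return comm, "userns_create_denied"
        if op == "capable" and fields.get("profile") == USERNS_PROFILE:
            # Namespace was created, but a capability inside it was refused.
            return comm, "userns_capability_denied:" + fields.get("capname", "?")
        return comm, "other_apparmor_denial"
    match = SEGV_RE.search(line)
    if match:
        return match.group(1), "segfault"
    return None


def triage(text):
    """Group findings per process name: {comm: sorted list of categories}."""
    found = defaultdict(set)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            found[hit[0]].add(hit[1])
    return {comm: sorted(cats) for comm, cats in found.items()}


def userns_related(report):
    """Processes with at least one user namespace denial logged."""
    return sorted(comm for comm, cats in report.items()
                  if any(c.startswith("userns_") for c in cats))


def unrelated_crashes(report):
    """Processes that segfaulted with no user namespace denial logged."""
    return sorted(comm for comm, cats in report.items()
                  if "segfault" in cats
                  and not any(c.startswith("userns_") for c in cats))


if __name__ == "__main__":
    result = triage(SAMPLE_DMESG)
    print("user namespace denials:", userns_related(result))
    print("crashes to track separately:", unrelated_crashes(result))
```

On a real system the input would be the output of `sudo dmesg`, passed to `triage()` as a string.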

[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@kc2bez: qmapshack should be fixed in beta3



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-16 Thread John Johansen
@arraybolt3: qutebrowser should be fixed in beta3


** Changed in: qutebrowser (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: qmapshack (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: notepadqq (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: pageedit (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-17 Thread John Johansen
@ajg-charlbury: yes, firefox we are well aware of the problem, the
firefox profile has been tweaked for beta3 (landing this week) so that
it should work with the new deb.



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-18 Thread John Johansen
@ajg-charlbury: no, apparmor beta3 has not landed in proposed yet; we are
working on the upload now. Firefox separately has added a bug fix that
will detect when the user namespace/capabilities are denied and fall back
without crashing, but it disables the full sandbox.

The apparmor-beta3 fix should enable firefox to function with the full
sandbox.



[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-24 Thread John Johansen
** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058866

Title:
  proposed-migration for cups-browsed 2.0.0-0ubuntu8

Status in apparmor package in Ubuntu:
  New
Status in cups-browsed package in Ubuntu:
  New

Bug description:
  cups-browsed 2.0.0-0ubuntu8 on armhf segfaults on startup (detected
  via an autopkgtest), early enough that LD_DEBUG=all gives no output.
  A local no-change rebuild of 2.0.0-0ubuntu7 succeeded and the
  executable ran, so 8 was uploaded to try to fix this.  But the
  executable somehow ONLY runs as
  ./debian/cups-browsed/usr/sbin/cups-browsed and segfaults when invoked
  as /usr/sbin/cups-browsed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-24 Thread John Johansen
Do we know if there is a difference in the kernel between the runs?

The 2.0.0.0~0ubuntu3 autopackage run log I was pointed at was on a
  Linux 5.4.0-170-generic #188-Ubuntu

Do we know what kernel 2.0.0-0ubuntu7 is failing on? There was a
change to when security checks were made on the exec path; this
particular denial makes me wonder if we are seeing an artifact of that
here.



[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-24 Thread John Johansen
So what I think is going on, from a first-pass look at this, is that:

We are seeing a change in kernel behavior around exec. The 6.8 kernel has a
known change here that doesn't normally trigger because unconfined is
delegating access into the profile. However, in the lxd case, unconfined
is not delegating access; the profile needs access to the
application.

The accompanying patch should fix the issue, and does not actually grant
any more permission than was already required; it was just being
delegated in by unconfined.


** Patch added: "apparmor-add-execmap.patch"
   
https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5758964/+files/apparmor-add-execmap.patch



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-29 Thread John Johansen
@coeur-noir:

Are you installing firefox to /opt/ as recommended or using it locally in
your user account?

As for bwrap, maybe it is known to be problematic. It is allowed to run and
to create a user namespace, but it is denied all capabilities within the
namespace.

Can you run
  sudo dmesg | grep apparmor

and add the information here.

https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Confirmed
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-01 Thread John Johansen
We have an update of the firefox profile coming that supports the
/opt/firefox/firefox location used as the default install for the
firefox downloaded directly from mozilla.org.

If you are running firefox out of your home directory, that will not be
directly supported and you will need to choose to do one of the following
to fix the issue.

1. The recommended way is updating the firefox profile in
/etc/apparmor.d/firefox by adding the location you have firefox
installed, and then reloading the profile with sudo apparmor_parser -r
/etc/apparmor.d/firefox.

2. You can disable user namespaces; this will keep firefox from trying
to use them as part of its sandbox https://lwn.net/Articles/673597/

3. The least recommended way to fix this is to disable the finer
grained user namespace restrictions as outlined in
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

** Changed in: qmapshack (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: qutebrowser (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: rssguard (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: supercollider (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: geary (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: goldendict-webengine (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: kchmviewer (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: loupe (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: notepadqq (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: pageedit (Ubuntu)
   Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!


[Touch-packages] [Bug 2060100] [NEW] denials from sshd in noble

2024-04-03 Thread John Johansen
Public bug reported:

2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400
audit(1711512628.920:155): apparmor="DENIED" operation="bind"
class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix"
sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind"
addr="@63cf34db7fbab75f/bus/sshd/system"

2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107
audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295
ses=4294967295 subj=unconfined msg='apparmor="DENIED"
operation="dbus_method_call"  bus="system"
path="/org/freedesktop/login1"
interface="org.freedesktop.login1.Manager"
member="CreateSessionWithPIDFD" mask="send"
name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd"
peer_pid=688 peer_label="unconfined"

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: Confirmed

** Affects: apparmor (Ubuntu Noble)
 Importance: Undecided
 Status: Confirmed

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Also affects: apparmor (Ubuntu Noble)
   Importance: Undecided
   Status: Confirmed

https://bugs.launchpad.net/bugs/2060100

Title:
  denials from sshd in noble

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Noble:
  Confirmed

Bug description:
  2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit:
  type=1400 audit(1711512628.920:155): apparmor="DENIED"
  operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290
  comm="sshd" family="unix" sock_type="stream" protocol=0
  requested_mask="bind" denied_mask="bind"
  addr="@63cf34db7fbab75f/bus/sshd/system"

  2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit:
  type=1107 audit(1711514469.771:333907): pid=703 uid=101
  auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED"
  operation="dbus_method_call"  bus="system"
  path="/org/freedesktop/login1"
  interface="org.freedesktop.login1.Manager"
  member="CreateSessionWithPIDFD" mask="send"
  name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd"
  peer_pid=688 peer_label="unconfined"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
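
A parser for the two audit record shapes quoted in this report, as an added example that is not part of the original bug report or of AppArmor's own tooling: type=1400 records come from the kernel, while type=1107 records come from a user-space mediator and carry the AppArmor fields inside msg='...'. It assumes one record per line (mail wrapping undone); the function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# The two DENIED records from the report with mail line-wrapping undone,
# plus one constructed non-audit line that must be skipped.
SAMPLE_LOG = """\
2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"
2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"
2024-03-27T00:41:10.000000-04:00 image-ubuntu64 sshd[4528]: constructed line, not an audit record
"""

# "type=N audit(SECONDS.MILLIS:SERIAL): rest-of-record"
HEADER = re.compile(r"type=(\d+) audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

MEDIATOR = {1400: "kernel", 1107: "user-space"}


def _fields(text):
    """Return the key=value pairs of one record segment as a dict."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in FIELD.finditer(text)}


def _target(f):
    """Describe the object the denied operation was aimed at."""
    if f.get("operation", "").startswith("dbus_"):
        return "{} {} {}.{}".format(f.get("bus"), f.get("path"),
                                    f.get("interface"), f.get("member"))
    if f.get("class") == "net":
        return "{}/{} {}".format(f.get("family"), f.get("sock_type"),
                                 f.get("addr"))
    return f.get("name", "?")  # file denials report the path as name=


def parse_denial(line):
    """Parse one log line; return a dict for AppArmor denials, else None."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    # User-space records wrap the AppArmor fields in msg='...'; the fields in
    # front of it describe the reporting daemon, not the confined task.
    # The closing quote may be missing when a log line was cut short.
    outer, nested, inner = body.partition("msg='")
    reporter = _fields(outer) if nested else {}
    f = _fields(inner.rstrip().rstrip("'") if nested else body)
    if f.get("apparmor") != "DENIED":
        return None
    return {
        "mediator": MEDIATOR.get(int(rtype), "type=" + rtype),
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc),
        "serial": int(serial),
        # Kernel records name the confined task profile=, D-Bus ones label=.
        "subject": f.get("profile") or f.get("label"),
        "operation": f.get("operation"),
        "target": _target(f),
        "reporter": reporter,
        "fields": f,
    }


def summarize(lines):
    """Count denials per (subject, operation) across an iterable of lines."""
    denials = filter(None, map(parse_denial, lines))
    return Counter((d["subject"], d["operation"]) for d in denials)


if __name__ == "__main__":
    for log_line in SAMPLE_LOG.splitlines():
        d = parse_denial(log_line)
        if d:
            print(d["time"].isoformat(), d["mediator"], d["subject"],
                  d["operation"], d["target"])
```

In the type=1107 record the outer pid (703) belongs to the daemon that reported the denial; the confined sshd process is the pid inside msg (4528), which is why the parser keeps the two field sets apart.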


[Touch-packages] [Bug 2060100] Re: denials from sshd in noble

2024-04-03 Thread John Johansen
Fixed by MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1196



[Touch-packages] [Bug 1597017] Re: mount rules grant excessive permissions

2024-04-03 Thread John Johansen
It is in the SRU queue and the current ETA is April 15 to land in the
proposed pocket (archive proposed, not security proposed ppa). There is a
caveat that the recent xz backdoor has caused some "fun" on the archive
side and could potentially cause some delays.

https://bugs.launchpad.net/bugs/1597017

Title:
  mount rules grant excessive permissions

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  SRU Team; the packages for focal-proposed and jammy-proposed are
  intended as security updates prepared by the Ubuntu Security team (and
  have built in a ppa with only the security pockets enabled). However,
  because the fix makes mount rules in apparmor policy be treated more
  restrictively than they were prior to this update, we would like these
  packages to gain more widespread testing.

  Risk of Regression:

  The update for this issue causes the apparmor parser, the tool that
  translates written policy into the enforcement data structures used by
  the kernel, to generate more strict policy for mount rules, like the
  example below. They are not common in apparmor policy generally, but
  can appear in policies written for container managers to restrict
  containers, and thus can potentially break container startup.

  The packages prepared for focal-proposed and jammy-proposed have been
  tested with the versions of snapd, lxc, libvirt, and docker in the
  ubuntu archive, but container managers outside of the ubuntu archive
  may run into issues, hence the need for testing and policy
  adjustments.

  Original Report:

  The rule
    mount options=(rw,make-slave) -> **,

  ends up allowing
    mount -t proc proc /mnt

  which it shouldn't as it should be restricted to commands with a
  make-slave flag



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-03 Thread John Johansen
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.

The potential solution I mention in comment #91 is to define a profile
for bwrap that allows it capabilities within the namespace but does not
allow its children capabilities within the namespace, so that bwrap and
unshare can not just launch an application to by-pass the restriction.
This seems to work well for unshare but there are cases where bwrap is
failing in unexpected ways (which is still being debugged).

At this late stage the plan is to try to get a fix for bwrap in, but if
necessary to file an SRU for the bwrap fix. So yes, this is being worked
on, and even if the fix isn't present on day one we do plan to get it
fixed.



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-03 Thread John Johansen
@arraybolt3 is correct. Both unshare and bwrap will not get an unconfined
profile, as that allows for an arbitrary by-pass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions but at this point there are still some issues with it that
are being debugged.



[Touch-packages] [Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
The fix has been merged upstream in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1209

It will be in the next release.


** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

https://bugs.launchpad.net/bugs/2060767

Title:
  Foliate does not run in Ubuntu 24.04 due to apparmor issue

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  When I try to open any epub via Foliate (installed from official Ubuntu 
repositories), it does not run.
  ```
  $ foliate Alcott, Louisa May - Little Women.epub

  (com.github.johnfactotum.Foliate:2289): Gtk-WARNING **: 01:51:13.769: Unknown 
key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
  bwrap: setting up uid map: Permission denied

  ** (com.github.johnfactotum.Foliate:2289): ERROR **: 01:51:14.283: Failed to 
fully launch dbus-proxy: Child process exited with code 1
  Trace/breakpoint trap
  ```

  A workaround
  (https://github.com/johnfactotum/foliate/issues/1271#issuecomment-2016575770)
  is to create the `/etc/apparmor.d/foliate` file with the appropriate
  content described in that link.

  A similar bug was reported for VSCode
  (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056517)



[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
There are vague plans, yes. The timeline of it has not been scoped, but
it would be something akin to what happens on macOS when you try to run
a downloaded application for the first time and you have to go into
their security config to allow it.

The application will still be "confined" but it may not get its own
individual profile and share one with others the user has downloaded.
The unconfined profiles will also get developed into full profiles. The
plan is that unconfined profiles won't be a standard thing but an
exception.

Another thing going to happen in the next upload is bwrap gets its own
profile. Applications using bwrap might work through the bwrap profile.
There will still be cases where they will need their own profile, but
the bwrap profile will cover several cases that don't work today.
Applications that have already received an unconfined profile will
continue to work that way.

https://bugs.launchpad.net/bugs/2060810

Title:
  Wike does not run in Ubuntu 24.04 due to apparmor issue

Status in apparmor package in Ubuntu:
  New

Bug description:
  Wike (deb package/compiled version) does not run in Ubuntu 24.04
  possibly due to some interference between apparmor and webkit.

  ```
  $ wike

  (process:11686): Gtk-WARNING **: 02:55:41.246: Unknown key gtk-modules in 
/home/archisman/.config/gtk-4.0/settings.ini
  bwrap: setting up uid map: Permission denied

  ** (wike:11686): ERROR **: 02:55:41.837: Failed to fully launch dbus-proxy: 
Child process exited with code 1
  Trace/breakpoint trap
  ```

  A workaround is to create the file `/etc/apparmor.d/wike` with the following 
contents:
  ```
  # This profile allows everything and only exists to give the
  # application a name instead of having the label "unconfined"

  abi ,
  include 

  profile wike /usr/bin/wike flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists
  }
  ```
  Then run `sudo systemctl restart apparmor.service`


  This is also reported in GitHub for Wike
  https://github.com/hugolabe/Wike/issues/181



[Touch-packages] [Bug 2060810] Re: Wike does not run in Ubuntu 24.04 due to apparmor issue

2024-04-10 Thread John Johansen
More applications will be getting confinement; on an individual level I
don't think it will be everything from debs. In this case it's because it
uses unprivileged user namespaces, which are now being restricted and
treated as semi-privileged because they give access to several
privileged kernel interfaces. Those privileged kernel interfaces should
be in theory safe, but the reality is that they aren't. Unprivileged
user namespaces are the first step in almost every kernel exploit chain
for the last 7 or so years.

In pwn2own last year 4 of the 5 exploits used unprivileged user
namespaces. This year all 4 did; however, if you turn the restriction on
(present in 23.10 but not enabled by default) every one of the
exploits is blocked. The current step is far from perfect, but we are
working on improving it.



[Touch-packages] [Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3

2024-04-16 Thread John Johansen
This is likely a dup of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851

https://bugs.launchpad.net/bugs/2061869

Title:
  Snaps unable to connect to network under linux-lowlatency
  6.8.0-25.25.3

Status in apparmor package in Ubuntu:
  New
Status in linux-lowlatency package in Ubuntu:
  New

Bug description:
  After upgrading to linux-lowlatency 6.8.0-25, suddenly snaps can no
  longer connect to network. I tried downgrading snapd from edge, still
  no connectivity. Only solution was to downgrade back to 6.8.0-7. I'll
  also add apparmor in case this is an apparmor issue as well.

  Marking as "critical" priority as this affects all installs of Ubuntu
  Studio and affects Firefox and Thunderbird.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2061869/+subscriptions




[Touch-packages] [Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3

2024-04-16 Thread John Johansen
The kernel team is already rolling kernels with the fix for 2061851 but
it is also building in the
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel ppa



[Touch-packages] [Bug 2062441] Re: Apparmor breaks Joplin Desktop

2024-04-19 Thread John Johansen
Unfortunately Joplin is only shipped as an appimage for Linux, which
means we can not ship a profile for it by default that will allow it to
use capabilities within the unprivileged user namespace that the
electron embedded browser is attempting to use.

This means that the user is required to intervene to enable an electron
based appimage so that it can be run. Unfortunately for 24.04 this means
some manual command line based intervention, instead of using a GUI like
on MacOS when a user needs to enable an application downloaded from the
internet.

This change is deliberate to increase the security of Ubuntu systems,
and while we will work on improving the user experience of the requirement
to have the user approve applications that are using privileged kernel
interfaces, there is no plan to revert this change. You can read more
about this in the release notes
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890


If you look in the kernel logs (or dmesg), you will find an apparmor
message similar to below showing what is causing your issue.

```
$ sudo dmesg | grep "apparmor=\"AUDIT"

[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
```
and
```
$ sudo dmesg | grep DENIED

[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21  capname="sys_admin"
```

Unfortunately unprivileged user namespaces are using privileged kernel
interfaces (above protected by capability sys_admin) that have now been
restricted to known applications because they have been used in a lot of
exploit chains.

You can add a profile for the application by copying the profile from
below into /etc/apparmor.d/ and then updating by replacing
```/home/jj/Downloads/Joplin-2.14.20.AppImage``` with the location you
are running your joplin appimage from.

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi ,
include 

profile joplin /home/jj/Downloads/Joplin-2.14.20.AppImage  flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists 
}
```

Once that is done you can do
```
$ sudo apparmor_parser -r /etc/apparmor.d/joplin
```

That will allow you to run joplin without having to reboot. Having the
joplin profile in /etc/apparmor.d/ will ensure it is reloaded if you
reboot.


** Changed in: apparmor (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2062441

Title:
  Apparmor breaks Joplin Desktop

Status in apparmor package in Ubuntu:
  Won't Fix

Bug description:
  Joplin is a FOSS note taking app based on electron, that does not work
  in Ubuntu 24.04 due to apparmor preventing it from running.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2062441/+subscriptions




[Touch-packages] [Bug 2057943] Re: Can't disable or modify snap package apparmor rules

2024-04-20 Thread John Johansen
I will note that current snap behavior is by design. Not saying that
they couldn't make this easier but the snap side is functioning the way
it was designed.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2057943

Title:
  Can't disable or modify snap package apparmor rules

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New

Bug description:
  On Ubuntu 20.04 (and probably 22.04 and greater), it is impossible to
  disable snap chromium apparmor rules:

  root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure
  Can't find chromium.hook.configure in the system path list. If the name of the application
  is correct, please run 'which snap.chromium.hook.configure' as a user with correct PATH
  environment set up in order to find the fully-qualified path and
  use the full path as parameter.

  root@{HOSTNAME}:~# aa-complain snap.chromium.chromedriver -d /var/lib/snapd/apparmor/profiles

  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
  root@{HOSTNAME}:~# aa-complain snap.chromium.chromium -d /var/lib/snapd/apparmor/profiles

  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
  root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure -d /var/lib/snapd/apparmor/profiles

  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

  It seems like no one has an answer on how these overly restricted
  rules can be disabled:

  https://askubuntu.com/questions/1267980/how-to-disable-apparmor-for-chromium-snap-ubuntu-20-04
  https://ubuntuforums.org/showthread.php?t=2410550
  https://ubuntuforums.org/showthread.php?t=2449022
  https://answers.launchpad.net/ubuntu/+source/apparmor/+question/701036

  So I just got rid of apparmor which doesn't seem like the solution I
  was after, but it works great now:

  sudo systemctl stop apparmor 
  sudo systemctl disable apparmor

  Please give us a way to modify (and keep the rules permanently
  modified even after snap updates) snap apparmor rules.

  Thank you!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2057943/+subscriptions




[Touch-packages] [Bug 2039294] Re: apparmor docker

2024-04-25 Thread John Johansen
To make this generic so that it will work on older and newer hosts we
should probably change the peer expression to

  signal (receive) peer={runc,unconfined},

or possibly, define an @{runc} variable in the preamble and use that.
This really only is advantageous, in that it shows semantic intent, if
using the value of unconfined, or if @{runc} is used multiple times
within the profile.

  @{runc}={runc,unconfined}

  signal (receive) peer=@{runc},

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in docker:
  New
Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 23.10
  Release:        23.10
  Codename:       mantic

  Docker version 24.0.5, build 24.0.5-0ubuntu1

  Graceful shutdown doesn't work anymore because SIGTERM and SIGKILL (maybe
  all signals?) don't reach the target process. Works when apparmor is
  uninstalled.

  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"

To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions




[Touch-packages] [Bug 2056627] Re: PHPStorm crashes when opening a project

2024-04-26 Thread John Johansen
It's not just that app images don't have a default path, we can handle
that as well. It is that user namespaces have become a privileged
operation, and the user must take some privileged action to allow
applications to use them.

That can be any of
- moving the application into a well known privileged location that has a
  profile already associated with it.
- creating a profile for the application where it is installed in their
  unprivileged location. This is currently allowed but problematic in that
  unprivileged code could potentially write to it and we are not currently
  restricting unprivileged applications from writing these locations. But
  that will come.
- tagging the application with the correct security label.

The important part is the user must take a privileged action to allow
applications that are using user namespaces to gain privilege. Note,
applications that use user namespaces that don't require privilege are
allowed, it's only applications that require privilege within the user
namespace.

Unfortunately appimages that use user namespaces need the user to take
one of the above privileged actions. And unfortunately Ubuntu can not
"fix" this without disabling the protection. There are plans to improve
the user experience and make this easier for users to do, but atm it is
a manual process.

The instructions provided by Seth will enable you to get the appimage
running.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056627

Title:
  PHPStorm crashes when opening a project

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Filing mostly in case anyone else hits this and is looking for
  workarounds:

  Since the Update to 24.04 PHPStorm crashes on open for me. I think
  when it tries to preview a markdown file, like a README.md which is
  shown when opening a project.

  ```
  [0309/094602.913394:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/user/bin/phpstorm/jbr/lib/chrome-sandbox is owned by root and has mode 4755.
  ```

  Workaround 1 (won't persist reboots, needs root):

  sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

  Workaround 2 (persists and doesn't need root):

  thanks to
  https://youtrack.jetbrains.com/issue/IDEA-313202/IDE-crashes-due-to-chrome-sandbox-is-owned-by-root-and-has-mode-error-when-IDE-is-launching-the-JCEF-in-a-sandbox#focus=Comments-27-7059083.0-0

  * Run `/bin/phpstorm.sh dontReopenProjects` (to avoid it crashing on start)
  * ctrl+shift+a
  * type "Registry..." and select it
  * disable the "ide.browser.jcef.sandbox.enable" option
  * Restart phpstorm

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056627/+subscriptions




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-27 Thread John Johansen
The Wike fix is coming in the next SRU.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in Wike:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in foliate package in Ubuntu:
  Fix Committed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released
Status in wike package in Ubuntu:
  Fix Committed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-27 Thread John Johansen
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial.

The appimage version of Balena Etcher unfortunately fails to run. We can not
provide a default profile for the appimage unless the user moves it to the
default deb install location (ie. installs it to the system, instead of running
it from their home dir). Users are free to add their own confinement profiles
for appimages. Directions are in
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15



[Touch-packages] [Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2022-05-24 Thread John Johansen
@rikka0w0 are you willing to test a kernel patch for this issue?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1784499

Title:
  AppArmor treats regular NFS file access as network op

Status in AppArmor:
  Confirmed
Status in snapd:
  Invalid
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  I am using AppArmor 2.12-4ubuntu5 on Ubuntu 18.04/bionic.

  I have the usr.bin.man profile enforced, and home directories in NFS.

  The log excerpt copied below is the result of a single invocation of
  "man ls" by an unprivileged user. (The program did display the man
  page correctly to the user.)

  It does not seem appropriate for AppArmor to report the man(1) program
  as having attempted to contact the NFS server directly, when it only
  tried to access an NFS-served file in the normal way. "man" is not a
  network-aware program and the log below misleadingly implies
  otherwise.

  

  Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052274] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052297] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052314] kauditd_printk_skb: 34 callbacks suppressed
  Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052323] audit: type=1400 audit(1532986715.854:215): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052327] audit: type=1400 audit(1532986715.854:216): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052339] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052363] audit: type=1400 audit(1532986715.854:217): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052364] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052369] audit: type=1400 audit(1532986715.854:218): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052386] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052450] audit: type=1400 audit(1532986715.854:219): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.059570] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.059640] audit: type=1400 audit(1532986715.862:220): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.061907] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.062006] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.062014] audit: type=1400 audit(1532986715.862:222): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.066404] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.066434] audit: type=1400 audit(1532986715.866:223): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2788 comm="man" laddr=X.X.X.

[Touch-packages] [Bug 1948752] Re: apparmor is logging too many messages

2022-06-07 Thread John Johansen
Within the profile block, e.g.

   profile redshift {

or something similar, add the following rules

   dbus send bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetNameOwner,StartServiceByName,AddMatch}",

   dbus send bus="system" path="/org/freedesktop/GeoClue2/Manager" interface="org.freedesktop.DBus.Properties" member="GetAll",

   dbus send bus="system" path="/org/freedesktop/GeoClue2/Manager" interface="org.freedesktop.GeoClue2.Manager" member="GetClient",


I think I got everything that is needed but it's possible I missed a couple
cases, also there may be other rules needed not covered by the above logs.

After adding the above rules you need to reload the profile.

  systemctl reload apparmor

should do it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1948752

Title:
  apparmor is logging too many messages

Status in Redshift:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Unfortunately, this bug does not seem to be fixed yet.
  My syslog is flooded with ALLOWED messages regarding redshift.

  My system is a Kubuntu 21.04.
  AppArmor is V. 3.0.0-0ubuntu7.1

  Attached you'll find an excerpt from /var/log/syslog for the last 5
  minutes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/redshift/+bug/1948752/+subscriptions




[Touch-packages] [Bug 1948752] Re: apparmor is logging too many messages

2022-06-09 Thread John Johansen
Ah! The rule

```
 audit dbus bus=system,
```

is the problem. It is tagging every dbus match to be audited. You can
drop that rule entirely, and just add dbus allow rules as needed, like
the first 3 rules. Or you could allow all dbus system bus accesses by
dropping the ```audit``` keyword, in which case you could also drop the
first 3 dbus rules.

Unfortunately you can't do what this rule is trying to do atm, which is to
allow dbus accesses but log the ones we don't know about, while
enforcing the other rules. You can get something somewhat close by
putting the profile into complain mode, which will log a message for
every unknown access type, but it will also allow all accesses.



[Touch-packages] [Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-04-27 Thread John Johansen
Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the
behavior of unprivileged user namespace mediation.

With the unprivileged_userns profile loaded, when a user namespace is
created by an unprivileged unconfined application the task will be
transitioned into the unprivileged_userns profile. The
unprivileged_userns profile will then deny privileged operations:
capability, mount, etc.

Without the unprivileged_userns profile loaded, the creation of the user
namespace will be denied.

Through experimentation we have learned that many applications behave
better (handle the errors better, eg. qtwebkit will handle the error and
fall back to using a sandbox without user namespaces while without the
profile it crashes) with the unprivileged_userns loaded. So that has
become the default behavior.

You can experiment with changing the behavior by manually unloading the
unprivileged_userns profile using

  sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns

nsjail will likely require a profile to work, please see
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2063976

Title:
  Apparmor breaking nsjail in AOSP

Status in apparmor package in Ubuntu:
  New

Bug description:
  Build sandboxing in AOSP is broken after updating to 24.04 with the
  following denials:

  [  182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
  [  182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6  capname="setgid"
  [  182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"

  This seems to come from the following change earlier this year:
  https://gitlab.com/apparmor/apparmor/-/commit/789cda2f089b3cd3c8c4ca387f023a36f7f1738a

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2063976/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
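
The transition described in the message above can be read directly from the kernel log. The following Python script is an added example, not part of the original message or of AppArmor's own tooling: it parses the audit records quoted in the bug description and groups the denials that follow a transition into unprivileged_userns by command name. The function names are hypothetical, and the handling of a denied userns_create (the case without the profile loaded) assumes such a record carries apparmor="DENIED" with operation="userns_create".

```python
import re
from collections import defaultdict

# Audit records copied from the bug description above, one record per line.
SAMPLE_LOG = '''\
[  182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
[  182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6  capname="setgid"
[  182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    # Skip the timestamp and audit(...) prefix; fields start at apparmor=.
    start = line.index('apparmor=')
    fields = {}
    for match in FIELD_RE.finditer(line, start):
        quoted = match.group(3)
        fields[match.group(1)] = quoted if quoted is not None else match.group(2)
    return fields


def userns_fallout(log_text, fallback_profile="unprivileged_userns"):
    """Map command name -> list of denials caused by userns mediation.

    The transition is logged for the task that creates the namespace and
    the denials for its child (pid 8514 vs 8515 in the sample), so records
    are correlated on comm rather than pid.
    """
    transitioned = set()
    denials = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        comm = rec.get("comm", "?")
        op = rec.get("operation")
        verdict = rec.get("apparmor")
        if op == "userns_create" and rec.get("target") == fallback_profile:
            # Fallback profile loaded: creation allowed, task transitioned.
            transitioned.add(comm)
        elif verdict == "DENIED" and op == "userns_create":
            # Assumed shape of the no-fallback case: creation itself denied.
            denials[comm].append("userns_create")
        elif (verdict == "DENIED" and rec.get("profile") == fallback_profile
              and comm in transitioned):
            if op == "capable":
                what = "capability " + rec.get("capname", rec.get("capability", "?"))
            elif op == "mount":
                what = "mount {} flags={}".format(rec.get("name", "?"), rec.get("flags", ""))
            else:
                what = str(op)
            denials[comm].append(what)
    return dict(denials)


if __name__ == "__main__":
    for comm, items in userns_fallout(SAMPLE_LOG).items():
        print(comm + " needs its own profile; denied after transition:")
        for item in items:
            print("  " + item)
```
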


[Touch-packages] [Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-04-28 Thread John Johansen
Running privileged applications out of home is dirty. But it is the
situation we are in with user namespaces and app images as well. Ubuntu
will not ship a profile for a privileged executable in the user's home or
a writable location of an unprivileged user. As this can be leveraged to
bypass the restriction, or it requires us to expand user mediation in
such a way that user writable locations with profiles defined become
privileged. Atm we are not adding additional restriction to the user. This
allows the user to define a profile that allows bypassing the
restriction. A user opting to create a profile in a user writable
location is less dangerous as the location becomes non-standard so it
becomes harder to exploit. It also requires the user to take a
deliberate privileged action to add the profile.

Generally for the nsjail profile an attachment like

  @{HOME}/android-*/prebuilts/build-tools/linux-x86/bin/nsjail

is slightly better, but still not great. Atm it is very close to the
same, but there are improvements coming that will tighten @{HOME} to a
user specific kernel variable which will be better than /**.

The other way to handle this would be setting the security xattr and
using that as part of the attachment.

```
  # /path/to/nsjail is a placeholder for the location of the nsjail binary
  sudo setfattr -n security.apparmor -v nsjail /path/to/nsjail
```

and define the profile as something like (you can make the path more
specific if you want).

```
  profile nsjail /**/nsjail xattrs=(security.apparmor="nsjail") flags=(unconfined) {
    # allow creation of user namespaces
    userns,
  }
```



[Touch-packages] [Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-04-29 Thread John Johansen
> To clarify, this is not something that can be solved upstream in
> apparmor, and a profile can't be accepted due to the nature of the path
> location?

Correct, if it is an unprivileged user writable location it can't be
fixed entirely upstream. It is possible for us to ship a profile that is
disabled in some way but that takes a privileged user action to enable.
E.g. we could ship a profile using the xattrs attachment from above, then
the user would be responsible for setting the xattr with setfattr.

Packaging nsjail is an option for Ubuntu but like you said it wouldn't
directly address previous versions and AOSP probably wouldn't like it.
With that said this isn't going to be an Ubuntu only restriction, the
security community in general is looking at different ways of
restricting unprivileged user namespaces. SELinux has picked up some
ability to mediate them, but isn't really applying it in policy yet. The
OSS email list (oss-secur...@lists.openwall.com) has been discussing
other options as well. The number of exploit chains associated with them
has forced us to start locking them down. The AppArmor solution will be
available to other distros as well, it is already available upstream in the
kernel and apparmor 4.0.

On the AppArmor side there is work on aa-notify that we are looking at SRUing.
That will help desktop users if they have it installed. Where they can
get a notification that will take them to a simple GUI that will allow
them to click enable (with a password) instead of having to know the
details underneath. It won't be integrated into the security center or
pretty. But a little better than the current situation for the user.



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-29 Thread John Johansen
@u-dal:

This sounds like the apparmor policy is not being loaded. Can you please
provide the output of

```
sudo aa-status
```

and

```
sudo systemctl status apparmor
```

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in Wike:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in foliate package in Ubuntu:
  Fix Committed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in guix package in Ubuntu:
  New
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released
Status in wike package in Ubuntu:
  Fix Committed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-30 Thread John Johansen
@u-dal:
Are you running in a live CD environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-30 Thread John Johansen
@u-dal:

The problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials?

```
  sudo dmesg | grep DENIED
```



[Touch-packages] [Bug 2064363] [NEW] thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
Public bug reported:

Moving this here from
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

snap policy on an overlay system is preventing thunderbird from running.
This is related to the snapcraft forum report
https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "aa-status and systemctl output"
   
https://bugs.launchpad.net/bugs/2064363/+attachment/5773407/+files/comment-101.txt

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2064363

Title:
  thunderbird snap on live systems "already running" but not responsive

Status in apparmor package in Ubuntu:
  New

Bug description:
  Moving this here from
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

  snap policy on an overlay system is preventing thunderbird from
  running. This is related to the snapcraft forum report
  https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
** Attachment added: "dmesg denial output"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773409/+files/comment-106.txt



[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
** Attachment added: "dmesg denial output"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+attachment/5773408/+files/comment-106.txt



[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
@u-dal:

Can you attach the overlay mount information?



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-04-30 Thread John Johansen
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363



[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-04-30 Thread John Johansen
So my supposition on the overlay looks to be incorrect. Would you be
willing to attach your full mount information?



[Touch-packages] [Bug 2064363] Re: thunderbird snap on live systems "already running" but not responsive

2024-05-01 Thread John Johansen
@u-dal:

Thank you, though I have to say I am at a loss as to why the snap version
of thunderbird is trying to access

```
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/.parentlock
/media/lubuntu/drive/hq/email/thunderbird/awesomenough/lock
```

What kind of configuration have you done? I see you are copying data
from /media/lubuntu/drive/startup/ into the snap, is something in one of
these a symlink into /media/lubuntu/drive/hq/email/thunderbird?

As for why this used to work and doesn't now: thunderbird, unless you
opted into it (enabled the profile), was not confined. The snap
thunderbird is confined and defines down to the file what thunderbird
has access to. Snaps however are not under normal apparmor control, and
make it somewhat hard for the user to extend what is allowed.

There are a few things that can be done to work around the issue but I
am still trying to understand why thunderbird is trying to access that
location.

Things we can do to work around this issue immediately, so you can have
access to your mail:

1. enable snapd prompting in the new security center (it's a Flutter
based application, I am not sure if lubuntu is shipping it by default).
If this is a location that falls under what is allowed to prompt (I am
not sure it is), snapd will prompt you about allowing the access, store
your response and it will be allowed in the future.

2. reinstall thunderbird snap in dev mode

3. manually update the snap profile. There will have to be a script that
recopies, and reloads, as snap can and will regenerate and reload when
it refreshes.

4. uninstall the thunderbird snap and install thunderbird as a deb via
the mozilla ppa. You can opt into an apparmor profile if you want, in
this case you get full control over the profile.

5. disable apparmor in grub.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2064363

Title:
  thunderbird snap on live systems "already running" but not responsive

Status in apparmor package in Ubuntu:
  New

Bug description:
  Moving this here from
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

  snap policy on an overlay system is preventing thunderbird from
  running. This is related to the snapcraft forum report
  https://forum.snapcraft.io/t/unexplained-thunderbird-already-running-but-is-not-responding-message/39990

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363/+subscriptions




[Touch-packages] [Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-30 Thread John Johansen
@richard-purdie-1:

I can completely agree that it's sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.

Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the user can easily
allow applications like bitbake to function. The plan is to SRU said
functionality back into 24.04, it is just taking longer than was planned
for.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056555

Title:
  Allow bitbake to create user namespace

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Occurs since an update around March 2 Ubuntu 24.04.

  Bitbake is broken due to file permission problem.

  Traceback (most recent call last):
    File "/home/hains/openpli-oe-core/bitbake/bin/bitbake-worker", line 268, in child
      bb.utils.disable_network(uid, gid)
    File "/home/hains/openpli-oe-core/bitbake/lib/bb/utils.py", line 1653, in disable_network
      with open("/proc/self/uid_map", "w") as f:
  PermissionError: [Errno 1] Operation not permitted

  Test code

  with open("/proc/self/uid_map", "w") as f:
      f.write("%s %s 1" % (1000, 1000))

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: dash 0.5.12-6ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
  Uname: Linux 6.8.0-11-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Mar  8 14:34:08 2024
  InstallationDate: Installed on 2023-03-24 (350 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: dash
  UpgradeStatus: Upgraded to noble on 2024-01-10 (58 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions




[Touch-packages] [Bug 2056555] Re: Allow bitbake to create user namespace

2024-07-30 Thread John Johansen
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.

Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The child that unshare will spawn will
not be able to do anything that requires capabilities, as what is being
denied above.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056555

Title:
  Allow bitbake to create user namespace

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Occurs since an update around March 2 Ubuntu 24.04.

  Bitbake is broken due to file permission problem.

  Traceback (most recent call last):
    File "/home/hains/openpli-oe-core/bitbake/bin/bitbake-worker", line 268, in child
      bb.utils.disable_network(uid, gid)
    File "/home/hains/openpli-oe-core/bitbake/lib/bb/utils.py", line 1653, in disable_network
      with open("/proc/self/uid_map", "w") as f:
  PermissionError: [Errno 1] Operation not permitted

  Test code

  with open("/proc/self/uid_map", "w") as f:
      f.write("%s %s 1" % (1000, 1000))

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: dash 0.5.12-6ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
  Uname: Linux 6.8.0-11-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Mar  8 14:34:08 2024
  InstallationDate: Installed on 2023-03-24 (350 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: dash
  UpgradeStatus: Upgraded to noble on 2024-01-10 (58 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions




[Touch-packages] [Bug 2074070] Re: unable to get WPA supplicant status via wpa-cli utility from a snap

2024-07-30 Thread John Johansen
So I have some questions about the snap run under the wpa_client case.

Is this trace repeatable? This one is odd to me in a couple of ways like
we are getting a timeout without ever doing a select/poll/... so either
it is somehow missing from the trace or it's being done by interrupt.

The trace starts to differ with the 
  fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0

instead of
  pselect6(4, ...   <- Why is this one missing
  recvfrom(3, ...   <- missing can be explained by time out
  newfstatat(1, ...

the missing pselect/poll.. of any kind is weird and needs to be
investigated. The missing recvfrom can be explained by the timeout.

the change from newfstatat to fstat in the snap might give a clue. I
think we might be looking at a seccomp issue where newfstatat or at
least something used to detect if newfstatat is present is being
blocked. My guess is the code to select this is in glibc.

This might also explain pselect6 missing. If glibc is setting some local
vars that it is using to conditionally determine which syscall to use.
It may just be straight up returning an error (eg timeout) without
making a syscall of any kind. Again this is conjecture and needs to be
investigated.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wpa in Ubuntu.
https://bugs.launchpad.net/bugs/2074070

Title:
  unable to get WPA supplicant status via wpa-cli utility from a snap

Status in wpa package in Ubuntu:
  Confirmed

Bug description:
  Hi

  As a developer, while trying to get the wpa_supplicant status by using
  wpa_cli, it always returns a timeout from the snap context on Ubuntu
  Core 20.

  The problem is not reproducible with Ubuntu Classic.

  I did some further analysis to get strace output of `wpa_cli` as well
  as `wpa_supplicant` for the good (running wpa_cli from host terminal)
  and bad (running from snap context) cases.

  
  Here is the strace output of the wpa_cli;
  Good case:

  ```
  bind(3, {sa_family=AF_UNIX, sun_path="/tmp/wpa_ctrl_29279-1"}, 110) = 0
  connect(3, {sa_family=AF_UNIX, sun_path="/var/run/wpa_supplicant/wlp0s20f3"}, 110) = 0
  fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
  fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
  sendto(3, "STATUS", 6, 0, NULL, 0) = 6
  pselect6(4, [3], NULL, NULL, {tv_sec=10, tv_nsec=0}, NULL) = 1 (in [3], left {tv_sec=9, tv_nsec=98877})
  recvfrom(3, "bssid=68:a0:3e:93:47:2f\nfreq=526"..., 4095, 0, NULL, NULL) = 316
  newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x4), ...}, AT_EMPTY_PATH) = 0
  write(1, "bssid=68:a0:3e:93:47:2f\n", 24bssid=68:a0:3e:93:47:2f
  ) = 24
  write(1, "freq=5260\n", 10freq=5260
  ) = 10
  write(1, "ssid=SUPERBOX_Wi-Fi_472B\n", 25ssid=SUPERBOX_Wi-Fi_472B
  ) = 25
  write(1, "id=0\n", 5id=0
  ) = 5
  write(1, "mode=station\n", 13mode=station
  ) = 13
  write(1, "wifi_generation=5\n", 18wifi_generation=5
  ) = 18
  write(1, "pairwise_cipher=CCMP\n", 21pairwise_cipher=CCMP
  ) = 21
  write(1, "group_cipher=CCMP\n", 18group_cipher=CCMP
  ) = 18
  write(1, "key_mgmt=WPA2-PSK\n", 18key_mgmt=WPA2-PSK
  ) = 18
  write(1, "wpa_state=COMPLETED\n", 20wpa_state=COMPLETED
  ) = 20
  write(1, "ip_address=192.168.1.101\n", 25ip_address=192.168.1.101
  ) = 25
  write(1, "p2p_device_address=b0:a4:60:e0:0"..., 37p2p_device_address=b0:a4:60:e0:0c:91
  ) = 37
  write(1, "address=b0:a4:60:e0:0c:90\n", 26address=b0:a4:60:e0:0c:90
  ) = 26
  write(1, "uuid=962ca758-c0a7-54c0-ae01-689"..., 42uuid=962ca758-c0a7-54c0-ae01-68990801f7a0
  ) = 42
  write(1, "ieee80211ac=1\n", 14ieee80211ac=1
  ) = 14
  unlink("/tmp/wpa_ctrl_29279-1") = 0
  close(3) = 0
  exit_group(0) = ?

  ```

  Bad case (running from the snap context)

  ```
  getpid() = 58024
  bind(3, {sa_family=AF_UNIX, sun_path="/tmp/wpa_ctrl_58024-1"}, 110) = 0
  connect(3, {sa_family=AF_UNIX, sun_path="/var/run/wpa_supplicant/wlp0s20f3"}, 110) = 0
  fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
  fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
  sendto(3, "STATUS", 6, 0, NULL, 0) = 6
  fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
  unlink("/tmp/wpa_ctrl_58024-1") = 0
  close(3) = 0
  write(1, "'STATUS' command timed out.\n", 28'STATUS' command timed out.
  ) = 28
  exit_group(-2) = ?
  +++ exited with 254 +++
  ```

  Here is the wpa_supplicant strace output;

  For the good case, wpa_supplicant was able to send the message back to
  the wpa_cli;

  ```
  pselect6(19, [4 5 7 9 10 11 13 14 15 16 17 18], [], [4], {tv_sec=9, tv_nsec=97000}, NULL) = 1 (in [14], left {tv_sec=9, tv_nsec=281454971})
  recvfrom(14, "STATUS", 8193, 0, {sa_family=AF_UNIX, sun_path="/tmp/wpa_ctrl_172293-1"}, [128 => 25]) = 6
  getsockopt(14, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0
  ioctl(14, TIOCOUTQ, [0]) = 0
  socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 19
  ioctl(19, SIOCGIFADDR, {ifr_name="wlp0s20f3", ifr_addr={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.1.101")}}) = 0
  close(19) = 0
  getsockopt(14, SOL

[Touch-packages] [Bug 2077413] Re: apparmor unconfined profile blocks signal sending

2024-08-20 Thread John Johansen
peer=unconfined in most cases is not meant to be any. It is just that
the policy could not distinguish between the different unconfined
processes.

Confined processes were still being blocked by the peer=unconfined rule.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2077413

Title:
  apparmor unconfined profile blocks signal sending

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Dear friends,

  if I'm not missing anything it looks like we have one more bug with
  unconfined AppArmor profiles.

  Reproducer description.

  

  1. Create 4 files with the following content:

  # cat apparmor_signal_test_wrap.sh 
  #!/bin/sh

  cat /proc/self/attr/apparmor/current

  ./apparmor_signal_test.sh

  kill -9 $(cat test.pid)

  # cat apparmor_signal_test.sh 
  #!/bin/sh

  cat /proc/self/attr/apparmor/current

  sleep 1000 &
  echo $! > test.pid

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap

  #include 

  "/home/ubuntu/apparmor_signal_test_wrap.sh" flags=(unconfined) {
    #include 

    capability,
    dbus,
    file,
    network,
  }

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test

  #include 

  "/home/ubuntu/apparmor_signal_test.sh" {
    #include 

    capability,
    dbus,
    file,
    network,
  }

  2. Load AppArmor profiles:

  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap

  3. run program

  # ./apparmor_signal_test_wrap.sh 
  /home/ubuntu/apparmor_signal_test_wrap.sh (unconfined)
  /home/ubuntu/apparmor_signal_test.sh (enforce)
  ./apparmor_signal_test_wrap.sh: 7: kill: Permission denied

  4. check dmesg:

  [ 4043.092218] audit: type=1400 audit(1724153768.037:191):
  apparmor="DENIED" operation="signal" class="signal"
  profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561
  comm="apparmor_signal" requested_mask="receive" denied_mask="receive"
  signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"

  Expected behavior:
  ./apparmor_signal_test_wrap.sh should exit without any errors.

  

  This bug affects LXD when we enable a new unconfined mode (in lxd-support snapd interface).
  Originally, this problem was reported as a comment in another LP bug for AppArmor:
  https://bugs.launchpad.net/apparmor/+bug/2067900/comments/2
  but it looks like the problem is deeper in this case.

  We had to revert:
  https://github.com/canonical/lxd-pkg-snap/pull/489
  because of this and a few other issues.

  System info:

  # cat /etc/os-release 
  PRETTY_NAME="Ubuntu 24.04 LTS"
  NAME="Ubuntu"
  VERSION_ID="24.04"
  VERSION="24.04 LTS (Noble Numbat)"

  # uname -a
  Linux ubuntu 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul  5 10:34:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # apt info apparmor
  Package: apparmor
  Version: 4.0.1really4.0.0-beta3-0ubuntu0.1

  # apparmor_parser -V
  AppArmor parser version 4.0.0~beta3
  Copyright (C) 1999-2008 Novell Inc.
  Copyright 2009-2018 Canonical Ltd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2077413/+subscriptions




[Touch-packages] [Bug 2056555] Re: Allow bitbake to create user namespace

2024-08-26 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.

it can be installed via
  sudo apt install apparmor-notify

basic instructions are available via
  man aa-notify

it will install a default configuration in "/etc/apparmor/notify.conf".
The default configuration can be modified on a per user basis by copying
it to "$XDG_CONFIG_HOME/apparmor/notify.conf" which is generally
"$HOME/.config/apparmor/notify.conf" or to
"$HOME/.apparmor/notify.conf". A custom configuration is not needed
unless you want to use filtering to make it less noisy.

Currently regular notifications will happen for all apparmor events, but
they can be filtered using the config file.

the notifier can be started via the shell with
  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications

There is a bug with the user namespace notification where it currently
requires "--prompt-filter=userns" as part of the command arguments
instead of being set in the config file.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056555

Title:
  Allow bitbake to create user namespace

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Occurs since an update around March 2 Ubuntu 24.04.

  Bitbake is broken due to file permission problem.

  Traceback (most recent call last):
    File "/home/hains/openpli-oe-core/bitbake/bin/bitbake-worker", line 268, in child
      bb.utils.disable_network(uid, gid)
    File "/home/hains/openpli-oe-core/bitbake/lib/bb/utils.py", line 1653, in disable_network
      with open("/proc/self/uid_map", "w") as f:
  PermissionError: [Errno 1] Operation not permitted

  Test code

  with open("/proc/self/uid_map", "w") as f:
      f.write("%s %s 1" % (1000, 1000))

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: dash 0.5.12-6ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
  Uname: Linux 6.8.0-11-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Mar  8 14:34:08 2024
  InstallationDate: Installed on 2023-03-24 (350 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: dash
  UpgradeStatus: Upgraded to noble on 2024-01-10 (58 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions





[Touch-packages] [Bug 2063976] Re: Apparmor breaking nsjail in AOSP

2024-08-26 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.

it can be installed via
  sudo apt install apparmor-notify

basic instructions are available via
  man aa-notify

it will install a default configuration in "/etc/apparmor/notify.conf".
The default configuration can be modified on a per user basis by copying
it to "$XDG_CONFIG_HOME/apparmor/notify.conf" which is generally
"$HOME/.config/apparmor/notify.conf" or to
"$HOME/.apparmor/notify.conf". A custom configuration is not needed
unless you want to use filtering to make it less noisy.

Currently regular notifications will happen for all apparmor events, but
they can be filtered using the config file.

the notifier can be started via the shell with
  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications

There is a bug with the user namespace notification where it currently
requires "--prompt-filter=userns" as part of the command arguments
instead of being set in the config file.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2063976

Title:
  Apparmor breaking nsjail in AOSP

Status in apparmor package in Ubuntu:
  New

Bug description:
  Build sandboxing in AOSP is broken after updating to 24.04 with the
  following denials:

  [  182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
  [  182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6  capname="setgid"
  [  182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"

  This seems to come from the following change earlier this year:
  
https://gitlab.com/apparmor/apparmor/-/commit/789cda2f089b3cd3c8c4ca387f023a36f7f1738a

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2063976/+subscriptions
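
The AppArmor audit records quoted in the two bug descriptions above (the signal denial in bug 2077413 and the nsjail user-namespace records in bug 2063976) can be triaged with a small parser that also links a userns_create transition to the denials that follow it. This is an added example, not code from the bug reports or from the AppArmor project; the function names and the hex-encoded HEX_SAMPLE line are assumptions made for illustration.

```python
import re

# Audit records as quoted in bug 2077413 and bug 2063976 on this page,
# re-joined onto single lines.
SAMPLE_LOG = """\
[ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"
[  182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
[  182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6  capname="setgid"
[  182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"
"""

# Constructed sample (not from the page): the audit subsystem hex-encodes
# string fields that contain spaces or quotes instead of quoting them.
HEX_SAMPLE = ('audit: type=1400 audit(1.0:1): apparmor="DENIED" operation="open" '
              'class="file" profile="demo" name=2F746D702F61206220632E747874 '
              'pid=1 comm="cat"')

PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key="quoted" or key=bare
STAMP_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')     # audit(epoch.ms:serial)
HEX_FIELDS = {"name", "comm", "profile", "peer"}          # fields that may be hex


def parse_record(line):
    """Return a dict for one AppArmor audit line, or None if it is not one."""
    if "apparmor=" not in line:
        return None
    rec = {}
    stamp = STAMP_RE.search(line)
    if stamp:
        rec["epoch"] = int(stamp.group(1))
        rec["serial"] = int(stamp.group(3))
    for key, raw in PAIR_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        elif key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            value = raw
        rec[key] = value
    return rec


def parse_log(text):
    """Parse every AppArmor record in a block of dmesg/audit text."""
    return [rec for rec in map(parse_record, text.splitlines()) if rec]


def describe(rec):
    """One-line summary: verdict, confining profile, command, what was mediated."""
    cls = rec.get("class")
    if cls == "signal":
        what = (f'{rec.get("denied_mask", rec.get("requested_mask"))} '
                f'signal {rec.get("signal")} peer={rec.get("peer")}')
    elif cls == "cap":
        what = f'capability {rec.get("capname")}'
    elif cls == "mount":
        what = f'mount on {rec.get("name")} flags=({rec.get("flags")})'
    elif cls == "namespace":
        what = f'{rec.get("operation")} -> {rec.get("target")}'
    else:
        what = rec.get("operation", "?")
    return f'{rec.get("apparmor")} {rec.get("profile")} [{rec.get("comm")}]: {what}'


def userns_fallout(records):
    """Link each userns_create transition to later denials in its target profile.

    Returns {(comm, target_profile): [denial summaries]}.
    """
    transitions = {}
    for rec in records:
        if rec.get("operation") == "userns_create" and "target" in rec:
            transitions.setdefault((rec.get("comm"), rec["target"]), [])
        elif rec.get("apparmor") == "DENIED":
            key = (rec.get("comm"), rec.get("profile"))
            if key in transitions:
                transitions[key].append(describe(rec))
    return transitions


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        print(describe(rec))
    for (comm, profile), denials in userns_fallout(records).items():
        print(f"{comm} entered {profile}: {len(denials)} denial(s) followed")
```
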




[Touch-packages] [Bug 2060767] Re: Foliate does not run in Ubuntu 24.04 due to apparmor issue

2024-08-26 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.

it can be installed via
  sudo apt install apparmor-notify

basic instructions are available via
  man aa-notify

it will install a default configuration in "/etc/apparmor/notify.conf".
The default configuration can be modified on a per user basis by copying
it to "$XDG_CONFIG_HOME/apparmor/notify.conf" which is generally
"$HOME/.config/apparmor/notify.conf" or to
"$HOME/.apparmor/notify.conf". A custom configuration is not needed
unless you want to use filtering to make it less noisy.

Currently regular notifications will happen for all apparmor events, but
they can be filtered using the config file.

the notifier can be started via the shell with
  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications

There is a bug with the user namespace notification where it currently
requires "--prompt-filter=userns" as part of the command arguments
instead of being set in the config file.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2060767

Title:
  Foliate does not run in Ubuntu 24.04 due to apparmor issue

Status in apparmor package in Ubuntu:
  Fix Committed

Bug description:
  When I try to open any epub via Foliate (installed from official Ubuntu repositories), it does not run.
  ```
  $ foliate Alcott, Louisa May - Little Women.epub

  (com.github.johnfactotum.Foliate:2289): Gtk-WARNING **: 01:51:13.769: Unknown key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
  bwrap: setting up uid map: Permission denied

  ** (com.github.johnfactotum.Foliate:2289): ERROR **: 01:51:14.283: Failed to fully launch dbus-proxy: Child process exited with code 1
  Trace/breakpoint trap
  ```

  A workaround
  (https://github.com/johnfactotum/foliate/issues/1271#issuecomment-2016575770)
  is to create the `/etc/apparmor.d/foliate` file with the appropriate
  content described in that link.

  A similar bug was reported for VSCode
  (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056517)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060767/+subscriptions




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-08-30 Thread John Johansen
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.

it can be installed via
  sudo apt install apparmor-notify

basic instructions are available via
  man aa-notify

it will install a default configuration in "/etc/apparmor/notify.conf".
The default configuration can be modified on a per user basis by copying
it to "$XDG_CONFIG_HOME/apparmor/notify.conf" which is generally
"$HOME/.config/apparmor/notify.conf" or to
"$HOME/.apparmor/notify.conf". A custom configuration is not needed
unless you want to use filtering to make it less noisy.

Currently regular notifications will happen for all apparmor events, but
they can be filtered using the config file.

the notifier can be started via the shell with
  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications

There is a bug with the user namespace notification where it currently
requires "--prompt-filter=userns" as part of the command arguments
instead of being set in the config file.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in Wike:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Fix Committed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in foliate package in Ubuntu:
  Fix Committed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in guix package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released
Status in tor package in Ubuntu:
  Confirmed
Status in wike package in Ubuntu:
  Fix Committed
Status in apparmor source package in Noble:
  Fix Committed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2065088] Re: AppArmor profiles allowing userns not immediately active in 24.04 live image

2024-09-03 Thread John Johansen
Disabling the user namespace restriction is certainly one possible
direction, and would be the easiest for Noble.

The other possible route is using aa-notify, which now has the ability
to produce a prompt for the user. An example gif can be seen at
https://gitlab.com/-/project/4484878/uploads/ea5f41c3e1799fcf4d6c0c41af86553a/demo_aa_notify.webm

it is currently only in Oracular, and there are some bug fixes coming to
the current version, but the plan is to SRU the ability to Noble.

For those who want to play with it, instructions are below. It is
available for noble via the ppa at
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.


It can be installed via
  sudo apt install apparmor-notify

Basic instructions are available via
  man aa-notify

It will install a default configuration in "/etc/apparmor/notify.conf".
The default configuration can be modified on a per-user basis by copying
it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally
"$HOME/.config/apparmor/notify.conf", or to
"$HOME/.apparmor/notify.conf". A custom configuration is not needed
unless you want to use filtering to make it less noisy.

Currently regular notifications will happen for all AppArmor events, but
they can be filtered using the config file.

The notifier can be started via the shell with
  aa-notify -p -s1 --prompt-filter=userns

or by adding it to startup applications.

There is a bug with the user namespace notification where it currently
requires "--prompt-filter=userns" as part of the command arguments
instead of being set in the config file.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2065088

Title:
  AppArmor profiles allowing userns not immediately active in 24.04 live
  image

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Side issue from . I saw this with Steam, but Ubuntu 24.04's
  AppArmor setup for Steam is quite simple, so I suspect that the same
  thing might happen for any of the other third-party software that
  needs an AppArmor profile for
  .

  Steps to reproduce:

  1. Boot an Ubuntu 24.04 live image, in a virtual machine with lots of RAM (I gave it 8G) so that it will have enough space on the root tmpfs to install Steam. Using Debian 12's libvirt and qemu, I found that virtio graphics didn't work, and used qxl as a workaround.
  2. When prompted, choose a keyboard layout etc., and choose to "Try Ubuntu" rather than "Install Ubuntu".
  3. Open a terminal
  4. sudo dpkg --add-architecture i386
  5. sudo apt update
  6. sudo apt install steam (in this case steam is a transitional package with a dependency on steam-installer, both at version 1:1.0.0.79~ds-2)
  7. steam
  8. See a prompt warning me that Steam is proprietary binary-only software. Choose Install.
  9. See a light grey progress bar "Steam setup / Updating Steam runtime environment...". Wait.
  10. See a dark grey progress bar "Steam / Updating Steam... Downloading update (xxx of 465,450 KB)...". Wait.
  11. Dark grey progress bar becomes "Steam / Updating Steam... Extracting package...". Wait.
  12. Output in terminal shows "Restarting Steam by request...". Wait.

  Expected result:

  - /etc/apparmor.d/steam allows Steam to create new user namespaces, etc.
  - Steam starts successfully

  Actual result:

  - A dialog box with "Error / Steam now requires user namespaces to be enabled"
  - Audit log: apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=... comm="srt-bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"

  Workaround:

  - Force Ubuntu's AppArmor profile for Steam to be reloaded: sudo apparmor_parser -Tr /etc/apparmor.d/steam
  - Run steam again

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065088/+subscriptions
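
An added example, not part of the bug report or of AppArmor's own tooling: a small Python triage of AppArmor audit lines that separates the denial quoted in the report (unconfined task, target profile not found) from other userns_create denials. The sample log is constructed, and the function names and labels are this example's own.

```python
import re

# Constructed sample input. Line 1 reuses the fields of the denial quoted in
# the report (the pid is a made-up value); lines 2 and 3 are invented.
SAMPLE_LOG = """\
audit: type=1400 audit(1715000000.101:210): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4242 comm="srt-bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
audit: type=1400 audit(1715000000.202:211): apparmor="DENIED" operation="open" class="file" profile="constructed-app" name="/etc/shadow" pid=4300 comm="example" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1715000000.303:212): apparmor="DENIED" operation="userns_create" class="namespace" error=-13 profile="constructed-app" pid=4400 comm="bwrap" requested="userns_create" denied="userns_create"
"""

# key=value pairs; values are either double-quoted (may hold spaces) or bare.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def classify(event):
    """Label a denial; only userns_create denials are split further."""
    if event.get("apparmor") != "DENIED":
        return "not-a-denial"
    if event.get("operation") != "userns_create":
        return "other-denial"
    if event.get("profile") == "unconfined" and "failed to find" in event.get("info", ""):
        # The kernel reported that it could not find the target profile
        # named in target=, which is the case described in the report.
        return "userns-target-profile-not-found"
    return "userns-denied-by-profile"

def triage(log_text):
    """Return (comm, profile, label) for every AppArmor event in the text."""
    rows = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is not None:
            rows.append((event.get("comm"), event.get("profile"), classify(event)))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```
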




[Touch-packages] [Bug 2079019] Re: Unable to enforce/disable profiles using aa-enforce/aa-disable

2024-09-06 Thread John Johansen
This is fixed in 4.0.2 and should be part of the next SRU


** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2079019

Title:
  Unable to enforce/disable profiles using aa-enforce/aa-disable

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Trying to enforce an apparmor profile on a newly installed Ubuntu
  24.04 server (ubuntu-24.04-live-server-amd64.iso, updated and
  rebooted) results in the following

  # aa-enforce podman

  ERROR: Operation {'runbindable'} cannot have a source. Source =
  AARE('/')

  
  Searching for runbindable in /etc/apparmor.d shows this

  # grep -r "runbindable*/*" /etc/apparmor.d
  /etc/apparmor.d/abstractions/passt:  mount options=(rw, runbindable) /,

  
  # aa-logprof 

  ERROR: Operation {'runbindable'} cannot have a source. Source =
  AARE('/')

  # aa-disable passt

  ERROR: Operation {'runbindable'} cannot have a source. Source =
  AARE('/')

  # aa-status --filter.profiles=podman
  apparmor module is loaded.
  98 profiles are loaded.
  0 profiles are in enforce mode.
  0 profiles are in complain mode.
  0 profiles are in prompt mode.
  0 profiles are in kill mode.
  1 profiles are in unconfined mode.
 podman
  0 processes have profiles defined.
  0 processes are in enforce mode.
  0 processes are in complain mode.
  0 processes are in prompt mode.
  0 processes are in kill mode.
  0 processes are unconfined but have a profile defined.
  0 processes are in mixed mode.

  # lsb_release -a
  No LSB modules are available.
  Distributor ID:   Ubuntu
  Description:  Ubuntu 24.04.1 LTS
  Release:  24.04
  Codename: noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2079019/+subscriptions




[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

2024-09-10 Thread John Johansen
*** This bug is a duplicate of bug 1795649 ***
https://bugs.launchpad.net/bugs/1795649

@Mingun: I have replied in
https://bugs.launchpad.net/evince/+bug/1795649

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1969896

Title:
  Evince Document Viewer(42.0) does not remember last page in 22.04 and
  opens in a tiny window when launched

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Invalid
Status in apparmor source package in Jammy:
  Fix Released
Status in evince source package in Jammy:
  Invalid
Status in apparmor source package in Kinetic:
  Fix Released
Status in evince source package in Kinetic:
  Invalid

Bug description:
  [Impact]

   * Evince does not behave as expected and launches with a very small
  window resulting in a poor user experience

   * Fixing this requires only a minor change to the exo-open
  abstraction and results in correctly functioning evince

   * By removing the dbus deny rule in the exo-open abstraction, evince
  is able to correctly communicate with gvfs and start up as normal

  [Test Plan]

   * Start dbus-monitor to watch for AppArmor denials
   
   $ dbus-monitor --session | grep AppArmor

   * Launch evince and there should be no AppArmor message shown above
  from dbus-monitor

  [Where problems could occur]

   * By removing this deny rule from the exo-open abstraction, AppArmor
  will be more permissive for anything which uses the exo-open
  abstraction and potentially allow it access to gvfs where it did not
  before.

   * This should not result in any regressions as we are granting extra
  functionality which wasn't allowed before, however perhaps in the case
  of an application which expects *not* to be able to use gvfs as this
  was previously explicitly denied, it may now be able to (if it has a
  less specific allow rule) and hence it may function differently than
  before.

  [Other Info]
   
   * Whilst on the surface by removing this deny rule it may appear that
  this grants additional permissions to anything which uses the exo-open
  abstraction, this is not necessarily true as AppArmor denies all
  accesses by default unless explicitly allowed by a profile. And so in
  general this will not grant permission to use a DBus interface that an
  application did not have before. However, due to the way that deny
  rules take precedence over allow rules in AppArmor, if an application
  had been allowed generic dbus access to the user's session bus, the
  previous deny rule in the exo-open abstraction would then have denied
  them access to just gvfs via dbus. With this new proposed change, this
  is not explicitly denied and so is now allowed as expected. But for
  applications which may have used the exo-open abstraction and which
  did *not* have DBus access before, this change will not result in them
  obtaining DBus access either.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1969896/+subscriptions



