@paride: RE: aa-notify
aa-notify does not require the desktop-security-center snap. The
desktop-security-center snap is required for permissions prompting which
is a different feature, that is only available to snaps atm*.
aa-notify is after-the-fact updating of the profile, similar to using aa-l
Thanks Ryan, Alex and John. That seems like a good compromise to me.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2098930
Title:
openvpn profile doesn't allow access to files on home dir
After a discussion with Alex Murray and John Johansen, we decided on the
following OpenVPN policy adjustments:
- allowing writes to files in the /etc/openvpn, and not just reads
- allowing reads to most of the home directories
- allowing writes to most of the home directories, with an owner restri
FYI, LP:2101909 about apparmor and access to ~/.cert/. Thought I'd
mention that for future travellers. The original bug report is about
~/Documents so differs.
It won't help much to white-list one particular location if users will
be none the wiser of it. As Thomas says at #5, this will probably end up
in ~/Downloads for many.
If Apparmor prompting is not due for 25.04, this must be a critical bug,
right? Probably
> 2. Just give the profile full access
In my opinion this needs to be granted access to the entire HOME unless
we can very clearly and visually communicate the issue to the user.
> atm It looks that way, there certainly should be some though
>
> comment #4's
> @{HOME}/.cert/nm-openvpn/* r,
>
> seems reasonable. We will have to look into others
I'd rather use .config/ instead of .cert/ to be more aligned with the
XDG Base directories specification.
Here is another problem:
291s + openvpn --genkey secret static.key
291s 2025-03-09 08:21:34 Cannot open file 'static.key' for write: Permission denied (errno=13)
Seen in
https://autopkgtest.ubuntu.com/results/autopkgtest-plucky/plucky/amd64/o/openvpn/20250309_082154_6a263@/log.gz
atm It looks that way, there certainly should be some though
comment #4's
@{HOME}/.cert/nm-openvpn/* r,
seems reasonable. We will have to look into others
@aleasto, no they aren't desktop applications. That doesn't mean access
to keys in a users directory can't be routed to the affected user as a
permission request (at least in a desktop environment).
Nor does it mean that the GUI interface for network manager can't act
as a privilege layer for
>> 1. The user moves keys to the allowed default locations
> Which is?
Checking the apparmor profile,
# OpenVPN configuration and key files
file r /etc/openvpn/{,**},
file mr /usr/sbin/openvpn,
so I guess /etc/openvpn and there is no default userdir allowed?
> 1. For applications that support it, having them use a portal to gain
access. With the portal being allowed to delegate the selected file to
the application. This is the transparent solution, where the user gets
the file dialogue as usual but it is not under the applications control.
openvpn/net
Short term there are four solutions.
> 1. The user moves keys to the allowed default locations
Which is?
Comment 4 worked for me
I hit this too, and had to adapt the work-around to be slightly more
permissive, since `openvpn` actually needs to load multiple files, making it
look more like this:
sudo bash -c "echo '@{HOME}/Documents/canonical/vpn/* r,' >> /etc/apparmor.d/local/openvpn"
I also stumbled on this and tried the aa-notify way mentioned in comment
6, but that didn't work for me. I get the notification prompt on
allowing access to the key stored under my home directory, but by the
time I click on "Allow" openvpn already failed and gave up trying. The
"allow" setting (i.e
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: gnome-control-center (Ubuntu)
Status: New => Confirmed
Adding gnome-control-center here so the desktop people have visibility
that VPN configuration through gnome-control-center won't work anymore
with this new AppArmor profile.
** Also affects: gnome-control-center (Ubuntu)
Importance: Undecided
Status: New
So there is a tension here between users and security. There is no
perfect solution. Allowing openvpn full access to all the users files
has security implications, denying access has usability implications.
As unsatisfying as it is, we are working towards a long-term solution,
but are not there yet
Thanks for the workaround. That works.
But how is that expected to work for a normal Desktop user who needs to
add a VPN through the GNOME Control Center network panel? You have to
select there the files through the file manager so very likely the user
downloaded the VPN configuration from somewhe
I had a similar problem after I upgraded from Kubuntu 24.10 to 25.04:
all OpenVPN connections failed due to AppArmor denying access to
$HOME/.cert/nm-openvpn
I solved it with
sudo bash -c "echo '@{HOME}/.cert/nm-openvpn/* r,' >> /etc/apparmor.d/local/openvpn"
sudo apparmor_parser -r /etc/apparmor.d
Hi Thomas,
To allow access to these files, you can add the following rule to
/etc/apparmor.d/local/openvpn:
@{HOME}/Documents/canonical/vpn/canonical_ta.key r,
It can be done by the following command:
sudo bash -c "echo '@{HOME}/Documents/canonical/vpn/canonical_ta.key r,' >> /etc/apparmor.d/loc
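Added example, not code from the bug thread or from the openvpn or apparmor packages: a small POSIX sh helper that does by hand what aa-notify/aa-logprof do after the fact. It turns an AppArmor DENIED audit line into a profile rule, generalising /home/<user>/ to @{HOME} and giving write rules the "owner" prefix (the restriction the policy decision above applies to writes under the home directory) when the denied access came from the file's owner (fsuid == ouid), and it appends the rule to the local override file only if that exact line is not already there, which the `echo ... >> /etc/apparmor.d/local/openvpn` one-liners in this thread do not check. The audit line used in the usage comment is illustrative, the /etc/apparmor.d/openvpn profile file name is an assumption, and the helper must run as root to touch the real override file.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the openvpn package.
# Turn AppArmor "DENIED" audit lines (kernel type=1400 records) into
# profile rules and add them to a local override file without duplicates.

# rule_from_denial LINE
#   Print one AppArmor file rule for the denial in LINE. Paths below
#   /home/<user>/ are generalised to @{HOME}. For write-type denials
#   (mask containing w or a) coming from the file's owner (fsuid == ouid)
#   the rule gets the "owner" prefix, so the grant does not extend to
#   files the user does not own. Read rules are left unrestricted, which
#   matches the read/write split settled on in the thread.
rule_from_denial() {
    line=$1
    name=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.*denied_mask="\([^"]*\)".*/\1/p')
    fsuid=$(printf '%s\n' "$line" | sed -n 's/.*fsuid=\([0-9]*\).*/\1/p')
    ouid=$(printf '%s\n' "$line" | sed -n 's/.*ouid=\([0-9]*\).*/\1/p')
    if [ -z "$name" ] || [ -z "$mask" ]; then
        echo "rule_from_denial: not a file denial: $line" >&2
        return 1
    fi
    # /home/alice/Documents/x -> @{HOME}/Documents/x
    path=$(printf '%s\n' "$name" | sed 's#^/home/[^/]*/#@{HOME}/#')
    prefix=
    case $mask in
        *w*|*a*)
            if [ -n "$fsuid" ] && [ "$fsuid" = "$ouid" ]; then
                prefix='owner '
            fi
            ;;
    esac
    printf '%s%s %s,\n' "$prefix" "$path" "$mask"
}

# add_rule FILE RULE
#   Append RULE to FILE unless an identical line is already present.
#   Prints "added" or "present". Re-running a plain `echo RULE >> FILE`
#   appends a duplicate every time; this does not.
add_rule() {
    file=$1
    rule=$2
    if [ -f "$file" ] && grep -qxF -- "$rule" "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
    echo added
}

# Usage as root against the real override file (assumed paths):
#   dmesg | grep 'apparmor="DENIED"' | grep 'profile="openvpn"' | tail -n1 |
#     while read -r l; do
#         r=$(rule_from_denial "$l") && add_rule /etc/apparmor.d/local/openvpn "$r"
#     done
#   apparmor_parser -r /etc/apparmor.d/openvpn   # assumed profile file name
```

After adding a rule, reload the profile; `sudo apparmor_parser -r /etc/apparmor.d` as used in the thread reloads every profile in the directory and works too. Review the generated rule before keeping it: a denial for a broad path such as @{HOME}/Downloads/somefile is still a single-file grant, which is the point, rather than a blanket @{HOME}/** rule.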
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed