Electron apps could be started with --no-sandbox with executableArgs = ["no-sandbox"] in build mode for AppImage or Snap (https://www.electron.build/configuration/snap.html).
There is also a bug opened on Electron, https://github.com/electron/electron/issues/41066, with a merged patch for detecting such an issue at runtime by testing writes for such namespaces, as a pull request on Electron. This change in Ubuntu for Electron is not new, and there were some attempts for AppImages for Electron to fix it, because Debian and other Linuxes have various policies, so there were also questions about it and some attempts in JS npm packages: https://github.com/electron-userland/electron-builder/issues/5371.

So the issue on Electron is opened, and packagers could wait for a new Electron release or decide what to do... But requiring each app to have its own profile is a weird way to bureaucratic hell, an overhead of something not deeply understood.

** Bug watch added: github.com/electron/electron/issues #41066
   https://github.com/electron/electron/issues/41066

** Bug watch added: github.com/electron-userland/electron-builder/issues #5371
   https://github.com/electron-userland/electron-builder/issues/5371

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2072811

Title:
  Apparmor: New update broke flatpak with `apparmor="DENIED"`

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Noble:
  Fix Released
Status in apparmor source package in Oracular:
  Fix Released

Bug description:

The recent apparmor update appears to have broken some flatpaks' ability to save files, e.g.:

- org.keepassxc.KeePassXC
- org.ksnip.ksnip

It seems the update introduced a new profile ("/etc/apparmor.d/bwrap-userns-restrict"), which is causing the issue below.

**** To reproduce ****

(I'm using KeePassXC as an example, but it is the same issue for ksnip):

1. Install and run KeePassXC

```bash
flatpak install org.keepassxc.KeePassXC
flatpak run org.keepassxc.KeePassXC
```

2. Got error: "Access error for config file /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"

Looking at `journalctl -f`, I see these apparmor DENIED entries:

```txt
Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
```

**** Workaround ****

For now, the workaround is disabling the "/etc/apparmor.d/bwrap-userns-restrict" profile.

```bash
sudo aa-disable /usr/bin/bwrap
```

**** Version info ****

```txt
$ lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04 LTS
Release:        24.04

$ apt-cache policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
        500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```