This bug was fixed in the package apparmor - 4.0.1really4.0.1-0ubuntu0.24.04.3

---------------
apparmor (4.0.1really4.0.1-0ubuntu0.24.04.3) noble; urgency=medium

  * Revert to version 4.0.1-0ubuntu0.24.04.2 except for the patch
    that enables the bwrap-userns-restrict profile (LP: #2072811).
  * New upstream release.
    (LP: #2064672, LP: #2046844, LP: #2060100, LP: #2056297)
  * Drop patches which have now been applied upstream
    - d/p/u/parser-fix-issues-appointed-by-coverity.patch
    - d/p/u/profiles-add-unconfined-profile-for-tuxedo-control-c.patch
    - d/p/u/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch
    - d/p/u/Minor-improvements-for-MountRule.patch
  * Add patch to add balena-etcher profile (LP: #2046844)
    - d/p/u/profiles-add-unconfined-balena-etcher-profile.patch
  * Add upstream patch to relax mount rules to fix use of virtiofs and
    other file-system types
    - d/p/u/mountrule-relaxing-constraints-on-fstype.patch
  * Refresh
    - d/p/u/samba-systemd-interaction.patch
    - d/p/u/parser-add-support-for-prompting.patch
      - Add condition in policydb serialization to only encode xtable if
        kernel_supports_permstable32
  * Fix d/p/u/userns-runtime-disable.patch to work when
    kernel.apparmor_restrict_unprivileged_userns does not exist by adding
    -e to sysctl.
  * d/apparmor-profiles.install
    - install new profile
      - unshare-userns-restrict
      - bwrap-userns-restrict
  * d/apparmor.install
    - install new profiles
      - wike - changed installation from apparmor to apparmor.d
      - foliate
      - balena-etcher
      - transmission
  * d/control: Remove obsolete lsb-base Depends and swap pkg-config to
    pkgconf for Build-Depends

 -- Georgia Garcia <georgia.gar...@canonical.com>  Thu, 18 Jul 2024 15:28:46 -0300

** Changed in: apparmor (Ubuntu Noble)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2072811

Title:
  Apparmor: New update broke flatpak with `apparmor="DENIED"`

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Noble:
  Fix Released
Status in apparmor source package in Oracular:
  Fix Released

Bug description:
  The recent apparmor update appears to have broken some flatpaks' ability to
  save files, e.g.:
  - org.keepassxc.KeePassXC
  - org.ksnip.ksnip

  It seems the update introduced a new profile
  ("/etc/apparmor.d/bwrap-userns-restrict"), which is causing the issue below.

  **** To reproduce ****

  (I'm using KeepassXC as an example, but the same issue occurs for ksnip):

  1. Install and run KeepassXC

  ```bash
  flatpak install org.keepassxc.KeePassXC
  flatpak run org.keepassxc.KeePassXC
  ```

  2. Got error: "Access error for config file
  /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"

  Looking at `journalctl -f`, I see these apparmor DENIED entries:

  ```txt
  Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
  Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
  Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
  ```

  **** Workaround ****

  For now, the workaround is to disable the
  "/etc/apparmor.d/bwrap-userns-restrict" profile.

  ```bash
  sudo aa-disable /usr/bin/bwrap
  ```

  **** Version info ****
  $ lsb_release -rd
  No LSB modules are available.
  Description:  Ubuntu 24.04 LTS
  Release:      24.04

  $ apt-cache policy apparmor
  apparmor:
    Installed: 4.0.1-0ubuntu0.24.04.2
    Candidate: 4.0.1-0ubuntu0.24.04.2
    Version table:
   *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
          500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       4.0.0-beta3-0ubuntu3 500
          500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions
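
A triage helper for the kind of DENIED entries quoted in the bug description, added here as an example and not part of the bug report or of AppArmor itself: it parses the audit records' key=value fields and groups denials by profile, operation and denied mask, so the profiles blocking an operation stand out. The sample records are constructed in the format shown above, with `host` and `/home/user` as placeholders.

```python
import re
from collections import defaultdict

# Audit fields are key=value; a value is either "quoted" (may hold spaces) or bare.
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_apparmor_record(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    fields = {k: v.strip('"') for k, v in _PAIR.findall(line)}
    return fields if "apparmor" in fields else None

def summarize_denials(lines):
    """Group DENIED records by (profile, operation, denied_mask)."""
    summary = defaultdict(lambda: {"count": 0, "names": set(), "comms": set()})
    for line in lines:
        rec = parse_apparmor_record(line)
        if not rec or rec["apparmor"] != "DENIED":
            continue  # skip non-AppArmor lines and complain-mode ALLOWED records
        key = (rec.get("profile", "?"), rec.get("operation", "?"),
               rec.get("denied_mask", "?"))
        summary[key]["count"] += 1
        summary[key]["names"].add(rec.get("name", "?"))
        summary[key]["comms"].add(rec.get("comm", "?"))
    return dict(summary)

# --- Constructed sample input (placeholder host name and home directory) ---
_DIR = "/home/user/.var/app/org.keepassxc.KeePassXC/config/keepassxc"
_INFO = 'info="Failed name lookup - deleted entry" error=-2 '

def _rec(seq, profile, name, extra=""):
    return (f'Jul 12 09:44:37 host kernel: audit: type=1400 audit(1720741477.106:{seq}): '
            f'apparmor="DENIED" operation="link" class="file" {extra}profile="{profile}" '
            f'name="{_DIR}/{name}" pid=4021 comm="keepassxc" requested_mask="l" '
            'denied_mask="l" fsuid=1000 ouid=1000')

SAMPLE_LINES = [
    "Jul 12 09:44:36 host systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.",
    _rec(310, "bwrap", "#317211", _INFO),
    _rec(311, "bwrap", "keepassxc.ini"),
    _rec(312, "unpriv_bwrap", "#317211", _INFO),
    _rec(313, "unpriv_bwrap", "keepassxc.ini"),
]

if __name__ == "__main__":
    for (profile, op, mask), e in sorted(summarize_denials(SAMPLE_LINES).items()):
        print(f"{profile}: {e['count']}x {op} (mask {mask}) by {sorted(e['comms'])}")
        for name in sorted(e["names"]):
            print(f"    {name}")
```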