So there is a tension here between users and security. There is no perfect solution. Allowing openvpn full access to all the users files has security implications, denying access has usability implications.
As unsatisfying as it is we are working towards a long term solution, but are not there yet. So what can be done now. Short term there are four solutions. 1. The user moves keys to the allowed default locations (what has led to this bug report) 2. Just give the profile full access to the users files (less secure) 3. disable the profile (even worse than 2) 4. enable aa-notify (sudo apt install apparmor-notify) Solution 4, is not currently enabled by default, but it could be in a future release (it would need to be added to the desktop seed). It provides the user a gui that will allow them to extend the profile, but is done after the denial. It is not ideal but better than the above shell command for most users. Long term the solution (which is a wip) is two fold: 1. For applications that support it, having them use a portal to gain access. With the portal being allowed to delegate the selected file to the application. This is the transparent solution, where the user gets the file dialogue as usual but it is not under the applications control. 2. For applications that can't support portals there is the permission prompting work, that is currently experimental (https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle- part-5-introducing-permissions-prompting/47963). Instead of being an after the fact solution like aa-notify, the prompt pauses the application to get the users input. At the moment it is experimental and snap application only, but it can be opened up to non-snap applications in the future. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2098930 Title: openvpn profile doesn't allow access to files on home dir Status in apparmor package in Ubuntu: Confirmed Bug description: my VPN keys & certs are stored in my HOME directory. The current apparmor update broke that. When I try to activate my VPN through NetworkManager, the journal says: Feb 20 07:48:57 paprika NetworkManager[3405]: <info> [1740034137.4372] vpn[0x58db282782d0,132c9eee-2134-4f7a-8326-58bde38036de,"canonical-uk"]: starting openvpn [snipped] Feb 20 07:48:57 paprika nm-openvpn[10793]: Cannot pre-load keyfile (/home/tom/Documents/vpn/ta.key) Feb 20 07:48:57 paprika nm-openvpn[10793]: Exiting due to fatal error [snipped] Feb 20 07:48:57 paprika kernel: audit: type=1400 audit(1740034137.454:789): apparmor="DENIED" operation="open" class="file" profile="openvpn" name="/home/tom/Documents/vpn/ta.key" pid=10793 comm="openvpn" requested_mask="r" denied_ma> So openvpn can no longer access /home/tom/Documents/canonical/vpn/canonical_ta.key . ProblemType: Bug DistroRelease: Ubuntu 25.04 Package: apparmor 4.1.0~beta5-0ubuntu2 ProcVersionSignature: Ubuntu 6.12.0-15.15-generic 6.12.11 Uname: Linux 6.12.0-15-generic x86_64 NonfreeKernelModules: zfs ApportVersion: 2.31.0-0ubuntu5 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Thu Feb 20 08:57:57 2025 InstallationDate: Installed on 2024-07-18 (217 days ago) InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424) ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/usr/bin/zsh TERM=xterm-256color XDG_RUNTIME_DIR=<set> ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.12.0-15-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet splash vt.handoff=7 SourcePackage: apparmor UpgradeStatus: Upgraded to plucky on 2024-12-20 (62 days ago) modified.conffile..etc.apparmor.d.element-desktop: [modified] mtime.conffile..etc.apparmor.d.element-desktop: 2025-02-11T18:32:02.077059 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2098930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
