@paride: RE: aa-notify

aa-notify does not require the desktop-security-center snap. The
desktop-security-center snap is required for permissions prompting, which
is a different feature that is only available to snaps atm*.

aa-notify is after-the-fact updating of the profile, similar to using
aa-logprof. It tails the log file looking for denials, which it then
sends a desktop notification for. Clicking allow on the notification
should pop up a password request, and if that is granted it will use the
same backend as aa-genprof/logprof to add the entry to the profile,
which is saved to disk, and then the apparmor_parser is kicked off to
replace the profile by giving it the updated profile files.

This after-the-fact update will live-update a running
application/service; however, the application/service may not try
to access the file in question again until it is restarted, e.g. say it
tries to access a config file and is denied, so the service uses some
internal defaults and starts running. It won't try to access the config
file again until it is restarted, or at least told to reread its config.

Can I get some clarification on what you mean by temporary? It sounds to
me like the profile is never updated, and that openvpn never gets
permission to access the file. Am I correct, or is there a window where
openvpn gets access?

When you click allow do you get a window pop-up that asks for your
password, to update the apparmor profile permissions?


* permissions prompting is similar to aa-notify on the surface, but it uses an
entirely different mechanism. First, instead of after the fact, it happens before
the request gets denied. The kernel suspends the application and sends an
upcall to the system snapd daemon. That daemon routes the message to the user's
session, where a desktop agent prompts the user and sends the response back to
the system snapd daemon, which handles updating the snap's apparmor policy.

The desktop-security-center snap provides the GUI configuration
interface for the feature. It has the toggle that tells snapd to enable
permission prompting, and allows the user to delete the rules that they
have added (but not the base apparmor profile). In fact, beyond the
desktop-security-center being required to enable the feature, it isn't
actually needed for the feature to function.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2098930

Title:
  openvpn profile doesn't allow access to files on home dir

Status in apparmor package in Ubuntu:
  Confirmed
Status in gnome-control-center package in Ubuntu:
  Confirmed
Status in network-manager package in Ubuntu:
  Confirmed

Bug description:
  My VPN keys & certs are stored in my HOME directory. The current
  apparmor update broke that. When I try to activate my VPN through
  NetworkManager, the journal says:

  Feb 20 07:48:57 paprika NetworkManager[3405]: <info>  [1740034137.4372] vpn[0x58db282782d0,132c9eee-2134-4f7a-8326-58bde38036de,"canonical-uk"]: starting openvpn
  [snipped]
  Feb 20 07:48:57 paprika nm-openvpn[10793]: Cannot pre-load keyfile (/home/tom/Documents/vpn/ta.key)
  Feb 20 07:48:57 paprika nm-openvpn[10793]: Exiting due to fatal error
  [snipped]
  Feb 20 07:48:57 paprika kernel: audit: type=1400 audit(1740034137.454:789): apparmor="DENIED" operation="open" class="file" profile="openvpn" name="/home/tom/Documents/vpn/ta.key" pid=10793 comm="openvpn" requested_mask="r" denied_ma>

  So openvpn can no longer access /home/tom/Documents/canonical/vpn/canonical_ta.key.

  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: apparmor 4.1.0~beta5-0ubuntu2
  ProcVersionSignature: Ubuntu 6.12.0-15.15-generic 6.12.11
  Uname: Linux 6.12.0-15-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.31.0-0ubuntu5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Feb 20 08:57:57 2025
  InstallationDate: Installed on 2024-07-18 (217 days ago)
  InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/usr/bin/zsh
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.12.0-15-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  UpgradeStatus: Upgraded to plucky on 2024-12-20 (62 days ago)
  modified.conffile..etc.apparmor.d.element-desktop: [modified]
  mtime.conffile..etc.apparmor.d.element-desktop: 2025-02-11T18:32:02.077059
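The log-tailing and rule-derivation step that the comment above attributes to aa-notify/aa-logprof, as an added example (not aa-notify's or aa-logprof's own code, and not from the bug report): it parses an apparmor="DENIED" audit line of the kind quoted in the bug description and derives the file rule such a tool would propose to append to the profile before reloading it with apparmor_parser. Assumptions: the sample lines are constructed from the bug's denial (the denied_mask value completes the line that the report shows truncated at "denied_ma>"), home paths are rewritten to the owner @{HOME} tunable form, exec denials are left for manual handling, and the profile file is taken to live at /etc/apparmor.d/<profile name>.

```python
"""Parse AppArmor DENIED audit lines and derive the file rule that an
after-the-fact tool (aa-notify / aa-logprof style) would offer to add."""
import re

# Constructed sample lines, modelled on the denial quoted in the bug report.
# The first is a complete line (denied_mask/fsuid/ouid are a constructed
# completion); the second keeps the truncation exactly as the report shows it.
SAMPLE_LINES = [
    'Feb 20 07:48:57 paprika kernel: audit: type=1400 audit(1740034137.454:789): '
    'apparmor="DENIED" operation="open" class="file" profile="openvpn" '
    'name="/home/tom/Documents/vpn/ta.key" pid=10793 comm="openvpn" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Feb 20 07:48:57 paprika kernel: audit: type=1400 audit(1740034137.454:789): '
    'apparmor="DENIED" operation="open" class="file" profile="openvpn" '
    'name="/home/tom/Documents/vpn/ta.key" pid=10793 comm="openvpn" '
    'requested_mask="r" denied_ma>',
]

# key="quoted value" or key=bare-value, as the audit subsystem emits them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# /home/<user>/... prefix, rewritten to the @{HOME} tunable below
HOME_RE = re.compile(r'^/home/[^/]+/')


def parse_denial(line):
    """Return the key=value fields of an apparmor="DENIED" line, or None for
    any other log line (allowed/audit events, unrelated kernel messages)."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    # A truncated line (as in the bug) may lack denied_mask; fall back to
    # requested_mask so the denial is still actionable.
    fields.setdefault('denied_mask', fields.get('requested_mask', ''))
    return fields


def mask_to_perms(mask):
    """Collapse an audit mask into the permission letters of a file rule.
    Simplified mapping: create/delete become write; exec is refused because
    an exec rule needs a deliberate ix/px/ux choice, not an automated one."""
    perms = set()
    for ch in mask:
        if ch == 'x':
            raise ValueError('exec denial: choose the exec mode by hand')
        if ch in 'cd':
            perms.add('w')
        elif ch in 'rwamkl':
            perms.add(ch)
    return ''.join(p for p in 'rwamkl' if p in perms)


def rule_for(fields):
    """Build the profile line a log-driven tool would propose for a file
    denial. Paths under /home/<user>/ are generalised to owner @{HOME}/ so
    the rule is not tied to one account (an assumption about the convention)."""
    if fields is None or fields.get('class') != 'file':
        return None
    path = fields['name']
    perms = mask_to_perms(fields['denied_mask'])
    if not perms:
        return None
    if HOME_RE.match(path):
        return f"owner @{{HOME}}/{HOME_RE.sub('', path)} {perms},"
    return f"{path} {perms},"


def proposed_updates(lines):
    """Map each denial to its profile. Duplicate rules collapse, mirroring how
    a log-driven tool accumulates entries before rewriting the profile."""
    updates = {}
    for line in lines:
        fields = parse_denial(line)
        rule = rule_for(fields)
        if rule:
            updates.setdefault(fields['profile'], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in updates.items()}


if __name__ == '__main__':
    for profile, rules in proposed_updates(SAMPLE_LINES).items():
        # Assumed file location; the on-disk name need not match the profile name.
        print(f"# rules to append to the {profile} profile, then reload with:")
        print(f"#   apparmor_parser -r /etc/apparmor.d/{profile}")
        for rule in rules:
            print(f"  {rule}")
```

For the bug's denial this yields a single rule for the openvpn profile, "owner @{HOME}/Documents/vpn/ta.key r,". As the comment points out, reloading the profile only affects the next open(); the nm-openvpn process in the report had already exited with a fatal error, so the connection must be started again before the new rule is exercised.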



-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp