This is a mix of issues:

1. disconnected path

The failures with info="Failed name lookup - disconnected path" are due to fusermount3 being run in a mount namespace, and trying to access fds that it does not have access to. This is likely due to flatpak's sandbox design, and its broken assumption that it can get away with doing fd passing without mediation.

We can subdivide the disconnected path issue further into those specifying name="apparmor/.null" and the rest. The name="apparmor/.null" ones are not the actual file access, but fds that were inherited and passed down from a parent. To find what the actual access for these is, you will need to find the DENIED messages with operation="file_inherit". There are a couple of disconnected path denials that are also file_inherit: name="dev/null" and name="app/Cryptomator/lib/runtime/lib/modules". I am not sure why either of these is being passed by open fd. I would expect those to be opened if needed within the container. This is not just a case of accessing these via a portal, and it passing the open fd into the container. It's a case of the parent not closing the fd for these. As such these are actually probably not a problem. Especially the dev/null one, which might be on the stderr/stdout descriptors, as apparmor will replace these with access to a special null dev it controls (apparmor/.null).

2. file_inherit of network

AppArmor controls access to open fds being passed into the application by a parent process under a different confinement. In this case we are looking at networking, separate from the file access above. These are all open unix domain sockets to bwrap, possibly set up for portal access. We need to investigate why bwrap would be setting these up, and what the implication is. Generally stuff like this is set up as a way to punch holes in security, so that has to be worked out before adding those to the fusermount3 profile.

Overall it looks like we are going to have to set up some conditionals and treat fusermount3 differently when run under flatpak.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
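The triage the comment above describes (separate the apparmor/.null placeholders from the file_inherit records that name the real path, and keep the unix-socket inherits with their peer label apart) can be done mechanically over the audit log. The following is an added example, not code from the bug report or from the AppArmor project; the sample lines are copied from the report's log, and the bucket names are this example's own.

```python
import re
from collections import Counter

# Four audit records taken from the bug report above (constructed sample input for this example).
SAMPLE_AUDIT = """\
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:213): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="dev/null" pid=2359 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:214): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=2359 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:216): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="app/Cryptomator/lib/runtime/lib/modules" pid=2359 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:217): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=2359 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="bwrap"
"""

# key=value pairs; values are either "double quoted" (may contain spaces) or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, with quotes stripped."""
    fields = {}
    for key, raw, quoted in KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def classify(fields):
    """Bucket a DENIED record the way the comment separates them; None for non-denials."""
    if fields.get("apparmor") != "DENIED":
        return None
    op, cls = fields.get("operation"), fields.get("class")
    if cls == "net" and op == "file_inherit":
        return "inherited_socket"        # socket fd handed down by a parent under another label
    if fields.get("name") == "apparmor/.null":
        return "null_placeholder"        # already-revoked inherited fd; the real path is in a file_inherit record
    if "disconnected path" in fields.get("info", ""):
        return "disconnected_inherited" if op == "file_inherit" else "disconnected_open"
    return "other"

def summarize(log_text):
    """Count records per bucket and list (bucket, path-or-peer, pid) for each denial."""
    counts, details = Counter(), []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        bucket = classify(fields)
        if bucket is None:
            continue
        counts[bucket] += 1
        details.append((bucket, fields.get("name") or fields.get("peer"), fields.get("pid")))
    return counts, details

if __name__ == "__main__":
    counts, details = summarize(SAMPLE_AUDIT)
    print(dict(counts))
    for row in details:
        print(*row)
```

Feed it the full journal excerpt and the null_placeholder bucket can be ignored, the disconnected_inherited bucket tells you which fds the parent leaked, and the inherited_socket bucket lists the bwrap peers that would need a profile decision.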
https://bugs.launchpad.net/bugs/2111205

Title:
  fusermount3 profile blocks libfuse module in flatpak

Status in apparmor package in Ubuntu:
  New

Bug description:
  Upgrading to Kubuntu 24.10 with apparmor (4.1.0~beta5-0ubuntu14) breaks the flatpak app org.cryptomator.Cryptomator due to `/etc/apparmor.d/fusermount3`.

```
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:213): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="dev/null" pid=2359 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:214): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=2359 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:215): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="dev/null" pid=2359 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:216): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="app/Cryptomator/lib/runtime/lib/modules" pid=2359 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:217): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=2359 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="bwrap"
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.499:218): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=2359 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="unpriv_bwrap"
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.539:219): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="app/Cryptomator/lib/runtime/lib/modules" pid=2365 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.539:220): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=2365 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.539:221): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=2365 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="bwrap"
Mai 18 07:04:12 kubuntu kernel: audit: type=1400 audit(1747544652.539:222): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=2365 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="unpriv_bwrap"
```

  Original bug report: https://github.com/cryptomator/cryptomator/issues/3856

  When I change the profile to complain mode, Cryptomator does work flawlessly:

```
ralph@kubuntu:~$ sudo aa-complain /etc/apparmor.d/fusermount3
Setting /etc/apparmor.d/fusermount3 to complain mode.
```

  Upgrading apparmor to apparmor (4.1.0~beta5-0ubuntu15) does not change anything.