The solution I found is to add the following rule in
/etc/apparmor.d/local/fusermount3:

  unix (receive, send) type=stream,

Then run:

% sudo apparmor_parser -r /etc/apparmor.d/fusermount3

This assumes that /etc/apparmor.d/fusermount3 has the following line:

  include if exists <local/fusermount3>

---

Side note: aa-logprof does not seem to like the rule format for mount.
When I ran `sudo aa-logprof` I got:

skipping unparseable profile /etc/apparmor.d/fusermount3 (Can't parse
mount rule mount fstype=@{fuse_types} options=(nosuid,nodev) options in
(ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{HOME}/**/,)

The same happens with other commands like aa-complain.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2120439

Title:
  Pika Backup fails to mount backup because of apparmor fusermount3

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  This bug has been reported by several users to Pika Backup's GitLab,
  and the maintainers have determined that the underlying issue is in
  Ubuntu's apparmor package. Here is the upstream bug report:

  https://gitlab.gnome.org/World/pika-backup/-/issues/613

  This issue is found on Ubuntu 25.04, with apparmor
  4.1.0~beta5-0ubuntu14, while running Pika Backup 0.7.4 installed using
  Flatpak using this command:

  flatpak install flathub org.gnome.World.PikaBackup

  When browsing an archive in Pika Backup, the operation fails with this
  error shown to the user: "sending file descriptor: bad file
  descriptor".

  Here are the log operations, showing that AppArmor's fusermount3
  profile is causing this issue:

  Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:232): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=3920 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="bwrap"
  Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:233): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=3920 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="unpriv_bwrap"
  Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:234): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=3920 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  This is the workaround:

  sudo aa-disable /etc/apparmor.d/fusermount3

  I've attached /etc/apparmor.d/fusermount3 to this bug report.
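
Added example, not part of the bug report or of AppArmor's own tooling: a small Python triage script that reads the denials quoted in the bug description, derives the unix-socket rule proposed in the comment, lists the denials that rule does not address, and checks that a profile actually pulls in its local override file. The function names are hypothetical, and the sample log is reassembled from the wrapped records above.

```python
import re

# Constructed sample: the three audit records from the bug description, one per line.
SAMPLE_LOG = """\
Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:232): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=3920 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="bwrap"
Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:233): apparmor="DENIED" operation="file_inherit" class="net" profile="fusermount3" pid=3920 comm="fusermount3" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="unpriv_bwrap"
Aug 12 12:58:39 kernel: audit: type=1400 audit(1754996319.586:234): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="fusermount3" name="apparmor/.null" pid=3920 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}

def denials(log, profile):
    """All DENIED records attributed to the given AppArmor profile."""
    recs = (parse_record(line) for line in log.splitlines())
    return [r for r in recs
            if r.get("apparmor") == "DENIED" and r.get("profile") == profile]

def unix_rules(log, profile):
    """Candidate unix rules for the profile's unix-socket denials, deduplicated."""
    rules = set()
    for r in denials(log, profile):
        if r.get("class") == "net" and r.get("family") == "unix":
            perms = ", ".join(sorted(r["denied"].split()))
            rules.add(f"unix ({perms}) type={r['sock_type']},")
    return sorted(rules)

def other_denials(log, profile):
    """(operation, class, name) for denials a unix rule does not address."""
    return [(r.get("operation"), r.get("class"), r.get("name"))
            for r in denials(log, profile) if r.get("class") != "net"]

def has_local_include(profile_text, name):
    """True if the profile includes local/<name>, so a rule placed there is loaded."""
    pat = r'^\s*#?include\s+(if\s+exists\s+)?<local/%s>\s*$' % re.escape(name)
    return re.search(pat, profile_text, re.M) is not None

if __name__ == "__main__":
    print(unix_rules(SAMPLE_LOG, "fusermount3"))
    print(other_denials(SAMPLE_LOG, "fusermount3"))
```

Both socket denials collapse into the single rule given in the comment, while the "disconnected path" record is reported separately because it is a file denial, not a socket one.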
