** Description changed:

  SRU Justification:
  
  [ Impact ]
  
  The remmina profile is missing a bunch of rules that would be needed in
  order to allow usage of all its functionality. For example, remmina
  lacked permissions to read ssh keys for the SSH and SFTP operation
  modes, lacked permissions to access KDE Wallet secret storage, and could
  not create files needed for TLS-secured RDP. As such, we will need to
  pull the remmina profile from Plucky to avoid breaking its usages.
  
  [ Test Plan ]
  
- After installation of the new AppArmor version, the machine might need
- to be rebooted. If a reboot between installation and test plan execution
- is needed for a test to pass, please mention it in the test plan
- execution notes so that we can determine if this is cause for
- verification test failure, expected behavior, or the result of an
- unrelated bug that we are not attempting to fix with this SRU.
- 
-  * Run `sudo aa-status` and look for a loaded remmina profile: it should not 
be there
-  * If it is still there after installing the updated AppArmor and rebooting, 
report verification test failure
-  * Launch remmina
-  * Use ps -Zelf | grep -F remmina to locate the running remmina process
-  * Read the output to verify that remmina is now unconfined
-  * Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing 
its terminal (closing the GUI window is insufficient)
-  * Install apparmor-profiles if it wasn't installed already
-  * Repeat the above steps to verify that remmina is unconfined even when 
apparmor-profiles is also installed (including reboot if installing 
apparmor-profiles fresh)
-  * Warning: remmina writes a .desktop file to automatically start itself upon 
login, which will complicate profile replacement if investigating remmina test 
failure
+  * Run `sudo aa-status` and look for a loaded remmina profile: it should not 
be there
+  * If it is still there after installing the updated AppArmor and rebooting, 
report verification test failure
+  * Launch remmina
+  * Use ps -Zelf | grep -F remmina to locate the running remmina process
+  * Read the output to verify that remmina is now unconfined
+  * The following steps exercise the SSH operation mode of remmina to verify 
that it is not broken:
+    - Set up a different server that uses SSH pubkey authentication, place the 
keypair inside the Plucky client's `~/.ssh`, and verify from a terminal window 
that the keypair works as authentication for SSHing into the server
+    - Click the '+' button to add a new connection
+    - Set the protocol to SSH
+    - Enter the server URL and set the authentication type to 'SSH identity 
file'
+    - Check the 'SSH identity file' checkbox and select the private key inside 
`~/.ssh`. If a permission denial occurs when trying to select the file, report 
verification test failure
+    - Click the 'Connect' button and follow any prompt it might show, which 
should end with successfully opening a remote shell
+  * Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing 
its terminal (closing the GUI window is insufficient)
+  * Install apparmor-profiles if it wasn't installed already
+  * Repeat the above steps to verify that remmina is unconfined even when 
apparmor-profiles is also installed (including reboot if installing 
apparmor-profiles fresh)
+  * Warning: remmina writes a .desktop file to automatically start itself upon 
login, which will complicate profile replacement or removal if investigating 
remmina test failure
  
  [ Where problems could occur ]
  
  The removal of the profile should restore remmina's functionality to its
  original state before a profile was added, as an application would not
  rely on external AppArmor denials to function correctly. However, if a
  user set up custom profiles that use "peer=remmina" IPC rules, then
  these rules would break upon the upgrade removing the remmina profile.
  None of the officially shipped profiles include such rules.
  
  [ Other Info ]
  
  --------Original bug report:
  
  Remmina is now failing on plucky, blocked by apparmor:
  
  Failed to register: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied:
  An AppArmor policy prevents this sender from sending this message to
  this recipient; type="method_call", sender=":1.126" (uid=1000 pid=9636
  comm="remmina" label="remmina (enforce)") interface="org.gtk.Actions"
  member="DescribeAll" error name="(unset)" requested_reply="0"
  destination="org.remmina.Remmina" (uid=1000 pid=4366
  comm="/usr/bin/remmina -i" label="remmina (enforce)")
  
  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: remmina 1.4.39+dfsg-1
  ProcVersionSignature: Ubuntu 6.12.0-16.16-generic 6.12.11
  Uname: Linux 6.12.0-16-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.32.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Tue Mar 11 09:09:15 2025
  InstallationDate: Installed on 2024-10-30 (132 days ago)
  InstallationMedia: Ubuntu-Studio 24.10 "Oracular Oriole" - Release amd64 
(20241007.1)
  SourcePackage: remmina
  UpgradeStatus: Upgraded to plucky on 2025-01-25 (45 days ago)
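
Review bot: The added SSH sub-steps under "The following steps exercise the SSH operation mode" cover only one of the breakages listed in [ Impact ]; access to KDE Wallet secret storage and creation of the files needed for TLS-secured RDP are not exercised, so either add a step for each or state that SSH is the representative check. The revised plan also drops the opening paragraph about rebooting, while the remaining steps still say "after installing the updated AppArmor and rebooting" and "including reboot if installing apparmor-profiles fresh", so it no longer says how a reboot between installation and testing should be recorded. "Repeat the above steps" now follows the SSH sub-steps, so say whether they are part of the repeat with apparmor-profiles installed. Only the key-selection sub-step names a failure condition; the 'Connect' sub-step should state that failing to open a remote shell is also a verification test failure.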

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2102033

Title:
  remmina blocked by apparmor in Plucky

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2102033/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
