After upgrade to Kubuntu 24.04 The Trezor Suite stopped working

Bug #2065498 reported by Venca B Spam
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

After upgrade to Kubuntu 24.04 The Trezor Suite stopped working.

*How to reproduce:*
1. Have Kubuntu 22.04 installed
2. Have Trezor-Suite installed and fully working in the home directory (e.g. /home/user/opt/Trezor-Suite/Trezor-Suite-24.4.3-linux-x86_64.AppImage)
3. Upgrade to Kubuntu 24.04

*What happens:*
Starting Trezor-Suite ends with a crash.
The console shows the following log:
```text
[55166:0511/203747.067437:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_TrezorognnPR/chrome-sandbox is owned by root and has mode 4755.
```

*What is expected:*
Trezor-Suite should fully work on Kubuntu 24.04.

This bug is related to bug https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

Venca B Spam (vbspam) wrote:

The syslog showed the following:
```text
2024-05-11T20:15:13.136932+02:00 XXX kernel: audit: type=1400 audit(1715451313.135:228): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=49113 comm="trezor-suite" requested="userns_create" target="unprivileged_userns"
2024-05-11T20:15:13.137900+02:00 XXX kernel: audit: type=1400 audit(1715451313.136:229): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=49120 comm="trezor-suite" capability=21 capname="sys_admin"
```

So I tried to fix it by creating the following AppArmor profile:
```text
abi <abi/4.0>,
include <tunables/global>

profile trezor-suite /home/user/opt/Trezor-Suite-24.4.3-linux-x86_64.AppImage flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/trezor-suite>
}
```

But it did not fix it.

This is what I found in syslog after reloading AppArmor:
```text
2024-05-11T20:26:53.662869+02:00 XXX kernel: audit: type=1400 audit(1715452013.661:463): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=52568 comm="trezor-suite" requested="userns_create" target="unprivileged_userns"
2024-05-11T20:26:53.676885+02:00 XXX kernel: traps: trezor-suite[52568] trap int3 ip:56e0121d634a sp:7ffe7f362260 error:0 in trezor-suite[56e00e6d5000+7e39000]
2024-05-11T20:26:53.758488+02:00 XXX systemd[1]: tmp-.mount_Trezorvs9be5.mount: Deactivated successfully.
```

Leesoo Ahn (lsahn) wrote:

It doesn't seem to be related to AppArmor, since the last syslog didn't print out a DENIED log.

I think the following log shows the main issue:
```text
2024-05-11T20:26:53.676885+02:00 XXX kernel: traps: trezor-suite[52568] trap int3 ip:56e0121d634a sp:7ffe7f362260 error:0 in trezor-suite[56e00e6d5000+7e39000]
```
The kernel raised a trap on the process.

Venca B Spam (vbspam) wrote:

Initially I thought the same; however, in comment #3 of the original bug they experience the same symptoms after fixing the policy.

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/comments/3

Looks like the user namespace has not been created, even with the updated policy.

Venca B Spam (vbspam) wrote:

When I use the following workaround, the app starts without problems.
```shell
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
```

Leesoo Ahn (lsahn) wrote:

I just looked at the AppArmor kernel code real quick and figured out that this behavior isn't a bug since AppArmor 4.0; it was planned by the AppArmor engineers.

So here are some quick ways you could deal with it:

1. Turn off "kernel.apparmor_restrict_unprivileged_userns", which you already did.
2. Rebuild the distro kernel with the following config off: "CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS".

If you want to disable it, the first one would be better because you can configure it at runtime, i.e. enable or disable it anytime.

*no warranty for any consequences by doing that*

Georgia Garcia (georgiag) wrote:

When the Trezor AppImage runs on my machine, it mounts it in a tmp directory and runs the trezor-suite binary from there, so an AppArmor profile with an attachment on /home/user/opt/Trezor-Suite-24.4.3-linux-x86_64.AppImage wouldn't work.

Since it runs from something like /tmp/.mount_Trezor8oIp6a/trezor-suite, you can try the following profile:
```text
abi <abi/4.0>,
include <tunables/global>

profile trezor-suite /tmp/.mount_Trezor[a-zA-Z0-9]*/trezor-suite flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/trezor-suite>
}
```
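The diagnosis this thread converges on (the `userns_create` audit line still names `profile="unconfined"` because the first profile's attachment path did not match the binary the AppImage actually executes from /tmp) can be automated. The script below is an added example, not code from the bug report or from the AppArmor project: it parses the audit lines quoted above, flags a process hit by the AppArmor 4.0 unprivileged-userns restriction, and derives the `/tmp/.mount_...` attachment glob from one observed path. The sample log is constructed from the lines in this thread, and the mount-directory naming (six-character prefix plus a six-character random suffix) is an assumption about the AppImage runtime.

```python
import re
from typing import Dict, List

# Constructed from the audit lines quoted in this bug; not a live capture.
SAMPLE_SYSLOG = """\
2024-05-11T20:15:13.136932+02:00 XXX kernel: audit: type=1400 audit(1715451313.135:228): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=49113 comm="trezor-suite" requested="userns_create" target="unprivileged_userns"
2024-05-11T20:15:13.137900+02:00 XXX kernel: audit: type=1400 audit(1715451313.136:229): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=49120 comm="trezor-suite" capability=21 capname="sys_admin"
"""

# key=value or key="quoted value" pairs as printed in AppArmor audit messages
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the fields of an AppArmor audit line, or {} for any other line."""
    if 'apparmor="' not in line:
        return {}
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def diagnose(syslog: str, comm: str) -> List[str]:
    """Explain, line by line, what the userns restriction did to process `comm`."""
    findings = []
    for fields in map(parse_audit_line, syslog.splitlines()):
        if fields.get("comm") != comm:
            continue
        if fields.get("operation") == "userns_create":
            findings.append(f"userns_create by '{fields['profile']}' -> '{fields['target']}'")
            if fields["profile"] == "unconfined":
                # Still unconfined here means no profile attached to the process
                # (the thread's first profile pointed at the AppImage, not the mounted binary).
                findings.append("no profile attached: fix the attachment path")
        elif fields.get("apparmor") == "DENIED" and fields.get("profile") == "unprivileged_userns":
            findings.append(f"denied {fields.get('capname')} inside unprivileged_userns")
    return findings

def appimage_attachment(mounted_exe: str) -> str:
    """Turn one observed /tmp/.mount_<prefix><6 random chars>/<exe> path into a glob.
    Assumes the AppImage runtime's mount-dir naming (prefix + mkdtemp suffix)."""
    m = re.fullmatch(r"(/tmp/\.mount_.+?)[A-Za-z0-9]{6}(/.+)", mounted_exe)
    if not m:
        raise ValueError(f"not an AppImage mount path: {mounted_exe}")
    return f"{m.group(1)}[a-zA-Z0-9]*{m.group(2)}"

def render_profile(name: str, attachment: str) -> str:
    """Render the unconfined-with-userns profile shape used in this thread."""
    return (f"abi <abi/4.0>,\ninclude <tunables/global>\n\n"
            f"profile {name} {attachment} flags=(unconfined) {{\n  userns,\n\n"
            f"  include if exists <local/{name}>\n}}\n")

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_SYSLOG, "trezor-suite")))
    print(render_profile("trezor-suite", appimage_attachment("/tmp/.mount_Trezor8oIp6a/trezor-suite")))
```

After loading the rendered profile with `apparmor_parser -r`, a process whose `userns_create` audit line no longer shows `profile="unconfined"` (or produces no such line at all) is the check that the attachment now matches.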
