Ubuntu
apparmor package

Wike does not run in Ubuntu 24.04 due to apparmor issue

Bug #2060810 reported by Archisman Panigrahi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
New
Undecided
Unassigned

Bug Description

Wike (deb package/compiled version) does not run in Ubuntu 24.04 possibly due to some interference between apparmor and webkit.

```
$ wike

(process:11686): Gtk-WARNING **: 02:55:41.246: Unknown key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
bwrap: setting up uid map: Permission denied

** (wike:11686): ERROR **: 02:55:41.837: Failed to fully launch dbus-proxy: Child process exited with code 1
Trace/breakpoint trap
```

A workaround is to create the file `/etc/apparmor.d/wike` with the following contents:
```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile wike /usr/bin/wike flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/wike>
}
```
Then run `sudo systemctl restart apparmor.service`

This is also reported in GitHub for Wike https://github.com/hugolabe/Wike/issues/181

Revision history for this message
Archisman Panigrahi (apandada1) wrote :

In the future, will there be some mechanism for allowing apps to run without adding profiles for each app, like what is happening now?

Revision history for this message
John Johansen (jjohansen) wrote :

There are vague plans, yes. The time line of it has not been scoped, but it would be something akin to what happens on macos when you try to run a downloaded application for the first time and you have to go into their security config to allow it.

The application will still be "confined" but it may not get its own individual profile and share one with others the user has downloaded. The unconfined profile's will also get developed into full profiles. The plan is that unconfined profiles won't be a standard thing but an exception.

Another thing going to happen in the next upload is bwrap gets its own profile. Applications using bwrap might work through the bwrap profile. There will still be cases where they will need their own profile, but the bwrap profile will cover several cases that don't work today. Applications that have already received an unconfined profile will continue to work that way.

Revision history for this message
Archisman Panigrahi (apandada1) wrote (last edit ):

In this case, Wike is installed as a deb, not snap. Why is it confined?

As far as I know, this is not how deb packages worked. Is this a very new decision to confine all the apps even if they are installed via apt?

Revision history for this message
John Johansen (jjohansen) wrote :

More applications will be getting confinement, on an individual level I don't think it will be everything from debs. In this case its because it uses unprivileged user namespaces. Which is now being restricted and treated as a semi-privileged because it gives access to several privileged kernel interfaces. Those privilege kernel interfaces should be in theory safe, but the reality is that they aren't. Unprivileged user namespaces are the first step in almost every kernel exploit chain for the last 7 or so years.

In pwn2own last year 4 of the 5 exploits used unprivileged user namespaces. This year all 4 did, however if you turn the restriction on (present in 23.10 but not enabled by default) everyone one of the exploits are blocked. The current step is far from perfect, but we are working on improving it.

Revision history for this message
Archisman Panigrahi (apandada1) wrote :

Thank you for the quick reply, and the explanation.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.