apparmor breaks surfshark vpn

Bug #2046624 reported by Rick S
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

With the new apparmor (Candidate: 4.0.0~alpha2-0ubuntu7), my VPN breaks.

   *surfshark
[33104:1216/072144.904027:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap

It will work with --no-sandbox ("surfshark --no-sandbox"), but that is not ideal.
I removed apparmor as proof:

*apt policy apparmor
apparmor:
  Installed: (none)
  Candidate: 4.0.0~alpha2-0ubuntu7
  Version table:
     4.0.0~alpha2-0ubuntu7 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Now my VPN works as expected. I spent 2 hrs this morning with Surfshark support; they will get back to me in a day or two, but they can't find anything wrong on their end.

So far it points to apparmor.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor (not installed)
ProcVersionSignature: Ubuntu 6.5.0-9.9-generic 6.5.3
Uname: Linux 6.5.0-9-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia zfs
ApportVersion: 2.27.0-0ubuntu6
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: XFCE
Date: Sat Dec 16 10:40:00 2023
InstallationDate: Installed on 2023-12-10 (6 days ago)
InstallationMedia: Xubuntu 24.04 "Noble Numbat" - Daily amd64 (20231127)
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.apport:
 # set this to 0 to disable apport, or to 1 to enable it
 # you can temporarily override this with
 # sudo service apport start force_start=1
 enabled=0
mtime.conffile..etc.default.apport: 2023-12-12T09:43:48.905263

Rick S (1fallen): information type: Private Security → Public Security

Rick S (1fallen) wrote :

No apparmor still, but I will include:
  *grep 'network' /etc/apparmor.d/ab*/*
grep: /etc/apparmor.d/abstractions/base.d: Is a directory
/etc/apparmor.d/abstractions/libvirt-qemu: network inet stream,
/etc/apparmor.d/abstractions/libvirt-qemu: network inet6 stream,
/etc/apparmor.d/abstractions/libvirt-qemu: # support for passt network back-end
grep: /etc/apparmor.d/abstractions/ubuntu-browsers.d: Is a directory

Rick S (1fallen) wrote :

With apparmor

   *grep 'network' /etc/apparmor.d/ab*/*
/etc/apparmor.d/abi/3.0:network {af_unix {yes
/etc/apparmor.d/abi/3.0:network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
/etc/apparmor.d/abi/4.0:network {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
/etc/apparmor.d/abi/4.0:network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
/etc/apparmor.d/abi/kernel-5.4-outoftree-network:network {af_unix {yes
/etc/apparmor.d/abstractions/apache2-common: network inet stream,
/etc/apparmor.d/abstractions/apache2-common: network inet6 stream,
grep: /etc/apparmor.d/abstractions/apparmor_api: Is a directory
grep: /etc/apparmor.d/abstractions/base.d: Is a directory
/etc/apparmor.d/abstractions/dbus-network-manager-strict: include if exists <abstractions/dbus-network-manager-strict.d>
/etc/apparmor.d/abstractions/kde-open5: include <abstractions/dbus-network-manager-strict>
/etc/apparmor.d/abstractions/libvirt-qemu: network inet stream,
/etc/apparmor.d/abstractions/libvirt-qemu: network inet6 stream,
/etc/apparmor.d/abstractions/libvirt-qemu: # support for passt network back-end
/etc/apparmor.d/abstractions/nameservice: # to vast speed increases when working with network-based lookups.
/etc/apparmor.d/abstractions/nameservice: # TCP/UDP network access
/etc/apparmor.d/abstractions/nameservice: network inet stream,
/etc/apparmor.d/abstractions/nameservice: network inet6 stream,
/etc/apparmor.d/abstractions/nameservice: network inet dgram,
/etc/apparmor.d/abstractions/nameservice: network inet6 dgram,
/etc/apparmor.d/abstractions/nameservice: network netlink raw,
grep: /etc/apparmor.d/abstractions/ubuntu-browsers.d: Is a directory
/etc/apparmor.d/abstractions/ubuntu-helpers: # Allow all networking
/etc/apparmor.d/abstractions/ubuntu-helpers: network inet,
/etc/apparmor.d/abstractions/ubuntu-helpers: network inet6,

Rick S (1fallen) wrote :

aa-status
apparmor module is loaded.
100 profiles are loaded.
31 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /{,usr/}sbin/dhclient
   firefox
   firefox//browser_java
   firefox//browser_openjdk
   firefox//lsb_release
   firefox//sanitized_helper
   firejail-default
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   libvirtd
   libvirtd//qemu_bridge_helper
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   rsyslogd
   swtpm
   tcpdump
   virt-aa-helper
2 profiles are in complain mode.
   libreoffice-oosplash
   libreoffice-soffice
0 profiles are in prompt mode.
0 profiles are in kill mode.
67 profiles are in unconfined mode.
   /bin/toybox
   /opt/brave.com/brave/brave
   /opt/google/chrome/chrome
   /opt/microsoft/msedge/msedge
   /opt/vivaldi/vivaldi-bin
   /usr/bin/buildah
   /usr/bin/busybox
   /usr/bin/cam
   /usr/bin/ch-checkns
   /usr/bin/ch-run
   /usr/bin/crun
   /usr/bin/flatpak
   /usr/bin/ipa_verify
   /usr/bin/lc-compliance
   /usr/bin/libcamerify
   /usr/bin/lxc-attach
   /usr/bin/lxc-create
   /usr/bin/lxc-destroy
   /usr/bin/lxc-execute
   /usr/bin/lxc-stop
   /usr/bin/lxc-unshare
   /usr/bin/lxc-usernsexec
   /usr/bin/mmdebstrap
   /usr/bin/podman
   /usr/bin/qcam
   /usr/bin/rootlesskit
   /usr/bin/rpm
   /usr/bin/sbuild
   /usr/bin/sbuild-abort
   /usr/bin/sbuild-apt
   /usr/bin/sbuild-checkpackages
   /usr/bin/sbuild-clean
   /usr/bin/sbuild-createchroot
   /usr/bin/sbuild-distupgrade
   /usr/bin/sbuild-hold
   /usr/bin/sbuild-shell
   /usr/bin/sbuild-unhold
   /usr/bin/sbuild-update
   /usr/bin/sbuild-upgrade
   /usr/bin/slirp4netns
   /usr/bin/stress-ng
   /usr/bin/thunderbird
   /usr/bin/trinity
   /usr/bin/tup
   /usr/bin/userbindmount
   /usr/bin/uwsgi-core
   /usr/bin/vdens
   /usr/bin/vpnns
   /usr/lib/*-linux-gnu*/qt5/libexec/QtWebEngineProcess
   /usr/lib/qt6/libexec/QtWebEngineProcess
   /usr/libexec/*-linux-gnu*/bazel/linux-sandbox
   /usr/libexec/virtiofsd
   /usr/sbin/runc
   /usr/sbin/sbuild-adduser
   /usr/sbin/sbuild-destroychroot
   1password
   Discord
   MongoDB Compass
   code
   github-desktop
   obsidian
   opera
   polypane
   signal-desktop
   slack
   steam
   wpcom
2 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/cups-browsed (2749)
   /usr/sbin/cupsd (1929)
0 processes are in mixed mode.

Rick S (1fallen) wrote :

After reboot with apparmor active

   * systemctl status surfsharkd2.service
● surfsharkd2.service - Surfshark Daemon2
     Loaded: loaded (/lib/systemd/system/surfsharkd2.service; enabled; preset: enabled)
     Active: active (running) since Sat 2023-12-16 13:30:24 MST; 1min 12s ago
   Main PID: 1742 (surfsharkd2.js)
      Tasks: 12 (limit: 18861)
     Memory: 14.0M
        CPU: 156ms
     CGroup: /system.slice/surfsharkd2.service
             └─1742 /usr/bin/gjs /opt/Surfshark/resources/dist/resources/surfsharkd2.js

Dec 16 13:30:24 me-Legion-5-zfs systemd[1]: Started surfsharkd2.service - Surfshark Daem>
┌───────────────────>
│~
└─> surfshark
[5927:1216/133159.791330:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap

With --no-sandbox

   *surfshark --no-sandbox
[6392:1216/133222.506292:ERROR:object_proxy.cc(590)] Failed to call method: org.freedesktop.portal.Settings.Read: object_path= /org/freedesktop/portal/desktop: org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.Settings” on object at path /org/freedesktop/portal/desktop

Rick S (1fallen) wrote :

journalctl -b -1 -g DENIED --no-pager
-- No entries --
┌───────────────────>
│~
└─> journalctl -b -1 -g ALLOWED --no-pager
-- No entries --

John Johansen (jjohansen) wrote :

Can you include the output of

sudo dmesg | grep DENIED

Rick S (1fallen) wrote :

Here
  *└─> sudo dmesg | grep DENIED
[sudo] password for me:
┌───────────────────>
│~
└─>

Christian Boltz (cboltz) wrote :

> with the new apparmor Candidate: 4.0.0~alpha2-0ubuntu7
> DistroRelease: Ubuntu 24.04

This bug smells like a userns issue - programs using userns (often used for sandboxing) now _must have_ an AppArmor profile.

Can you please save the following as /etc/apparmor.d/surfshark? (Adjust the path to surfshark to the real path - /PATH/TO/ is for sure incorrect ;-)

```
abi <abi/4.0>,
include <tunables/global>

profile surfshark /PATH/TO/surfshark flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/surfshark>
}
```

Note: If I get comment #5 right, the actual executable might be /usr/bin/gjs. You can use this path in the profile _for testing_, but the real solution is to have a profile specific to surfshark, possibly with AppArmorProfile=surfshark in the systemd unit.

After creating the profile, reload the AppArmor profiles to enable the new profile.

Rick S (1fallen) wrote :

sudo aa-status |grep surfshark
   surfshark

will reboot to see

Rick S (1fallen) wrote :

Bingo, it worked, and this is new but spot on

*"programs using userns (often used for sandboxing) now _must have_ an AppArmor profile."

**Thanks cboltz :-)

John Johansen (jjohansen) wrote :

@1fallen can you update this bug with the exact profile you used, so we can add it to the set of profiles that is being installed by default.

John Johansen (jjohansen) wrote :

Also, for others that might find this bug, there is documentation around userns mediation in the apparmor wiki:

https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction

Rick S (1fallen) wrote :

Sure thing

nano /etc/apparmor.d/surfshark

```
abi <abi/4.0>,
include <tunables/global>

profile surfshark /opt/Surfshark/surfshark flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/surfshark>
}
```

Reload apparmor and presto.
Reboots are golden.

Rick S (1fallen) wrote :

@jjohansen that link came in pretty handy.
I will link to it when helping others.

John Johansen (jjohansen) wrote :

The surfshark profile has been uploaded to the https://launchpad.net/~apparmor-dev/+archive/ubuntu/unprivileged-userns PPA for testing.

Rick S (1fallen) wrote :

Late to the party, but verified on a KVM install:

"Active apt repos in: /etc/apt/sources.list.d/apparmor-dev-ubuntu-unprivileged-userns-noble.sources
    1: deb https://ppa.launchpadcontent.net/apparmor-dev/unprivileged-userns/ubuntu/ noble main
"
And
"sudo aa-status |grep Surfshark*
   /opt/Surfshark/surfshark (2399) surfshark
   /opt/Surfshark/surfshark (2636) surfshark
   /opt/Surfshark/surfshark (2637) surfshark
   /opt/Surfshark/surfshark (2668) surfshark
   /opt/Surfshark/chrome_crashpad_handler (2720) surfshark
   /opt/Surfshark/surfshark (2770) surfshark
   /opt/Surfshark/surfshark (2777) surfshark
   /opt/Surfshark/surfshark (2793) surfshark
"

AndreK (andre-k) wrote :

I am unable to connect to Surfshark VPN on a cleanly installed 24.04.
An upgraded installation (23.10->24.04) works fine.

My 24.04 already has the file /etc/apparmor.d/surfshark

and I see:
$ sudo aa-status |grep surfshark
[sudo] password for andre:
   surfshark
   /opt/Surfshark/surfshark (3475) surfshark
   /opt/Surfshark/surfshark (3658) surfshark
   /opt/Surfshark/surfshark (3659) surfshark
   /opt/Surfshark/surfshark (3678) surfshark
   /opt/Surfshark/chrome_crashpad_handler (3723) surfshark
   /opt/Surfshark/surfshark (3754) surfshark
   /opt/Surfshark/surfshark (3759) surfshark
   /opt/Surfshark/surfshark (3777) surfshark

- but every connection attempt is very slow, and does not succeed.

John Johansen (jjohansen) wrote :

@1fallen: it looks like there is something more going on here. Can you check your kernel log / dmesg for apparmor DENIED messages?

e.g.

```
  sudo dmesg | grep DENIED
```

John Johansen (jjohansen) wrote :

As for upgrade vs. clean install: the unprivileged userns restriction is enabled via a sysctl, and upgrading will not enable it by default.
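The workaround above (a profile granting `userns`, then reloading it) and the two diagnostics asked for later in the thread (the DENIED lines in dmesg and the sysctl that turns the restriction on) fit in a small POSIX shell helper. This is an added example, not code from the bug report, from Surfshark or from the AppArmor project. It assumes the sysctl is exposed as /proc/sys/kernel/apparmor_restrict_unprivileged_userns (the name Ubuntu uses for this restriction), that `apparmor_parser -r` is available to load a profile, and the dmesg sample it parses is constructed, not captured from the reporter's machine.

```shell
#!/bin/sh
# Added example (not from the bug report, Surfshark, or AppArmor): helpers for the
# userns-profile workaround and the diagnostics discussed in this thread.
# Assumptions: the sysctl path below is Ubuntu's kernel.apparmor_restrict_unprivileged_userns;
# apparmor_parser and aa-status exist; SAMPLE_DMESG is a constructed sample, not real output.

# Render the minimal profile from comment #7: PROFILE_NAME covering BINARY_PATH,
# unconfined except that it explicitly permits user namespace creation.
gen_userns_profile() {
    _name="$1"
    _path="$2"
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile ${_name} ${_path} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/${_name}>
}
EOF
}

# Write the profile under DESTDIR (default /etc/apparmor.d) and print the file path.
install_userns_profile() {
    _name="$1"
    _path="$2"
    _dest="${3:-/etc/apparmor.d}"
    _file="${_dest}/${_name}"
    gen_userns_profile "$_name" "$_path" > "$_file"
    printf '%s\n' "$_file"
}

# Load (or replace) one profile in the running kernel; needs root.
load_profile() {
    apparmor_parser -r "$1"
}

# Print 1 if the unprivileged userns restriction is active, 0 if present but off,
# or "absent" when the kernel does not expose the sysctl at all.
userns_restriction_state() {
    _f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$_f" ]; then
        cat "$_f"
    else
        echo absent
    fi
}

# Read audit/dmesg text on stdin and count userns_create denials per program name
# (output lines: "<count> <comm>"). A program blocked by the restriction shows up as
# profile="unconfined" with operation="userns_create"; other DENIED lines are ignored.
summarise_userns_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="userns_create"' |
        sed -n 's/.*comm="\([^"]*\)".*/\1/p' | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample: one userns denial and one unrelated file denial (labelled sample data).
SAMPLE_DMESG='[  123.456789] audit: type=1400 audit(1702740000.000:40): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=5927 comm="surfshark" requested="userns_create" target="unprivileged_userns"
[  123.500000] audit: type=1400 audit(1702740000.100:41): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/etc/fstab" pid=6000 comm="firefox" requested_mask="r" denied_mask="r"'

# Usage (as root), following the thread's steps:
#   f=$(install_userns_profile surfshark /opt/Surfshark/surfshark) && load_profile "$f"
#   sudo dmesg | summarise_userns_denials
#   userns_restriction_state
```

The summary function is the check worth running before writing any profile: if `dmesg` shows no `userns_create` denial for the program, the crash has some other cause and an unconfined userns profile will not fix it. `userns_restriction_state` answers the upgrade-versus-clean-install question from the comment above directly, since an upgraded system may simply have the sysctl at 0.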
