I can't seem to get the xattr solution to work. I'm trying it on a normal binary and it's failing like so:
# Contents of /etc/apparmor.d/falkon
abi <abi/4.0>,
include <tunables/global>

profile falkon xattrs=(security.apparmor=falkon) flags=(unconfined) {
  userns,
  include if exists <local/falkon>
}

# setfattr command
user@user-standardpc:/usr/bin$ sudo setfattr -n security.apparmor -v falkon /usr/bin/falkon

# make sure the attribute is set
user@user-standardpc:/usr/bin$ getfattr -n security.apparmor /usr/bin/falkon
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/falkon
security.apparmor="falkon"

# attempt to launch
user@user-standardpc:/usr/bin$ /usr/bin/falkon
[3967:3967:1220/095728.818079:FATAL:credentials.cc(125)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)

# checking the logs
user@user-standardpc:/usr/bin$ journalctl -n100
...
Dec 20 09:57:28 user-standardpc kernel: audit: type=1400 audit(1703084248.814:826): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=3967 comm="falkon" requested="userns_create" denied="userns_create"
Dec 20 09:57:37 user-standardpc kernel: traps: falkon[3967] trap int3 ip:7f3ae85d7b13 sp:7ffe61e8b700 error:0 in libQt5WebEngineCore.so.5.15.15[7f3ae63b4000+6931000]
...
The solution that involves spelling out the absolute path to the file does work.
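To tell from the journal whether the profile ever attached to the process, here is an added Python triage script (my own, not the poster's): it parses the AppArmor audit fields out of kernel log lines and reports the confining profile. The sample input is the two kernel lines quoted above plus one constructed denial under an attached profile; the key point it surfaces is that profile="unconfined" means the process ran under no profile at all, so the xattr attachment never took effect.

```python
import re
from typing import Dict, List

# Sample input: the two kernel lines from the post above, plus one constructed
# line showing a userns_create denial while the profile *is* attached.
SAMPLE_LOG = """\
Dec 20 09:57:28 user-standardpc kernel: audit: type=1400 audit(1703084248.814:826): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=3967 comm="falkon" requested="userns_create" denied="userns_create"
Dec 20 09:57:37 user-standardpc kernel: traps: falkon[3967] trap int3 ip:7f3ae85d7b13 sp:7ffe61e8b700 error:0 in libQt5WebEngineCore.so.5.15.15[7f3ae63b4000+6931000]
Dec 20 10:02:11 user-standardpc kernel: audit: type=1400 audit(1703084531.101:840): apparmor="DENIED" operation="userns_create" class="namespace" error=-13 profile="falkon" pid=4101 comm="falkon" requested="userns_create" denied="userns_create"
"""

# key=value or key="quoted value" pairs as emitted in type=1400 audit records
AUDIT_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_fields(line: str) -> Dict[str, str]:
    """Return the key/value fields of an AppArmor audit line, or {} for any
    other line (e.g. the 'traps:' crash line, which is not an audit record)."""
    if 'apparmor="' not in line:
        return {}
    return {key: value.strip('"') for key, value in AUDIT_KV.findall(line)}


def diagnose_userns_denial(fields: Dict[str, str]) -> str:
    """Explain a userns_create denial in terms of profile attachment."""
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "userns_create":
        return "not a userns_create denial"
    comm, pid, profile = fields.get("comm", "?"), fields.get("pid", "?"), fields.get("profile", "")
    if profile == "unconfined":
        # No profile confined the task, so neither the xattr nor a path
        # attachment matched the executable that was run.
        return f"{comm} (pid {pid}) ran unconfined: no profile attached"
    # A named profile was in force but still denied the operation, so the
    # profile itself does not grant user namespace creation.
    return f"{comm} (pid {pid}) ran under profile '{profile}', which denied userns_create"


def triage(log_text: str) -> List[str]:
    """Run the diagnosis over every AppArmor audit line in a journal excerpt."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_audit_fields(line)
        if fields:
            findings.append(diagnose_userns_denial(fields))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```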