Apparmor breaks Joplin Desktop

Bug #2062441 reported by Archisman Panigrahi
Affects: apparmor (Ubuntu) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned

Bug Description

Joplin is a FOSS note taking app based on electron, that does not work in Ubuntu 24.04 due to apparmor preventing it from running.

John Johansen (jjohansen) wrote :

Unfortunately Joplin is only shipped as an AppImage for Linux. Which means we cannot ship a profile for it by default that will allow it to use capabilities within the unprivileged user namespace that the electron embedded browser is attempting to use.

This means that the user is required to intervene to enable an electron based appimage so that it can be run. Unfortunately for 24.04 this means some manual command line based intervention, instead of using a GUI like on MacOS when a user needs to enable an application downloaded from the internet.

This change is deliberate to increase the security of Ubuntu systems, and while we will work on improving the user experience of the requirement to have the user approve applications that are using privileged kernel interfaces, there is no plan to revert this change. You can read more about this in the release notes https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890

If you look in the kernel logs (or dmesg) you will find an apparmor message similar to the ones below showing what is causing your issue.

```
$ sudo dmesg | grep "apparmor=\"AUDIT"

[ 85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
```
and
```
$ sudo dmesg | grep DENIED

[ 85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21 capname="sys_admin"
```

Unfortunately unprivileged user namespaces are using privileged kernel interfaces (above protected by capability sys_admin) that have now been restricted to known applications because they have been used in a lot of exploit chains.

You can add a profile for the application by copying the profile from below into /etc/apparmor.d/ and then updating it by replacing `/home/jj/Downloads/Joplin-2.14.20.AppImage` with the location you are running your joplin AppImage from.

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile joplin /home/jj/Downloads/Joplin-2.14.20.AppImage flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  # (The include name matches this profile; the original snippet carried over
  # <local/firefox> from the profile it was copied from.)
  include if exists <local/joplin>
}
```

Once that is done you can do
```
$ sudo apparmor_parser -r /etc/apparmor.d/joplin
```

That will allow you to run joplin without having to reboot. Having the joplin profile in /etc/apparmor.d/ will ensure it is reloaded if you reboot.

Changed in apparmor (Ubuntu):
status: New → Won't Fix
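The two steps in the comment above, finding out which process AppArmor pushed into `unprivileged_userns` and then writing a named profile for its AppImage path, can be scripted. The following shell script is an added example and is not part of this bug report or of the apparmor package; it assumes a POSIX shell with `awk`, and the audit lines it parses are a constructed copy of the two lines quoted above rather than output captured from a live system.

```shell
#!/bin/sh
# Constructed sample of the two audit lines quoted in the bug report
# (not captured from a live system).
SAMPLE_LOG='[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21 capname="sys_admin"'

# userns_denials LOGTEXT
# Print "<comm> <capname>" for every capability denial that happened inside
# the unprivileged_userns profile, i.e. for every process that created an
# unprivileged user namespace and was then refused the capability it wanted.
# On a real system feed it: userns_denials "$(sudo dmesg)"
userns_denials() {
    printf '%s\n' "$1" | awk '
        /apparmor="DENIED"/ && /profile="unprivileged_userns"/ && /operation="capable"/ {
            comm = ""; cap = ""
            # Fields are key="value" tokens; pick the two we care about.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)    { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^capname=/) { cap = $i;  sub(/^capname="/, "", cap); sub(/"$/, "", cap) }
            }
            print comm, cap
        }'
}

# make_profile NAME /absolute/path/to/app.AppImage
# Emit a profile in the same shape as the one posted in the bug: unconfined
# (allows everything), with "userns," so the app may create user namespaces,
# and named so audit lines show NAME instead of "unconfined".
# The path must be absolute and free of whitespace, since an unquoted
# attachment path in a profile is taken literally up to the next space.
make_profile() {
    name=$1
    path=$2
    case $path in
        /*) ;;
        *) echo "make_profile: path must be absolute: $path" >&2; return 1 ;;
    esac
    case $path in
        *[[:space:]]*) echo "make_profile: path must not contain whitespace" >&2; return 1 ;;
    esac
    cat <<EOF
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile $name $path flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Demo when run directly: show the sample denial, then print a profile for a
# placeholder AppImage path (replace with your own, e.g. the one in the bug).
if [ "${1:-}" = "--demo" ]; then
    echo "processes denied a capability inside an unprivileged userns:"
    userns_denials "$SAMPLE_LOG"
    echo
    make_profile joplin /home/user/Downloads/Joplin.AppImage
fi
```

Run `sh script.sh --demo` to see the parsed denial and the generated profile; to install it, redirect `make_profile joplin /path/to/Joplin.AppImage` into /etc/apparmor.d/joplin and load it with `sudo apparmor_parser -r /etc/apparmor.d/joplin` as the comment describes. The `comm` value printed by `userns_denials` is the kernel's 15-character truncated process name, which is why it shows as `@joplinapp-desk` rather than the full AppImage name.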