AppArmor profiles allowing userns not immediately active in 24.04 live image

Bug #2065088 reported by Simon McVittie
This bug affects 2 people
Affects: apparmor (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none listed)

Bug Description

Side issue from <https://github.com/ValveSoftware/steam-for-linux/issues/10843>. I saw this with Steam, but Ubuntu 24.04's AppArmor setup for Steam is quite simple, so I suspect that the same thing might happen for any of the other third-party software that needs an AppArmor profile for <https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844>.

Steps to reproduce:

1. Boot an Ubuntu 24.04 live image, in a virtual machine with lots of RAM (I gave it 8G) so that it will have enough space on the root tmpfs to install Steam. Using Debian 12's libvirt and qemu, I found that virtio graphics didn't work, and used qxl as a workaround.
2. When prompted, choose a keyboard layout etc., and choose to "Try Ubuntu" rather than "Install Ubuntu".
3. Open a terminal
4. sudo dpkg --add-architecture i386
5. sudo apt update
6. sudo apt install steam (in this case steam is a transitional package with a dependency on steam-installer, both at version 1:1.0.0.79~ds-2)
7. steam
8. See a prompt warning me that Steam is proprietary binary-only software. Choose Install.
9. See a light grey progress bar "Steam setup / Updating Steam runtime environment...". Wait.
10. See a dark grey progress bar "Steam / Updating Steam... Downloading update (xxx of 465,450 KB)...". Wait.
11. Dark grey progress bar becomes "Steam / Updating Steam... Extracting package...". Wait.
12. Output in terminal shows "Restarting Steam by request...". Wait.

Expected result:

- /etc/apparmor.d/steam allows Steam to create new user namespaces, etc.
- Steam starts successfully

Actual result:

- A dialog box with "Error / Steam now requires user namespaces to be enabled"
- Audit log: apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=... comm="srt-bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"

Workaround:

- Force Ubuntu's AppArmor profile for Steam to be reloaded: sudo apparmor_parser -Tr /etc/apparmor.d/steam
- Run steam again

Revision history for this message
Simon McVittie (smcv) wrote :

Installing from Valve's official steam-launcher .deb package runs into the same problem. The same workaround works.

1. Boot an Ubuntu 24.04 live image, in a virtual machine with lots of RAM (I gave it 8G) so that it will have enough space on the root tmpfs to install Steam. Using Debian 12's libvirt and qemu, I found that virtio graphics didn't work, and used qxl as a workaround.
2. When prompted, choose a keyboard layout etc., and choose to "Try Ubuntu" rather than "Install Ubuntu".
3. Open a terminal
4. Copy steam_latest.deb or steam-launcher_*.deb onto the machine somehow: in this test I was evaluating a new release that is not yet public, but I expect the same thing would happen with Valve's official .deb.
5. sudo apt update
6. sudo apt install ./*.deb
7. steam
8. See a light grey progress bar "Steam setup / Updating Steam runtime environment...". Wait.
9. See a dark grey progress bar "Steam / Updating Steam... Downloading update (xxx of 465,450 KB)...". Wait.
10. Dark grey progress bar becomes "Steam / Updating Steam... Extracting package...". Wait.
11. Output in terminal shows "Restarting Steam by request...". Wait.

Expected result: same as in initial report

Actual result: same as in initial report

Revision history for this message
John Johansen (jjohansen) wrote :

sadly yes, the init script has a bail out that stops loading policy on the live cd. We are going to have to investigate this.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Revision history for this message
John Johansen (jjohansen) wrote :

s/live cd/live image/

Revision history for this message
Simon McVittie (smcv) wrote :

> sadly yes, the init script has a bail out that stops loading policy on the live cd

So am I understanding this correctly?

- everything in the live environment is effectively `unconfined`, and before 24.04 this increased security exposure (no mitigations for compromised/malicious apps) but could not break functionality (nothing is forbidden by policy, so everything works)

- but since 24.04, `unconfined` has fewer privileges than e.g. `steam` (it cannot create new user namespaces), so the extra security exposure of userns is avoided, but some functionality is missing

This makes the live-image considerably less useful for the purpose I've been using it for: as a clean-slate Ubuntu environment, where all settings that were not manually changed are at their defaults, and hacks/workarounds from one test cannot accidentally leak into other tests.

Revision history for this message
John Johansen (jjohansen) wrote :

Your understanding is mostly correct. There are, as best I can tell, 2 exceptions with how things are set up atm

1. If the environment is setup to use early policy load, the init script bailout won't stop that policy from being loaded. But it prevents it from being live updated via systemctl reload apparmor

2. Policy managed external to the apparmor init script is not affected. This basically means policy loaded/managed by
   - virt-manager
   - lxd
   - snapd
   - policy loaded manually by directly calling apparmor_parser

I still need to dig into this more so we can get this fixed. With 24.04 enabling the user namespace restriction by default not having policy loaded can break things so we need to look at the short term immediate fix for 24.04, and then making sure this is fixed proper for 24.10.

The 24.04 fix could be any of 3 different paths
1. just don't enable the user namespace restriction, to avoid the breakage it will cause without policy
2. just load the subset of policy allowing user namespaces. This would address the user namespace restriction breakage while trying to reduce surprises caused by confinement being enabled post release.
3. load all policy.

With the fix coming post release, I doubt we will go for solution 3, but I at least want to run an initial evaluation of doing it.
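The denial quoted in the report (an `unconfined` process asking for `userns_create` with no `unprivileged_userns` policy loaded) and the `apparmor_parser -Tr` workaround, together with the distinction above between policy the init script loads and policy loaded directly with `apparmor_parser`, can be turned into a small triage check. The following is an added example, not code from the bug report or from Ubuntu's apparmor package. It parses audit lines in the format shown above, decides whether a denial is this "userns without policy" case, and looks for the expected profile in a listing in the format of `/sys/kernel/security/apparmor/profiles`. The sample audit line and profile listing are constructed from the report; the `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` path and the `/etc/apparmor.d/steam` profile path are assumptions about a 24.04 system.

```python
"""Triage helper for the AppArmor "Userns create restricted" denial.

Added example; not part of the bug report or of the apparmor package.
"""
import re
from pathlib import Path

# Constructed from the audit line quoted in the bug report (pid made up).
AUDIT_SAMPLE = (
    'apparmor="DENIED" operation="userns_create" class="namespace" '
    'info="Userns create restricted - failed to find unprivileged_userns profile" '
    'error=-13 profile="unconfined" pid=4242 comm="srt-bwrap" '
    'requested="userns_create" denied="userns_create" target="unprivileged_userns"'
)

# Constructed listing in the "name (mode)" format of
# /sys/kernel/security/apparmor/profiles; a real live image would lack these.
PROFILES_SAMPLE = """steam (unconfined)
unprivileged_userns (enforce)
/usr/bin/man (enforce)
"""

# key="quoted value" or key=bare_value, as in audit/dmesg AppArmor lines.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in _KV.findall(line)}


def is_userns_denial_without_profile(ev):
    """True for the live-image symptom: an unconfined process requested a
    user namespace and the kernel found no unprivileged_userns profile to
    transition it into, so the request was denied outright."""
    return (ev.get("apparmor") == "DENIED"
            and ev.get("operation") == "userns_create"
            and ev.get("profile") == "unconfined"
            and ev.get("target") == "unprivileged_userns")


def loaded_profiles(listing):
    """Map profile name -> mode from a 'name (mode)' per line listing."""
    loaded = {}
    for line in listing.splitlines():
        m = re.match(r"(.+?) \((\w+)\)$", line.strip())
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def diagnose(audit_line, listing, profile_name="steam",
             profile_path="/etc/apparmor.d/steam"):
    """Classify one denial and suggest the next step.

    profile_name/profile_path default to the Steam profile from the report;
    both are assumptions for other third-party software.
    """
    ev = parse_audit(audit_line)
    if not is_userns_denial_without_profile(ev):
        return "not the userns-without-policy case"
    loaded = loaded_profiles(listing)
    if profile_name in loaded:
        # Policy is present, so the process simply is not running under it
        # (e.g. launched via a path the profile does not attach to).
        return (f"{profile_name} is loaded ({loaded[profile_name]}); "
                f"comm={ev.get('comm')} is not running under it")
    # Policy missing: the init script bail-out case. Loading the profile
    # directly with apparmor_parser bypasses the init script, as the
    # workaround in the report does.
    return (f"{profile_name} not loaded; run: "
            f"sudo apparmor_parser -Tr {profile_path}")


def main():
    # Assumed paths on Ubuntu 24.04; fall back to the constructed samples
    # when they are absent or unreadable (reading them usually needs root).
    profiles = Path("/sys/kernel/security/apparmor/profiles")
    restrict = Path("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
    listing = PROFILES_SAMPLE
    try:
        listing = profiles.read_text()
        print("apparmor_restrict_unprivileged_userns =",
              restrict.read_text().strip())
    except OSError:
        print("using constructed sample data")
    print(diagnose(AUDIT_SAMPLE, listing))


if __name__ == "__main__":
    main()
```

Feed it the `apparmor="DENIED"` lines from `journalctl -k` or `/var/log/audit/audit.log`; a "not loaded" result points at the init-script bail-out, whereas "is loaded" means the policy is present but the denied process never entered it.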

Revision history for this message
Benoit Lefebvre (timskiduh) wrote :

I have the same problem on a fresh install, with sudo apt update and upgrade done right after launch. This is a critical problem, and it also affects Arch Linux. People install Steam, they close it and it never opens again. I tried different versions from the application center, same problem. Steam is in the top right corner menu, all options load and are there, but if I click Settings or Library nothing happens.

I see in my right bar a fast app appear and disappear.

This is a recent problem that affects a thousand people. It is happening right now, and it needs to be fixed as quickly as possible. People cannot use the app. It launches only on the first attempt; after closing it, nothing comes back.
Thanks to all.
