I seem to have the same apparmor problem with Chrome under Lubuntu 24.04. From "$ journalctl | grep apparmor | grep chrome" I got info="Userns create restricted - failed to find unprivileged_userns profile" (among other things). And it's been reproduced by another as the following relates.
EDIT: This is all in a live boot environment.
Can anyone help? Much more detail below. And you can email me: <email address hidden>.
Prior Lubuntu versions, I wget'd the latest Chrome deb from Google and installed it via sudo dpkg -i. Usually it worked quite well. Now with Lubuntu 24.04, I downloaded the latest Chrome deb the same way on Apr. 28, 2024, but Chrome's not working.
If I run /usr/bin/google-chrome or /usr/bin/google-chrome-stable:
Meanwhile, $ sudo netstat -antvp shows active connections to multiple IPs associated with Google, presumably because I tried multiple times to get Chrome to launch.
```
$ cat /etc/apparmor.d/chrome
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
Someone else reproduced this, following these steps:
```
1. figured out what version of apparmor contained the fix
2. booted the live image
3. checked that the version of apparmor on the live image was greater than or equal to the version with the fix
4. installed chrome
5. ran chrome on the command line, specifically using the path specified in the apparmor profile
6. got the same error you did
7. checked the logs and i see the error that it can't find the profile
```
Can anyone help? Maybe there's a way for me to pull off the unconfined apparmor workaround?
I seem to have the same apparmor problem with Chrome under Lubuntu 24.04. From "$ journalctl | grep apparmor | grep chrome" I got info="Userns create restricted - failed to find unprivileged_userns profile" (among other things). And it's been reproduced by another as the following relates.
EDIT: This is all in a live boot environment.
Can anyone help? Much more detail below. And you can email me: <email address hidden>.
Prior Lubuntu versions, I wget'd the latest Chrome deb from Google and installed it via sudo dpkg -i. Usually it worked quite well. Now with Lubuntu 24.04, I downloaded the latest Chrome deb the same way on Apr. 28, 2024, but Chrome's not working.
If I run /usr/bin/ google- chrome or /usr/bin/ google- chrome- stable:
``` 55151:0428/ 224255. 271437: FATAL:credentia ls.cc(127) ] Check failed: . : Permission denied (13)
$ google-chrome
[55151:
Trace/breakpoint trap (core dumped)
```
or
``` chrome- stable 55166:0428/ 224300. 689874: FATAL:credentia ls.cc(127) ] Check failed: . : Permission denied (13)
$ google-
[55166:
Trace/breakpoint trap (core dumped)
```
Meanwhile, $ sudo netstat -antvp shows active connections to multiple IPs associated with Google, presumably because I tried multiple times to get Chrome to launch.
Then,
``` libreoffice. program. oosplash libreoffice. program. senddoc libreoffice. program. soffice. bin libreoffice. program. xpdfimport snapd.snap- confine. real cups-browsed checkpackages toybox usr.sbin.rsyslogd destroychroot tup virtiofsd control- center vivaldi-bin
$ ls /etc/apparmor.d
1password firefox lxc-stop rootlesskit scide usr.bin.redshift
Discord flatpak lxc-unshare rpm signal-desktop usr.bin.tcpdump
MongoDB_Compass force-complain lxc-usernsexec rssguard slack usr.lib.
QtWebEngineProcess geary mmdebstrap rsyslog.d slirp4netns usr.lib.
abi github-desktop msedge runc steam usr.lib.
abstractions goldendict nautilus sbuild stress-ng usr.lib.
brave ipa_verify notepadqq sbuild-abort surfshark usr.lib.
buildah kchmviewer nvidia_modprobe sbuild-adduser systemd-coredump usr.sbin.
busybox keybase obsidian sbuild-apt thunderbird usr.sbin.cupsd
cam lc-compliance opam sbuild-
ch-checkns libcamerify opera sbuild-clean trinity uwsgi-core
ch-run linux-sandbox pageedit sbuild-createchroot tunables vdens
chrome local plasmashell sbuild-
code loupe podman sbuild-distupgrade tuxedo-
crun lsb_release polypane sbuild-hold ubuntu_pro_apt_news vpnns
devhelp lxc-attach privacybrowser sbuild-shell unix-chkpwd wpcom
element-desktop lxc-create qcam sbuild-unhold unprivileged_userns
epiphany lxc-destroy qmapshack sbuild-update userbindmount
evolution lxc-execute qutebrowser sbuild-upgrade usr.bin.man
```
and
``` d/chrome
$ cat /etc/apparmor.
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile chrome /opt/google/ chrome/ chrome flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/chrome>
}
```
This didn't work either:
``` chrome/ chrome 793962: WARNING: chrome_ main_linux. cc(80)] Read channel stable from /opt/google/ chrome/ CHROME_ VERSION_ EXTRA 66808:0429/ 105700. 802212: FATAL:credentia ls.cc(127) ] Check failed: . : Permission denied (13)
$ /opt/google/
[0429/105700.
[66808:
Trace/breakpoint trap (core dumped)
```
Note that I also ran this:
``` 2.824:140) : apparmor="STATUS" operation= "profile_ replace" profile= "unconfined" name="snap. chromium. chromedriver" pid=19182 comm="apparmor_ parser" 1.521:200) : apparmor="DENIED" operation= "userns_ create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile= "unconfined" pid=46114 comm="chrome" requested= "userns_ create" denied= "userns_ create" target= "unprivileged_ userns"
$ journalctl | grep apparmor | grep chrome
Apr 28 21:22:42 lubuntu kernel: audit: type=1400 audit(171436456
Apr 28 22:04:11 lubuntu kernel: audit: type=1400 audit(171436705
```
Someone else reproduced this, following these steps:
```
1. figured out what version of apparmor contained the fix
2. booted the live image
3. checked that the version of apparmor on the live image was greater than or equal to the version with the fix
4. installed chrome
5. ran chrome on the command line, specifically using the path specified in the apparmor profile
6. got the same error you did
7. checked the logs and i see the error that it can't find the profile
```
Can anyone help? Maybe there's a way for me to pull off the unconfined apparmor workaround?