[SRU] error: Failed to install org.gnome.Platform: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-4EB3B3/org.gnome.Platform-EM6KC3: Child process exited with code 1

also to mention i am testing ubuntu 25.10

Status changed to 'Confirmed' because the bug affects multiple users.

Yes, this is a problem with 25.10. See the tail end of this Github issue for more details: https://github.com/flatpak/flatpak/issues/4051

Temporary workaround to be able to use flatpaks on 25.10 is to disable the Apparmor profile for fusermount3:

$ sudo ln -s /etc/apparmor.d/fusermount3 /etc/apparmor.d/disable/
$ sudo apparmor_parser -R /etc/apparmor.d/fusermount3

To later re-enable the profile (once the bug is fixed):
$ sudo rm /etc/apparmor.d/disable/fusermount3
$ cat /etc/apparmor.d/fusermount3 | sudo apparmor_parser -a

Could you please attach example AppArmor logs to the bug report?

I've attached the syslog from attempting to install the "streamcontroller" flatpak via gnome-software.

Additionaly and maybe with less noise, here's the syslog from running "flatpak install streamcontroller"

Status changed to 'Confirmed' because the bug affects multiple users.

Note sure if it's precisely the correct approach however I fixed it with a modification to /etc/apparmor.d/fusermount3:
11,13d10
< capability dac_override,
< capability setuid,
< /run/mount/utab.lock rwk,

Those would be the rules addable to silence the denials, though they should go into /etc/apparmor.d/local/fusermount3 in order to enable /etc/apparmor.d/fusermount3 to be updateable without manual intervention.

However, I am reluctant to grant fusermount3 CAP_DAC_OVERRIDE and CAP_SETUID. Can you test whether adding just the utab.lock rule is enough to make flatpack work again, or are the capabilities also needed?

Ok, I've tried it with only this change to /etc/apparmor.d/fusermount3 and Flatpak is working:

root@cube:/etc/apparmor.d# diff fusermount3 ~/fusermount3
11d10
< /run/mount/utab.lock rwk,

The Logs are:

Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.690:299): apparmor="DENIED" operation="capable" class="cap" profile="fusermount3" pid=110534 comm="fusermount3" capability=1 capname="dac_override"
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.690:300): apparmor="DENIED" operation="capable" class="cap" profile="fusermount3" pid=110534 comm="fusermount3" capability=7 capname="setuid"
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.690:301): apparmor="DENIED" operation="capable" class="cap" profile="fusermount3" pid=110535 comm="fusermount3" capability=7 capname="setuid"
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.813:302): apparmor="DENIED" operation="capable" class="cap" profile="fusermount3" pid=110546 comm="fusermount3" capability=1 capname="dac_override"
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.813:303): apparmor="DENIED" operation="capable" class="cap" profile="fusermount3" pid=110546 comm="fusermount3" capability=7 capname="setuid"
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.813:304): apparmor="DENIED" operation="capable" class="cap" profile="fusermount3" pid=110547 comm="fusermount3" capability=7 capname="setuid"
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.814:305): apparmor="DENIED" operation="mknod" class="file" profile="fusermount3" name="/run/mount/utab.act" pid=110547 comm="umount" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.814:306): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/run/mount/utab" pid=110547 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.814:307): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/run/mount/utab.event" pid=110547 comm="umount" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Sep 27 07:45:38 cube kernel: audit: type=1400 audit(1758923138.936:308): apparmor="DENIED" operation="capable" class="cap" profile="fusermount3" pid=110557 comm="fusermount3" capability=1 capname="dac_override"

Can you be more specific about the diff? My line 11 is blank:

01: abi <abi/4.0>,
02: include <tunables/global>
03:
04: @{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}
05: profile fusermount3 /usr/bin/fusermount3 {
06: include <abstractions/base>
07: include <abstractions/nameservice>
08:
09: capability sys_admin,
10: capability dac_read_search,
11:
12: # Allow both rw and ro type mounts (e.g. AppImage uses ro)
13: #MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
14: # Below broad mount flags should be revisited once we have rule delegation
... etc

Ultimately I have no files containing `/run/mount/utab.lock rwk,`
I also notice I don't have the `capability` lines for `dac_override` or `setuid`

What does work for me is installing fuse=3.14.0-10 & fuse3=3.14.0-10 from Plucky and then holding the packages.

Sorry, Line 11 is:

 /run/mount/utab.lock rwk,

Thanks Gavin, that's the way I read it.

Looks like your diff is backwards - it shows that the line is deleted, but I didn't have the line to delete!

After adding the line and reloading, that does indeed resolve it.

Based on the log in comment 12, you'll also need

/run/mount/utab r, # I'd guess rw, but you can try r only and check the log again
/run/mount/utab.act w,
/run/mount/utab.event w,

Also, according to this log, fusermount3 (actually umount, see comm=) runs as root, so granting capability setuid, might make sense to allow it to switch to a less-privileged user.

After upgrading to 25.10 flatpack software updates are broken

Warning: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-PCJCE3/org.telegram.desktop-K7PFE3: Child process exited with code 1
Warning: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-PCJCE3/org.telegram.desktop-K7PFE3: Child process exited with code 1

(flatpak update:6103): GLib-CRITICAL **: 21:59:35.042: g_propagate_error: assertion 'src != NULL' failed

(flatpak update:6103): GLib-CRITICAL **: 21:59:35.043: g_error_copy: assertion 'error != NULL' failed

(flatpak update:6103): GLib-CRITICAL **: 21:59:35.043: g_propagate_error: assertion 'src != NULL' failed
**
GLib:ERROR:../../../glib/gerror.c:681:g_propagate_prefixed_error: assertion failed: (*dest != NULL)
Bail out! GLib:ERROR:../../../glib/gerror.c:681:g_propagate_prefixed_error: assertion failed: (*dest != NULL)
Aborted (core dumped)

Am I right in understanding that apparmor in Questing has started to ship a profile for fusermount3, which it didn't in Plucky, and this completely breaks Flatpak?

This sounds like "Severely affects applications beyond the package responsible for the root cause" and Importance: Critical is justified then.

I don't know if there is time to fix this before release or not, but even if not, Ryan please could you prepare an SRU urgently? I'll also subscribe previous sponsors of this package: this is your responsibility.

Apparmor shipped a profile for fusermount3 in Plucky as well, and it's strange that this issue is only manifesting in Questing rather than Plucky.

Regardless, I'll get an SRU ready ASAP.

Indeed the fusermount3 profile shipped in plucky as well. Here is a diff:

--- plucky-fusermount3 2025-09-09 21:23:48.000000000 +0000
+++ questing-fusermount3 2025-10-08 23:59:13.134538037 +0000
@@ -11,6 +11,7 @@

   # Allow both rw and ro type mounts (e.g. AppImage uses ro)
   #MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
+ # Below broad mount flags should be revisited once we have rule delegation
   mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{HOME}/**/,
   mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /mnt/{,**/},
   mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{run}/user/@{uid}/**/,
@@ -27,19 +28,26 @@
   umount /cvmfs/**/,

   # Flatpak's default cache directory where it mounts a revokefs-fuse
- # The second revokefs rule cannot be parsed by aa-logprof currently
   mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-*/**/,
   mount fstype=fuse.revokefs-fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/,
   umount /var/tmp/flatpak-cache-*/**/,

+ # flatpak-builder uses rofiles-fuse
+ mount fstype=fuse.rofiles-fuse options=(nosuid,nodev,rw) {rofiles-fuse,/dev/fuse} -> /var/tmp/test-flatpak-*/**/,
+ umount /var/tmp/test-flatpak-*/**/,
+
   /dev/fuse rw,

+ # needed since libfuse 3.17.1-rc0 (LP: #2111845)
+ /usr/bin/mount ix,
+ /usr/bin/umount ix,
+
   @{etc_ro}/fuse.conf r,
- @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/{mounts,mountinfo} r,

- /usr/bin/fusermount3 mr,
+ @{exec_path} mr,

   include if exists <local/fusermount3>
 }

-# vim:syntax=apparmor
+# vim:ft=apparmor

And it's not the first time it needed changes because of flatpak: https://bugs.launchpad.net/bugs/2100295

Going by d/changelog, the fusermount3 profile was first shipped in plucky in https://launchpad.net/ubuntu/+source/apparmor/4.1.0~beta4-0ubuntu3

Thanks Robie and Ryan for working this

I added a release notes entry for this.

I will report this is happening to me but there is a work around. If you don't mind using sudo. Using sudo via the command line to install and update flatpak does work. IE sudo update flatpak or sudo install.

I was thinking that the installs were failing because it's not giving an option to install as user. Everything is being installed to the system if you use sudo.

AppArmor 5.0.0~alpha1-0ubuntu8.1 with a fix has been uploaded to the -unapproved queue and will hopefully start moving through the SRU process soon

Hello Henk, or anyone else affected,

Accepted apparmor into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/5.0.0~alpha1-0ubuntu8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Works for me, 5.0.0~alpha1-0ubuntu8.1

Tested with the suggestion above:

flatpak install flathub com.github.huluti.Coul
flatpak run com.github.huluti.Coulr

Also updated org.kde.krita and org.kde.krita.Locale without issue.

$ apt policy apparmor
apparmor:
  Installed: 5.0.0~alpha1-0ubuntu8.1
  Candidate: 5.0.0~alpha1-0ubuntu8.1
  Version table:
 *** 5.0.0~alpha1-0ubuntu8.1 100
        100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 Packa>
        100 /var/lib/dpkg/status
     5.0.0~alpha1-0ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu questing/main amd64 Packages

Installed Flatpak according to the official instructions for Ubuntu.

flatpak install flathub com.github.huluti.Coulr succeeded, with the installation of all the layers reporting a success (checkmark) instead of a failure state.

flatpak run com.github.huluti.Coulr also succeeded in launching the application.

Thank you for the verification reports!

Given the severity of the issue I think it might be worth releasing this before waiting for usual seven days, especially as there's lower risk of regressing someone given the release is only just out. The main risk is that an apparmor breaks unrelated things, which could be mitigated by inspecting the binary build to ensure that the profile is the only thing that was changed.

Opinions?

If others could also send verification reports please, that would help increase our confidence and reduce the risk further.

Given the additional rule of not releasing SRUs on Friday or Saturday (and it being Friday in my timezone as I type this), I'd personally consider releasing the SRU on Thursday (a day earlier) instead. I'm personally fine with whatever the SRU team decides on, though.

Verification done here.

- Followed steps in the test plan, but installing stellarium flatpak and runtimes from flathub.
- Without apparmor from proposed the installation of the app and runtimes failed as expected with unmount revokefs-fuse errors on the console.
- With apparmor from proposed all app/runtime installs were successful with no console error messages. The app appears to run and function as expected.

Verification done from Xubuntu. I followed the steps in the test plan, but with the io.github.kolunmi.Bazaar flatpak.

As Rik indicated:

- Without apparmor from proposed the installation of the app and runtimes failed as expected with unmount revokefs-fuse errors on the console.
- With apparmor from proposed all app/runtime installs were successful with no console error messages. The app appears to run and function as expected.

Verification done from my Kubuntu system.

On ARM Ubuntu 25.10 in a VM (UTM), I enabled questing-proposed in Software & Updates, and Software Updater tells me I am up to date (same for `sudo apt update`). I then enabled Flathub using the official instructions and I cannot install qBittorrent in GNOME Software. I do not get any errors, it just fails.

In the CLI:

```
$ flatpak install qbittorrent
[...]
error: Failed to install org.kde.Platform: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-WRO5D3/org.kde.Platform-F3X9D3: Child process exited with code 1
```

Is a fix not available yet for ARM?

# System Details Report
---

## Report details
- **Date generated:** 2025-10-11 16:48:30

## Hardware Information:
- **Hardware Model:** Apple Inc. Apple Virtualization Generic Platform
- **Memory:** 4.0 GiB
- **Processor:** (null) × 6
- **Graphics:** Software Rendering
- **Disk Capacity:** 68.7 GB

## Software Information:
- **Firmware Version:** 2092.0.0.0.0
- **OS Name:** Ubuntu 25.10
- **OS Build:** (null)
- **OS Type:** 64-bit
- **GNOME Version:** 49
- **Windowing System:** Wayland
- **Kernel Version:** Linux 6.17.0-5-generic

Installing the proposed apparmor package resolved the flatpak issue for me in Ubuntu 25.10.

On 11/10/2025 14:46, Osama Albahrani wrote:
> On ARM Ubuntu 25.10 in a VM (UTM), I enabled questing-proposed in
> Software & Updates, and Software Updater tells me I am up to date (same
> for `sudo apt update`). I then enabled Flathub using the official
> instructions and I cannot install qBittorrent in GNOME Software. I do
> not get any errors, it just fails.

You did not install the packages from proposed. The upgrade is not not
automatic any more.

try 'sudo apt install apparmor/questing-proposed
libapparmor1/questing-proposed'

or

'sudo apt-get install apparmor/questing-proposed
libapparmor1/questing-proposed'

Yeah. I get all updates from proposed automagically, but I had to create the file `/etc/apt/preferences.d/questing-proposed` with the follow content:
Package: *
Pin: release a=questing-proposed
Pin-Priority: 500
But I don't care about testing proposed packages soon. Maybe that could be a problem for most users that prefer a stable system instead of me, who like shine things more.

I verify that installing Flatpak qBittorrent in GNOME Software works after running `sudo apt install apparmor/questing-proposed libapparmor1/questing-proposed`.

​I have applied the AppArmor patch version 5.0.0~alpha1-0ubuntu8.1 from the proposed repository and confirmed the primary bug is resolved.

​What is Fixed
​The critical issue where Flatpak installations failed due to a fusermount3 unmounting error is now fixed. Flatpak installation proceeds successfully.

​What is Not Fixed
​After applying the patch, I reviewed the system logs. Despite the successful installation of flatpaks, the following issues are noted:

​The system kernel log (dmesg) still reports AppArmor DENIED messages for the fusermount3 profile, specifically regarding capabilities access (dac_override and setuid). These denials were observed independently after the patch was applied.

​Attached Files
​I am attaching the following file for review:
​
dmesg-DENIED-was-run-after-applying-patch.txt: Contains the persistent AppArmor denial messages that require examination.

Can confirm in the patch does work but am seeing the same apparmor errors in logs that previous commenter mentions

When will this fix be released? Can confirm that the fix works on my Ubuntu server + kde-full install.

This bug was fixed in the package apparmor - 5.0.0~alpha1-0ubuntu8.1

---------------
apparmor (5.0.0~alpha1-0ubuntu8.1) questing; urgency=medium

  * Add patch to fix Flatpak breakage caused by fusermount3 denials
    (LP: #2122161):
    - d/p/u/profiles-add-rules-to-fix-flatpaks-with-fuse3-17.patch

 -- Ryan Lee <email address hidden> Thu, 09 Oct 2025 10:44:07 -0700

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Confirmed!

After installs package proposed, Flatpak apps can be installed using Discover.

This bug was fixed in the package apparmor - 5.0.0~alpha1-0ubuntu8.1

---------------
apparmor (5.0.0~alpha1-0ubuntu8.1) questing; urgency=medium

  * Add patch to fix Flatpak breakage caused by fusermount3 denials
    (LP: #2122161):
    - d/p/u/profiles-add-rules-to-fix-flatpaks-with-fuse3-17.patch

 -- Ryan Lee <email address hidden> Thu, 09 Oct 2025 10:44:07 -0700

Please check whether this fix is also covering https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2129704

These two bugs are unrelated, and we are still investigating what is going on with https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2129704 .