apparmor prevents access to saved Remmina sessions

Bug #2106675 reported by David R. Hedges
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | In Progress | Undecided | Unassigned |
remmina (Ubuntu) | Triaged | Undecided | Unassigned |

Bug Description

After upgrading to 25.04 (beta), my saved connections / target computers in Remmina were gone. Where previously I had several saved connection entries, there were none.

I modified /etc/apparmor.d/remmina to run with flags=(complain), re-launched, and all my saved connections were back.

Subsequently running aa-logprof suggested the following additions:
include <abstractions/bash>
include <abstractions/dbus-session>
/etc/debian_version r,
/etc/lsb-release r,
/usr/bin/dash ix,
/usr/bin/lsb_release mrix,
/usr/bin/python3.13 mrix,
@{etc_ro}/fstab r,
owner @{HOME}/.remmina/ r,
owner @{HOME}/.remmina/* r,

(I replaced /home/*/ with ${HOME}.)

It seems likely it's possible to avoid the dbus-session include (I see dbus-session-strict was already present), but there were many manual rules it was requesting without that, and I don't know enough about remmina, apparmor, or dbus to offer useful input there.

It seems quite possible that only the @{HOME}/.remmina/(*) rules are needed to fix this, but the numerous complaints about accesses to DBus.Properties /org/freedesktop/secrets/collection/login/... paths seem like this rule [ dbus (send) bus=session path="/org/freedesktop/secrets/collection/login" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=unconfined), ] might not be working as expected, and I'm suspicious they're related to loading these saved connections.

Please give us some details about the systems you are using:
* Client (OS name and version): Ubuntu 25.04 Plucky Puffin (development branch), amd64
* Remmina version (remmina --version): org.remmina.Remmina - 1.4.39 (git n/a) (dpkg: 1.4.39+dfsg-1)
* Desktop environment (GNOME, Unity, KDE, ..): Gnome

Tags: patch
David R. Hedges (p14nd4) wrote :

Additionally, this directive breaks use of ssh keys / keyring:
include <abstractions/private-files-strict>

I replaced it with:
include <abstractions/private-files>
owner @{run}/user/@{uid}/keyring/ssh rw,

And updated the ${HOME}/.ssh line:
owner @{HOME}/.ssh/{config,known_hosts,id_*} r,

A full patch is attached that seems to get things working for me. A few apparmor failures remain that I didn't include (and possibly more that would be hit if these were allowed):
execute: /usr/bin/lsb_release, /usr/bin/python3.13, /usr/bin/bash
dbus send (all would be covered by include <abstractions/dbus-session>): /org/gtk/Settings (org.freedesktop.DBus.Properties), /StatusNotifierWatcher (org.freedesktop.DBus.Introspectable), /org/a11y/bus (org.a11y.Bus)
file: /etc/timezone, /etc/lsb-release, /etc/debian_version
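
The triage described in the report and the comment above (collect the profile's audit events, generalise /home/<user>/ to @{HOME}, keep the owner qualifier), as an added example that is not part of the bug report or of AppArmor's own tools. The log lines are constructed, and the user alice and the profile name remmina are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the bug report). DENIED is logged in
# enforce mode, ALLOWED in complain mode; user "alice" and profile "remmina" are assumed.
SAMPLE_LOG = """\
type=AVC msg=audit(1743500000.101:210): apparmor="DENIED" operation="open" class="file" profile="remmina" name="/home/alice/.remmina/" pid=4321 comm="remmina" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1743500000.102:211): apparmor="DENIED" operation="open" class="file" profile="remmina" name="/home/alice/.remmina/office.remmina" pid=4321 comm="remmina" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1743500000.103:212): apparmor="ALLOWED" operation="open" class="file" profile="remmina" name="/home/alice/.remmina/lab.remmina" pid=4321 comm="remmina" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1743500000.104:213): apparmor="DENIED" operation="open" class="file" profile="remmina" name="/etc/lsb-release" pid=4321 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1743500000.105:214): apparmor="ALLOWED" operation="open" class="file" profile="firefox" name="/home/alice/.remmina/office.remmina" pid=999 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def candidate_rules(log, profile="remmina"):
    """Aggregate one profile's file events into deduplicated candidate rule lines."""
    masks = defaultdict(set)
    for line in log.splitlines():
        f = parse(line)
        if f.get("profile") != profile or f.get("class") != "file" or "name" not in f:
            continue
        if f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        # Replace the concrete home directory with the @{HOME} tunable.
        path = re.sub(r"^/home/[^/]+/", "@{HOME}/", f["name"])
        # Collapse files below a subdirectory of @{HOME} to dir/*; never to @{HOME}/*.
        if path.startswith("@{HOME}/") and not path.endswith("/") and path.count("/") >= 2:
            path = path.rsplit("/", 1)[0] + "/*"
        # "owner" only when the process uid matched the file's owner in the event.
        owner = "owner " if f.get("fsuid") == f.get("ouid") else ""
        # Masks are copied as logged; this sample only contains reads.
        masks[owner + path].update(f.get("denied_mask", ""))
    return sorted(f"{p} {''.join(sorted(m))}," for p, m in masks.items())

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

Each candidate line still needs review before it goes into a profile, since a log only shows what the program tried to do, not what it should be allowed to do.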

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in remmina (Ubuntu):
status: New → Confirmed
Serge (sspapilin) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "remmina-apparmor.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Jeremy Bícha (jbicha) wrote :

I'm adding a remmina task for people searching for this issue, but this issue can only be fixed in apparmor, which provides /etc/apparmor.d/remmina.

affects: remmina (Ubuntu) → apparmor (Ubuntu)
summary: - apparmor prevents access to saved sessions
+ apparmor prevents access to saved Remmina sessions
Changed in remmina (Ubuntu):
status: New → Triaged
Ryan Lee (rlee287) wrote :

We have received multiple reports of remmina breakage caused by an incomplete AppArmor profile, and we are planning to pull the profile from Plucky entirely. Please see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107723 and https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110236 for more information.

Changed in apparmor (Ubuntu):
status: Confirmed → In Progress