Apparmor: New update broke flatpak with `apparmor="DENIED"`

Bug #2072811 reported by klo
This bug affects 20 people

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Status tracked in Oracular | | | |
| Noble | Fix Committed | Critical | Unassigned | |
| Oracular | Fix Released | High | Unassigned | |

Bug Description

The recent apparmor update appears to have broken some flatpaks' ability to save files, e.g.:
- org.keepassxc.KeePassXC
- org.ksnip.ksnip

It seems the update introduced a new profile ("/etc/apparmor.d/bwrap-userns-restrict"), which is causing the issue below.

**** To reproduce ****

(I'm using KeepassXC as an example, but it is the same issue for ksnip):

1. Install and run KeepassXC

```bash
flatpak install org.keepassxc.KeePassXC
flatpak run org.keepassxc.KeePassXC
```

2. Got error: "Access error for config file /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"

Looking at `journalctl -f`, I see these apparmor DENIED entries:

```txt
Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
```

**** Workaround ****

For now, the workaround is to disable the "/etc/apparmor.d/bwrap-userns-restrict" profile.

```bash
sudo aa-disable /usr/bin/bwrap
```

**** Version info ****

```txt
$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04

$ apt-cache policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
        500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```

klo (klo-2k)
affects: evolution (Ubuntu) → apparmor (Ubuntu)
description: updated
John Johansen (jjohansen) wrote :

There are 3 profiles involved here (probably should be 4), with a call dependency chain of

   flatpak -> bwrap -> bwrap_unpriv

The flatpak profile does not show up in the logs but does end up launching bwrap. The comm is being set by flatpak, and cannot be considered reliable for which executable is running for a given entry. The bwrap profile will be recorded while bwrap code is running, and bwrap_unpriv AND bwrap stacked for the actual keepassxc application.

There are 2 distinct classes of failures here:

1. Deleted files being re-validated. These have the info="Failed name lookup - deleted dentry". Basically fd delegation is not allowed to by-pass mediation. The files are no longer part of the namespace, and were never validated for access under the current confinement.

2. Files that are in the namespace that the application doesn't have permissions to access.

Breaking this down by profiles:

```txt
bwrap:
    l /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211 -> /**, # case 1. target is actually unknown at this point, but likely the same as the following

    l /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini -> /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211, # case 2

unpriv_bwrap:
    l /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211 -> /**, # target again is unknown but likely the same as the following

    l /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini -> /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211, # case 2
```

That bwrap and bwrap_unpriv are attempting to do the same thing, each once with a deleted file and then again with one that exists, is extremely interesting. I need to dig into this a little more to figure out exactly what is going on.

The 2nd entry at first pass should be allowed by the profile, unless it is related to the same syscall that is causing the deleted entry denial, and is due to stacking denying the deleted dentry. If that is the case the question becomes how does the dentry stop being deleted during the single syscall. Like I said, further investigation is needed.

klo (klo-2k) wrote :

Thanks for the initial analysis John, please let me know if you need more info.

As a side note, I use BTRFS - given it's CoW, not sure if it's related to the behaviour observed.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
bounty (bounty-zonal0a) wrote :

This issue also affects the steam flatpak.
(ext4 on lvm, not btrfs)

Sabbir Hasan (sabbir4work) wrote :

This issue also affects the Telegram flatpak.
(ext4 default, not btrfs)

Gabriel de Perthuis (g2p) wrote :

Here is a straced syscall sequence broken by the bwrap profile:

```txt
176 openat(AT_FDCWD, "…/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_64/steam-runtime-sniper/var/tmp-O9I2Q2", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY) = 8

176 openat(8, "usr/etc", O_WRONLY|O_CLOEXEC|O_TMPFILE, 0600) = 10
176 fchmod(10, 0600) = 0
176 fallocate(10, 0, 0, 64) = 0
176 write(10, "pcm.!default {\n type pulse\n}\nctl.!default {\n type pulse\n}\n", 64) = 64
176 fchmod(10, 0644) = 0

176 linkat(AT_FDCWD, "/proc/self/fd/10", 8, "usr/etc/tmp.xwx1yI", AT_SYMLINK_FOLLOW) = -1 ENOENT (No such file or directory)
176 close(10) = 0
```

From https://github.com/flathub/com.valvesoftware.Steam/issues/1318#issuecomment-2226807108

Basically, creating an anonymous file with O_TMPFILE and linking it later (for atomicity) is broken.

This breaks the Steam Flatpak.

tags: added: regression-update
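The O_TMPFILE-then-linkat pattern in the strace above, as an added example that is not part of this bug report nor of Steam's, flatpak's or bwrap's code: a small C program that writes a file atomically the way the traced process does (anonymous inode from O_TMPFILE, then linkat() through /proc/self/fd to give it a name, then rename over the destination so readers never see a partial file), and falls back to a visible mkstemp() temporary plus rename() when the link step fails, which is what the bwrap-userns-restrict profile causes (linkat returns ENOENT). The scratch directory, file name and contents are constructed for the demo; the contents are the asound-style snippet from the trace. The demo goes beyond the trace in that it also replaces an existing file, which is why the link goes to a temporary name first.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* write(2) until the whole buffer is out or an error occurs. */
static int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

#ifdef O_TMPFILE
/* Strategy 1: the pattern from the strace. The inode is never visible
 * under a temporary name; it only appears once fully written. */
static int write_via_tmpfile(int dfd, const char *name,
                             const char *data, size_t len)
{
    /* "." relative to dfd keeps the inode on the target directory's
     * filesystem, so the later link is not a cross-device link. */
    int fd = openat(dfd, ".", O_WRONLY | O_TMPFILE | O_CLOEXEC, 0644);
    if (fd < 0) return -1;   /* EOPNOTSUPP/EISDIR: no O_TMPFILE support */

    char procpath[64], tmpname[NAME_MAX + 1];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    snprintf(tmpname, sizeof tmpname, ".%s.%ld.tmp", name, (long)getpid());

    int rc = -1;
    if (write_all(fd, data, len) == 0 && fsync(fd) == 0) {
        /* This is the call the bwrap profile denied (ENOENT above).
         * AT_SYMLINK_FOLLOW resolves the /proc magic link to the open
         * inode; the AT_EMPTY_PATH form has traditionally needed
         * CAP_DAC_READ_SEARCH, hence the /proc detour in real programs.
         * linkat() refuses to overwrite, so link to a temp name first. */
        if (linkat(AT_FDCWD, procpath, dfd, tmpname, AT_SYMLINK_FOLLOW) == 0) {
            if (renameat(dfd, tmpname, dfd, name) == 0)
                rc = 0;
            else
                unlinkat(dfd, tmpname, 0);
        }
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}
#endif

/* Strategy 2: portable fallback with a briefly visible temp file. */
static int write_via_rename(int dfd, const char *dir, const char *name,
                            const char *data, size_t len)
{
    char tmpl[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/.%s.XXXXXX", dir, name);
    int fd = mkstemp(tmpl);                 /* created 0600, visible */
    if (fd < 0) return -1;
    int rc = -1;
    if (write_all(fd, data, len) == 0 && fsync(fd) == 0 &&
        fchmod(fd, 0644) == 0 && renameat(AT_FDCWD, tmpl, dfd, name) == 0)
        rc = 0;
    else
        unlink(tmpl);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Returns 1 if O_TMPFILE+linkat succeeded, 2 if the rename fallback was
 * needed (e.g. linkat denied, as in this bug), -1 on failure. */
int write_file_atomic(const char *dir, const char *name,
                      const char *data, size_t len)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    int used = -1;
#ifdef O_TMPFILE
    if (write_via_tmpfile(dfd, name, data, len) == 0) used = 1;
#endif
    if (used < 0 && write_via_rename(dfd, dir, name, data, len) == 0) used = 2;
    int saved = errno;
    close(dfd);
    errno = saved;
    return used;
}

/* Read dir/name back into a NUL-terminated buffer; bytes read or -1. */
ssize_t read_file(const char *dir, const char *name, char *buf, size_t cap)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed demo: write a stale file, replace it with the snippet from
 * the strace, read it back. Returns the strategy used for the replace. */
int run_demo(char *out, size_t cap)
{
    static const char payload[] =
        "pcm.!default {\n type pulse\n}\nctl.!default {\n type pulse\n}\n";
    if (cap) out[0] = '\0';
    char dir[] = "/tmp/atomic-demo-XXXXXX";   /* scratch dir, constructed */
    if (!mkdtemp(dir)) return -1;
    int first  = write_file_atomic(dir, "asound.conf", "stale\n", 6);
    int second = write_file_atomic(dir, "asound.conf", payload, sizeof payload - 1);
    ssize_t n  = read_file(dir, "asound.conf", out, cap);
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/asound.conf", dir);
    unlink(path);
    rmdir(dir);
    if (first < 0 || second < 0 || n < 0) return -1;
    return second;
}

int main(void)
{
    char buf[256];
    int how = run_demo(buf, sizeof buf);
    printf("strategy %d, content:\n%s", how, buf);
    return how > 0 ? 0 : 1;
}
```

On an unconfined host, run_demo() returns 1; under a profile that denies the link (or on a filesystem without O_TMPFILE) it returns 2 and the file is still written, at the cost of a temporary name being visible for a moment. Applications that have no such fallback, like the ones in this report, simply fail at the linkat() step.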
Robie Basak (racb) wrote :

Please could someone affected confirm that, without any workaround, reverting to the previously published package resolves the issue, and that upgrading back causes it to arise again? Then we can gain some confidence that reverting the update is an appropriate course of action.

It looks like the previously published package version was 4.0.0-beta3-0ubuntu3 and this is the version in the release pocket. In a default installation I believe that only apparmor and libapparmor1 are installed on vanilla Ubuntu. If this is the case, you should be able to revert with:

```bash
sudo apt install apparmor=4.0.0-beta3-0ubuntu3 libapparmor1=4.0.0-beta3-0ubuntu3
```

You will be warned about a downgrade, but should receive no other warnings (if you do receive any other warnings I suggest you do not proceed).

To find the definitive list of packages that need downgrading you can run this, but you'd need to install the dctrl-tools package first:

```bash
grep-status -S apparmor|grep-dctrl -F Status installed -ns Package
```

Or you can consult /var/log/apt/history.log to understand what exactly was upgraded.

See also bug 2064672 (thanks @g2p!) for details of the testing performed on the package prior to release. It would be helpful if you could participate in that bug to help us improve testing for next time - both in improving our coverage of the QA steps performed, and in validating the eventual fix if we do revert, to help us avoid regressing the package again.

bounty (bounty-zonal0a) wrote :

`sudo apt install apparmor=4.0.0-beta3-0ubuntu3 libapparmor1=4.0.0-beta3-0ubuntu3` does not fix the issue for me. It leaves me with 2 versions, and I can't seem to remove the 4.0.0-beta3-0ubuntu3 version anymore.

```
$ apt show apparmor -a
Package: apparmor
Version: 4.0.1-0ubuntu0.24.04.2
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Debian AppArmor Team <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 3,207 kB
Depends: debconf, debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.38)
Suggests: apparmor-profiles-extra, apparmor-utils
Breaks: apparmor-profiles-extra (<< 1.21), fcitx-data (<< 1:4.2.9.1-1ubuntu2), snapd (<< 2.44.3+20.04~)
Replaces: fcitx-data (<< 1:4.2.9.1-1ubuntu2)
Homepage: https://apparmor.net/
Task: cloud-minimal, standard, server-minimal, ubuntu-wsl
Download-Size: 641 kB
APT-Manual-Installed: no
APT-Sources: http://se.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
Description: user-space parser utility for AppArmor
 apparmor provides the system initialization scripts needed to use the
 AppArmor Mandatory Access Control system, including the AppArmor Parser
 which is required to convert AppArmor text profiles into machine-readable
 policies that are loaded into the kernel for use with the AppArmor Linux
 Security Module.

Package: apparmor
Version: 4.0.0-beta3-0ubuntu3
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Debian AppArmor Team <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 3,174 kB
Depends: debconf, lsb-base, debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.38)
Suggests: apparmor-profiles-extra, apparmor-utils
Breaks: apparmor-profiles-extra (<< 1.21), fcitx-data (<< 1:4.2.9.1-1ubuntu2), snapd (<< 2.44.3+20.04~)
Replaces: fcitx-data (<< 1:4.2.9.1-1ubuntu2)
Homepage: https://apparmor.net/
Task: cloud-minimal, standard, server-minimal, ubuntu-wsl
Download-Size: 637 kB
APT-Sources: http://se.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: user-space parser utility for AppArmor
 apparmor provides the system initialization scripts needed to use the
 AppArmor Mandatory Access Control system, including the AppArmor Parser
 which is required to convert AppArmor text profiles into machine-readable
 policies that are loaded into the kernel for use with the AppArmor Linux
 Security Module.

```

Steve Langasek (vorlon) wrote :

'apt show -a' shows you all available versions apt knows about, it does not tell you what's installed. You want 'dpkg -l apparmor' (or 'apt policy apparmor').

bounty (bounty-zonal0a) wrote :

Not sure the downgrade touches this file.

After `sudo apt install apparmor=4.0.0-beta3-0ubuntu3 libapparmor1=4.0.0-beta3-0ubuntu3` and reboot (flatpak not working):

```txt
$ apt policy apparmor
apparmor:
  Installed: 4.0.0-beta3-0ubuntu3
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
     4.0.1-0ubuntu0.24.04.2 500
        500 http://se.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
 *** 4.0.0-beta3-0ubuntu3 500
        500 http://se.archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status

$ shasum /etc/apparmor.d/bwrap-userns-restrict
a9bc3009905641ccaf5dfbe2c7a99b2410d05022 /etc/apparmor.d/bwrap-userns-restrict

$ sudo apt install apparmor libapparmor1
...
$ shasum /etc/apparmor.d/bwrap-userns-restrict
a9bc3009905641ccaf5dfbe2c7a99b2410d05022 /etc/apparmor.d/bwrap-userns-restrict
$ apt policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 500
        500 http://se.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://se.archive.ubuntu.com/ubuntu noble/main amd64 Packages

$ apt-file search /etc/apparmor.d/bwrap-userns-restrict
apparmor: /etc/apparmor.d/bwrap-userns-restrict
```

Entry in /var/log/apt/history.log that seems to have broken flatpak:

```txt
Start-Date: 2024-07-13 20:57:49
Commandline: aptdaemon role='role-commit-packages' sender=':1.122'
Upgrade: apparmor:amd64 (4.0.0-beta3-0ubuntu3, 4.0.1-0ubuntu0.24.04.2), libapparmor1:amd64 (4.0.0-beta3-0ubuntu3, 4.0.1-0ubuntu0.24.04.2)
End-Date: 2024-07-13 20:57:53
```

bounty (bounty-zonal0a) wrote :

I also have a computer not yet updated (still on 4.0.0-beta3-0ubuntu3) and /etc/apparmor.d/bwrap-userns-restrict does not exist on that computer.

bounty (bounty-zonal0a) wrote :

downgrading and removing /etc/apparmor.d/bwrap-userns-restrict fixes the issue, but then again so does just disabling bwrap-userns-restrict. upgrading back to 4.0.1-0ubuntu0.24.04.2 does not create bwrap-userns-restrict again even though dpkg-query -L apparmor lists the file. I'm not familiar enough with apt/dpkg if this is expected behaviour but tested upgrading my other comp and bwrap-userns-restrict was created.

Robie Basak (racb) wrote :

Thanks. I think I understand the cause and am preparing what I think should resolve it.

Changed in apparmor (Ubuntu):
assignee: nobody → Robie Basak (racb)
status: Confirmed → In Progress
importance: Undecided → Critical
Robie Basak (racb) wrote :

For a future code review, here are the binary debdiffs of the regressing SRU for amd64. I used this to gain some confidence that the conffile changes in the apparmor binary package are the only changes that need special handling.

Robie Basak (racb) wrote :

I've prepared a reverting package update for testing but I've not tested it myself yet because I'm waiting for the PPA publisher. It may contain mistakes. When publishing is done it'll be available at ppa:racb/experimental3. However it's late here and I don't know when (or if) the publisher will publish, so I'll unassign myself for now. Other developers should feel free to take over.

Changed in apparmor (Ubuntu):
assignee: Robie Basak (racb) → nobody
status: In Progress → Triaged
Robie Basak (racb) wrote :

It did eventually get published and a quick test suggests that it works. @bounty-zonal0a you would need to upgrade back to 4.0.1-0ubuntu0.24.04.2, *restore* /etc/apparmor.d/bwrap-userns-restrict and then upgrade again if you want to test. The proposed revert package should drop the file again (properly).

I would like some more testing and review to happen on my 4.0.1really4.0.0-beta3-0ubuntu1~ppa1 and perhaps the version should be 4.0.1really4.0.0-beta3-0ubuntu0.1 instead, but apart from that as far as I'm aware this should be the minimal revert. Since the "really" version and rm_conffile are unusual I'd appreciate review from those able.

Robie Basak (racb) wrote :

Due to the "really" version bump, Oracular will also require a bump before it is released, unless a 4.0.2 or similar upload happens in Oracular first. Setting tasks accordingly.

Changed in apparmor (Ubuntu Noble):
status: New → Triaged
importance: Undecided → Critical
Changed in apparmor (Ubuntu Oracular):
importance: Critical → High
Gabriel de Perthuis (g2p) wrote :

@racb Your updated ppa package makes flatpak apps work again, but only after a reboot.

Suggest either replacing bwrap-userns-restrict with an empty file (dpkg scripts will then reload it) or running `apparmor_parser -R /etc/apparmor.d/bwrap-userns-restrict` in .prerm

Robie Basak (racb) wrote :

Thank you for testing!

> but only after a reboot

Understood, but fixing that involves removing a profile and unconfining its corresponding binary, which could be dangerous. We'd have to ensure that the user didn't have it installed for some other reason, etc. On balance, and to get the revert out quicker, I think it's reasonable to need a reboot. This will only affect users already affected. Fresh installs should never upgrade to the bad package, so once the revert is released nobody new should be affected after that point.

Robie Basak (racb) wrote : Please test proposed package

Hello klo, or anyone else affected,

Accepted apparmor into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/4.0.1really4.0.0-beta3-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apparmor (Ubuntu Noble):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-noble
Robie Basak (racb) wrote :

> N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

We will waive the usual testing period, but still will need to do some testing. Reports from anyone affected appreciated!

Note that I amended the version in my PPA so this one is lower. If you tested from my PPA you'll need to force "downgrade" to this one. Sorry about that, but I thought it'd be better to get this clean for the official version over maintaining the upgrade path from my PPA.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apparmor/4.0.1really4.0.0-beta3-0ubuntu0.1)

All autopkgtests for the newly accepted apparmor (4.0.1really4.0.0-beta3-0ubuntu0.1) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

adsys/0.14.1build1 (arm64)
libreoffice/4:24.2.4-0ubuntu0.24.04.2 (s390x)
rsyslog/8.2312.0-3ubuntu9 (arm64)
stress-ng/unknown (armhf)
sudo/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Alex Garel (alex-garel) wrote :

For information, this also breaks nextcloud client: com.nextcloud.desktopclient.nextcloud

klo (klo-2k) wrote :

@Robie Basak (racb), thanks for the fix - seems to work for me:

1. Re-enabled the original profile
2. Enabled proposed repo
3. Installed updated apparmor version (4.0.1really4.0.0-beta3-0ubuntu0.1)
4. Reboot
5. Test KeepPassXC, Ksnip - can save again

p.s. I no longer see 'bwrap' under /etc/apparmor.d (`grep -ir bwrap /etc/apparmor.d`)

Details of install and test:

```
# Enable proposed

cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

cat <<EOF >/etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF

# Re-enable brwap profile

aa-enforce /usr/bin/bwrap

# Install fix

root@ubuntu2404:/etc/apt/sources.list.d# apt install apparmor/noble-proposed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Selected version '4.0.1really4.0.0-beta3-0ubuntu0.1' (Ubuntu:24.04/noble-proposed [amd64]) for 'apparmor'
Suggested packages:
  apparmor-profiles-extra
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 28 not upgraded.
Need to get 638 kB of archives.
After this operation, 32.8 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 apparmor amd64 4.0.1really4.0.0-beta3-0ubuntu0.1 [638 kB]
Fetched 638 kB in 2s (352 kB/s)
Preconfiguring packages ...
(Reading database ... 217302 files and directories currently installed.)
Preparing to unpack .../apparmor_4.0.1really4.0.0-beta3-0ubuntu0.1_amd64.deb ...
Unpacking apparmor (4.0.1really4.0.0-beta3-0ubuntu0.1) over (4.0.1-0ubuntu0.24.04.2) ...
Setting up apparmor (4.0.1really4.0.0-beta3-0ubuntu0.1) ...
Installing new version of config file /etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/firefox ...
Removing obsolete conffile /etc/apparmor.d/abstractions/transmission-common ...
Removing obsolete conffile /etc/apparmor.d/balena-etcher ...
Removing obsolete conffile /etc/apparmor.d/bwrap-userns-restrict ...
Removing obsolete conffile /etc/apparmor.d/foliate ...
Removing obsolete conffile /etc/apparmor.d/transmission ...
Removing obsolete conffile /etc/apparmor.d/wike ...
Reloading AppArmor profiles
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 63): Caching disabled for: 'usr.sbin.sssd' due to force complain
Processing triggers for man-db (2.12.0-4build2) ...

reboot

# Run KeePassXC, no more error 🙂
flatpak run org.keepassxc.KeePassXC
```

Andrea Agnolin (agno94) wrote :

I've arrived here from https://github.com/telegramdesktop/tdesktop/issues/28156 after experiencing the issue with telegram.

I installed the fix from proposed.

The problem is solved: now telegram works.

Georgia Garcia (georgiag) wrote :

@Robie Basak:

I ran QRT and the tests passed:

```txt
georgia@ubuntu:~/qrt-test-apparmor$ sudo ./install-packages test-apparmor.py
georgia@ubuntu:~/qrt-test-apparmor$ sudo ./test-apparmor.py
...
----------------------------------------------------------------------
Ran 62 tests in 1974.585s

OK (skipped=3)
georgia@ubuntu:~/qrt-test-apparmor$ uname -a
Linux ubuntu 6.8.0-36-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 10 10:49:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
georgia@ubuntu:~/qrt-test-apparmor$ apt policy apparmor
apparmor:
  Installed: 4.0.1really4.0.0-beta3-0ubuntu0.1
  Candidate: 4.0.1really4.0.0-beta3-0ubuntu0.1
  Version table:
 *** 4.0.1really4.0.0-beta3-0ubuntu0.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.1-0ubuntu0.24.04.2 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     4.0.0-beta3-0ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
```

John Johansen (jjohansen) wrote :

I have run through QRT tests as well, same results as @georgia in #28

In addition I have tested a couple flatpaks, steam (snap, and non-snap) has NOT been tested yet, but I will have that one soon.

John Johansen (jjohansen) wrote :

steam (non-snap) works, interface is brought up and can launch a game known to trigger pressure vessel and bwrap.

steam snap is broken. The interface is brought up, but the games I have tried can not launch. The failure however does not appear to be related to the revert. It is not bwrap related but profile permissions related to the permissions for the specific games. Specifically the bind mount of the old root to the new root. The SRU and the revert have no changes that should affect the mount mediation.

Robie Basak (racb) wrote :

Thank you! I'll release the revert now then.

FTR:

The pending-sru report still shows autopkgtests as outstanding, but most passed on retry - the report is just out of date. Normally I'd wait, but on this occasion I think releasing the revert is on the more important side of the trade-off of me having missed something.

The libreoffice dep8 test failed to run twice and is still running, but there's no indication of a failure, so again on balance I think it makes sense not to wait, and jjohansen agreed with me on that in #ubuntu-release.

tags: added: verification-done verification-done-noble
removed: verification-needed verification-needed-noble
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 4.0.1really4.0.0-beta3-0ubuntu0.1

---------------
apparmor (4.0.1really4.0.0-beta3-0ubuntu0.1) noble; urgency=medium

  * Due to regression, revert changes in previous update back to a
    source tree equivalent to 4.0.0-beta3-0ubuntu3 (LP: #2072811).
  * This drops /etc/apparmor.d/bwrap-userns-restrict, allowing various
    Flatpak apps to save files again.
  * d/apparmor.maintscript: rm_conffile on the following in
    /etc/apparmor.d/ to properly revert conffiles introduced in the
    update being reverted:
    - abstractions/transmission-common
    - balena-etcher
    - bwrap-userns-restrict
    - foliate
    - transmission
    - wike

 -- Robie Basak <email address hidden> Sun, 14 Jul 2024 22:25:31 +0000

Changed in apparmor (Ubuntu Noble):
status: Fix Committed → Fix Released
Georgia Garcia (georgiag) wrote :

Here's my proposed fix for oracular. It disables the bwrap profile so we can do further tests. As was done on noble, it does require a reboot.
It's also available on this ppa: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu2

Robie Basak (racb) wrote :

@Georgia, is this the final fix for Oracular, or are you planning on a further upload? Because 4.0.1-ubuntu2 is lower than the emergency fix for Noble (4.0.1really4.0.0-beta3-0ubuntu0.1), and before Oracular is released we need the package version to be higher than the one in Noble so as not to break upgrades.

John Johansen (jjohansen) wrote :

@Robie: define final. Right now this is for testing. Once testing is done and if everything looks good then we will revise the version. The plan was to go with an epoch version similar to 4.0.1really4.0.0-beta3-0ubuntu0.1 (suggestions welcome), and didn't want to use/burn those until we are sure this is the final version. We will kill off the epoch version with the 4.0.2 release (coming soon) asap.

Robie Basak (racb) wrote :

Sure that's fine thanks. I just wanted to make sure that this doesn't get missed but unfortunately we don't have a mechanism for ensuring it. Given that Noble has to have the "really" anyway, I would get the ordering into Oracular resolved as soon as possible to avoid any accidents - I don't see any harm in doing it sooner rather than later by taking the earlier upload opportunity. But if you want to defer until later I don't have any objection as long as you do ensure it's done before Oracular's release, and it sounds like you have a plan for that already :)

I suggest 4.0.1really4.0.0-beta3-0ubuntu1, 4.0.1really4.0.0-beta3-0ubuntu2 etc until you have an upstream version bump. Essentially retaining this "4.0.1really" prefix while it is necessary but the rest of the version string continuing as it would normally.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "apparmor_4.0.1-0ubuntu2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 4.0.1really4.0.1-0ubuntu2

---------------
apparmor (4.0.1really4.0.1-0ubuntu2) oracular; urgency=medium

  * Drop patch that enables bwrap profile
  - d/p/u/enable-bwrap-profile.patch (LP: #2072811)
  * d/apparmor.install
    - remove bwrap-userns-restrict
  * d/apparmor.maintscript: rm_conffile of bwrap-userns-restrict in
    /etc/apparmor.d/ to properly revert conffiles introduced in
    4.0.1-0ubuntu1
  * d/apparmor-profiles.install
    - install new profile
      - bwrap-userns-restrict
  * Drop patch that moves wike profile from apparmor to apparmor.d so it's
  done by d/apparmor.install. The patch caused a warning from dpkg-source
  because it didn't contain a diff
  * d/apparmor.install
    - install new profile
      - wike - changed installation from apparmor to apparmor.d
  * Add patches that fix regression tests when they run on a mounted /tmp
    in tmpfs
    - d/p/u/tests-refactor-logic-that-makes-mntpoint-private-for.patch
    - d/p/u/tests-remount-tmpdir-as-private-instead-of.patch
    - d/p/u/tests-enable-swap-test-when-tmp-is-tmpfs.patch
    - d/p/u/test-detect-if-setuid-environ-test-in-running-under-.patch

 -- Georgia Garcia <email address hidden> Tue, 16 Jul 2024 14:33:39 -0300

Changed in apparmor (Ubuntu Oracular):
status: Triaged → Fix Released
Revision history for this message
hifron (hifron) wrote :

Electron apps could be started with --no-sandbox, with executableArgs = ["no-sandbox"] in build mode for AppImage or Snap https://www.electron.build/configuration/snap.html .

There is also a bug open on Electron https://github.com/electron/electron/issues/41066 with a merged patch for detecting such an issue at runtime by testing writes for such namespaces, as a pull request on Electron.

This change in Ubuntu for Electron is not new, and there were some attempts for Electron AppImages to fix it because Debian and other Linuxes have various policies, so there were also questions about it and some attempts in JS npm packages https://github.com/electron-userland/electron-builder/issues/5371.

So the issue on Electron is open and packagers could wait for a new Electron release or decide what to do... But requiring each app to have its own profile is a weird way into the bureaucratic hell of overhead for something not deeply understood.

Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello klo, or anyone else affected,

Accepted apparmor into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/4.0.1really4.0.1-0ubuntu0.24.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apparmor (Ubuntu Noble):
status: Fix Released → Fix Committed
tags: added: verification-needed verification-needed-noble
removed: verification-done verification-done-noble
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apparmor/4.0.1really4.0.1-0ubuntu0.24.04.3)

All autopkgtests for the newly accepted apparmor (4.0.1really4.0.1-0ubuntu0.24.04.3) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

libextractor/unknown (armhf)
libreoffice/4:24.2.5-0ubuntu0.24.04.1 (arm64)
stress-ng/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Georgia Garcia (georgiag) wrote :

Verification completed in bug 2064672

tags: added: verification-done verification-done-noble
removed: verification-needed verification-needed-noble
Revision history for this message
Liam Proven (lproven) wrote :

Bug breaks Panwriter on 24.04 and 24.04.1.

Panwriter is _only_ distributed as an AppImage so there's no alternative format.

Running the AppImage with `--no-sandbox` does not help.

What got it working for me is this:

`sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0`
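
As an added diagnostic example (not from the bug report or the apparmor package), a POSIX shell function that picks the `apparmor="DENIED"` audit lines attributed to the `bwrap` and `unpriv_bwrap` profiles out of journal output, so an admin can confirm that the bwrap-userns-restrict profile is the blocker before applying the sysctl above, which lifts the unprivileged user-namespace restriction system-wide rather than for one app. The sample lines are constructed to match the format of the entries in the report; paths and ids are placeholders.

```shell
#!/bin/sh
# Constructed sample journal lines (placeholder paths/ids), same layout as the
# kernel audit entries quoted in the report.
SAMPLE_LOG='audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/user/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/user/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
audit: type=1400 audit(1720741480.000:313): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=5000 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1720741481.000:314): apparmor="ALLOWED" operation="link" class="file" profile="bwrap" name="/tmp/x" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l"'

# bwrap_denials LOGTEXT
# Prints one "profile operation comm denied_mask" line per DENIED entry whose
# profile is bwrap or unpriv_bwrap; ALLOWED entries and other profiles are
# ignored.  Feed it `journalctl -k` output on a live system.
bwrap_denials() {
    printf '%s\n' "$1" | awk '
        /apparmor="DENIED"/ {
            p = ""; o = ""; c = ""; m = ""
            for (i = 1; i <= NF; i++) {
                # each field is key="value" (or key=value); strip the quotes
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "profile")          p = kv[2]
                else if (kv[1] == "operation")   o = kv[2]
                else if (kv[1] == "comm")        c = kv[2]
                else if (kv[1] == "denied_mask") m = kv[2]
            }
            if (p == "bwrap" || p == "unpriv_bwrap") print p, o, c, m
        }'
}

# current_userns_restriction
# Echoes the live value of kernel.apparmor_restrict_unprivileged_userns
# (1 = unprivileged user namespaces restricted, 0 = the workaround above is
# in effect), or "unknown" where the sysctl is not exposed.
current_userns_restriction() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Stand-alone run: summarise the constructed sample and report sysctl state.
bwrap_denials "$SAMPLE_LOG"
echo "apparmor_restrict_unprivileged_userns=$(current_userns_restriction)"
```

On a real host, pipe `journalctl -k` into the function; if it prints nothing while the app still fails, the denial is coming from somewhere other than the bwrap profiles and the sysctl change is not the right lever.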
