Ubuntu
apparmor package

  1. Noble (24.04)
  2. Bug #2072811
  3. Activity log

Activity log for bug #2072811

Date Who What changed Old value New value Message
2024-07-11 23:51:42 klo bug added bug
2024-07-11 23:54:00 klo affects evolution (Ubuntu) apparmor (Ubuntu)
2024-07-11 23:55:04 klo description The recent apparmor update appear to have broken some flatpak's ability to save file, e.g.: - org.keepassxc.KeePassXC - org.ksnip.ksnip It seems update introduced a new profile ("/etc/apparmor.d/bwrap-userns-restrict"), which is causing the issue below. **** To reproduce **** (I'm using KeepassXC as example, but same issue for ksnip): 1. Install and run KeepassXC ```bash flatpak install org.keepassxc.KeePassXC flatpak run org.keepassxc.KeePassXC ``` 2. Got error: "Access error for config file /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" Looking at `journalctl -f`, I see these apparmor DENIED entries: ```txt Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope. Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" ``` **** Workaround **** For now, work-around is by disabling "/etc/apparmor.d/bwrap-userns-restrict". ```bash sudo aa-disable /usr/bin/bwrap ``` **** Version info **** $ lsb_release -rd No LSB modules are available. Description: Ubuntu 24.04 LTS Release: 24.04 $ apt-cache policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.24.04.2 Candidate: 4.0.1-0ubuntu0.24.04.2 Version table: *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%) 500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages 100 /var/lib/dpkg/status 4.0.0-beta3-0ubuntu3 500 500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages The recent apparmor update appear to have broken some flatpak's ability to save file, e.g.: - org.keepassxc.KeePassXC - org.ksnip.ksnip It seems update introduced a new profile ("/etc/apparmor.d/bwrap-userns-restrict"), which is causing the issue below. **** To reproduce **** (I'm using KeepassXC as example, but same issue for ksnip): 1. Install and run KeepassXC ```bash flatpak install org.keepassxc.KeePassXC flatpak run org.keepassxc.KeePassXC ``` 2. Got error: "Access error for config file /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" Looking at `journalctl -f`, I see these apparmor DENIED entries: ```txt Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope. Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" ``` **** Workaround **** For now, work-around is by disabling "/etc/apparmor.d/bwrap-userns-restrict" profile. ```bash sudo aa-disable /usr/bin/bwrap ``` **** Version info **** $ lsb_release -rd No LSB modules are available. Description: Ubuntu 24.04 LTS Release: 24.04 $ apt-cache policy apparmor apparmor:   Installed: 4.0.1-0ubuntu0.24.04.2   Candidate: 4.0.1-0ubuntu0.24.04.2   Version table:  *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)         500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages         100 /var/lib/dpkg/status      4.0.0-beta3-0ubuntu3 500         500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
2024-07-12 10:44:45 Launchpad Janitor apparmor (Ubuntu): status New Confirmed
2024-07-14 10:37:16 Gabriel de Perthuis bug watch added https://github.com/flathub/com.valvesoftware.Steam/issues/1318
2024-07-14 10:40:48 Gabriel de Perthuis tags regression-update
2024-07-14 11:09:22 Sundance bug added subscriber Sundance
2024-07-14 11:09:45 RichardJECooke@protonmail.com bug added subscriber RichardJECooke@protonmail.com
2024-07-14 11:46:09 Jan Hartkopf bug added subscriber Jan Hartkopf
2024-07-14 12:44:30 Stefan Esbjörner bug added subscriber Stefan Esbjörner
2024-07-14 15:23:14 Forage bug added subscriber Forage
2024-07-14 19:16:11 Samuel Moelius bug added subscriber Samuel Moelius
2024-07-14 22:47:06 Robie Basak apparmor (Ubuntu): assignee Robie Basak (racb)
2024-07-14 22:47:15 Robie Basak apparmor (Ubuntu): status Confirmed In Progress
2024-07-14 22:47:29 Robie Basak bug added subscriber Robie Basak
2024-07-14 22:49:52 Robie Basak apparmor (Ubuntu): importance Undecided Critical
2024-07-14 23:17:32 Robie Basak attachment added debdiffs https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+attachment/5797101/+files/debdiffs
2024-07-15 00:35:08 Robie Basak apparmor (Ubuntu): assignee Robie Basak (racb)
2024-07-15 00:35:11 Robie Basak apparmor (Ubuntu): status In Progress Triaged
2024-07-15 01:14:59 Robie Basak nominated for series Ubuntu Noble
2024-07-15 01:14:59 Robie Basak bug task added apparmor (Ubuntu Noble)
2024-07-15 01:14:59 Robie Basak nominated for series Ubuntu Oracular
2024-07-15 01:14:59 Robie Basak bug task added apparmor (Ubuntu Oracular)
2024-07-15 01:15:04 Robie Basak apparmor (Ubuntu Noble): status New Triaged
2024-07-15 01:15:07 Robie Basak apparmor (Ubuntu Noble): importance Undecided Critical
2024-07-15 01:15:09 Robie Basak apparmor (Ubuntu Oracular): importance Critical High
2024-07-15 17:19:37 hungry-mietner bug added subscriber hungry-mietner
2024-07-15 20:54:59 Robie Basak apparmor (Ubuntu Noble): status Triaged Fix Committed
2024-07-15 20:55:00 Robie Basak bug added subscriber Ubuntu Stable Release Updates Team
2024-07-15 20:55:02 Robie Basak bug added subscriber SRU Verification
2024-07-15 20:55:08 Robie Basak tags regression-update regression-update verification-needed verification-needed-noble
2024-07-16 04:55:08 Kaan Batın Kolcu bug added subscriber Kaan Batın Kolcu
2024-07-16 09:45:10 Alex Garel bug added subscriber Alex Garel
2024-07-16 16:05:25 Andrea Agnolin bug watch added https://github.com/telegramdesktop/tdesktop/issues/28156
2024-07-16 17:00:59 Robie Basak tags regression-update verification-needed verification-needed-noble regression-update verification-done verification-done-noble
2024-07-16 17:01:42 Robie Basak removed subscriber Ubuntu Stable Release Updates Team
2024-07-16 17:13:08 Launchpad Janitor apparmor (Ubuntu Noble): status Fix Committed Fix Released
2024-07-16 17:45:38 Favaron bug added subscriber Favaron
2024-07-16 22:10:09 Georgia Garcia attachment added apparmor_4.0.1-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+attachment/5797804/+files/apparmor_4.0.1-0ubuntu2.debdiff
2024-07-17 00:29:33 Ubuntu Foundations Team Bug Bot tags regression-update verification-done verification-done-noble patch regression-update verification-done verification-done-noble
2024-07-17 00:29:39 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Sponsors
2024-07-17 05:28:12 Favaron removed subscriber Favaron
2024-08-03 20:58:59 Launchpad Janitor apparmor (Ubuntu Oracular): status Triaged Fix Released
2024-08-14 12:57:32 hifron bug watch added https://github.com/electron/electron/issues/41066
2024-08-14 12:57:32 hifron bug watch added https://github.com/electron-userland/electron-builder/issues/5371
2024-08-15 01:16:31 Chris Halse Rogers apparmor (Ubuntu Noble): status Fix Released Fix Committed
2024-08-15 01:16:35 Chris Halse Rogers bug added subscriber Ubuntu Stable Release Updates Team
2024-08-15 01:16:49 Chris Halse Rogers tags patch regression-update verification-done verification-done-noble patch regression-update verification-needed verification-needed-noble
2024-08-22 15:40:30 Georgia Garcia tags patch regression-update verification-needed verification-needed-noble patch regression-update verification-done verification-done-noble
2024-08-27 13:01:08 Lukas Märdian removed subscriber Ubuntu Sponsors