2024-07-11 23:51:42 |
klo |
bug |
|
|
added bug |
2024-07-11 23:54:00 |
klo |
affects |
evolution (Ubuntu) |
apparmor (Ubuntu) |
|
2024-07-11 23:55:04 |
klo |
description |
The recent apparmor update appears to have broken some flatpaks' ability to save files, e.g.:
- org.keepassxc.KeePassXC
- org.ksnip.ksnip
It seems the update introduced a new profile ("/etc/apparmor.d/bwrap-userns-restrict"), which is causing the issue below.
**** To reproduce ****
(I'm using KeePassXC as an example, but it's the same issue for ksnip):
1. Install and run KeePassXC
```bash
flatpak install org.keepassxc.KeePassXC
flatpak run org.keepassxc.KeePassXC
```
2. Got error: "Access error for config file /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
Looking at `journalctl -f`, I see these apparmor DENIED entries:
```txt
Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
```
**** Workaround ****
For now, the workaround is to disable "/etc/apparmor.d/bwrap-userns-restrict".
```bash
sudo aa-disable /usr/bin/bwrap
```
**** Version info ****
```txt
$ lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04 LTS
Release:        24.04
$ apt-cache policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
        500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```
|
The recent apparmor update appears to have broken some flatpaks' ability to save files, e.g.:
- org.keepassxc.KeePassXC
- org.ksnip.ksnip
It seems the update introduced a new profile ("/etc/apparmor.d/bwrap-userns-restrict"), which is causing the issue below.
**** To reproduce ****
(I'm using KeePassXC as an example, but it's the same issue for ksnip):
1. Install and run KeePassXC
```bash
flatpak install org.keepassxc.KeePassXC
flatpak run org.keepassxc.KeePassXC
```
2. Got error: "Access error for config file /home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
Looking at `journalctl -f`, I see these apparmor DENIED entries:
```txt
Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
```
**** Workaround ****
For now, the workaround is to disable the "/etc/apparmor.d/bwrap-userns-restrict" profile.
```bash
sudo aa-disable /usr/bin/bwrap
```
**** Version info ****
```txt
$ lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04 LTS
Release:        24.04
$ apt-cache policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
        500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```
|
|
2024-07-12 10:44:45 |
Launchpad Janitor |
apparmor (Ubuntu): status |
New |
Confirmed |
|
2024-07-14 10:37:16 |
Gabriel de Perthuis |
bug watch added |
|
https://github.com/flathub/com.valvesoftware.Steam/issues/1318 |
|
2024-07-14 10:40:48 |
Gabriel de Perthuis |
tags |
|
regression-update |
|
2024-07-14 11:09:22 |
Sundance |
bug |
|
|
added subscriber Sundance |
2024-07-14 11:09:45 |
RichardJECooke@protonmail.com |
bug |
|
|
added subscriber RichardJECooke@protonmail.com |
2024-07-14 11:46:09 |
Jan Hartkopf |
bug |
|
|
added subscriber Jan Hartkopf |
2024-07-14 12:44:30 |
Stefan Esbjörner |
bug |
|
|
added subscriber Stefan Esbjörner |
2024-07-14 15:23:14 |
Forage |
bug |
|
|
added subscriber Forage |
2024-07-14 19:16:11 |
Samuel Moelius |
bug |
|
|
added subscriber Samuel Moelius |
2024-07-14 22:47:06 |
Robie Basak |
apparmor (Ubuntu): assignee |
|
Robie Basak (racb) |
|
2024-07-14 22:47:15 |
Robie Basak |
apparmor (Ubuntu): status |
Confirmed |
In Progress |
|
2024-07-14 22:47:29 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2024-07-14 22:49:52 |
Robie Basak |
apparmor (Ubuntu): importance |
Undecided |
Critical |
|
2024-07-14 23:17:32 |
Robie Basak |
attachment added |
|
debdiffs https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+attachment/5797101/+files/debdiffs |
|
2024-07-15 00:35:08 |
Robie Basak |
apparmor (Ubuntu): assignee |
Robie Basak (racb) |
|
|
2024-07-15 00:35:11 |
Robie Basak |
apparmor (Ubuntu): status |
In Progress |
Triaged |
|
2024-07-15 01:14:59 |
Robie Basak |
nominated for series |
|
Ubuntu Noble |
|
2024-07-15 01:14:59 |
Robie Basak |
bug task added |
|
apparmor (Ubuntu Noble) |
|
2024-07-15 01:14:59 |
Robie Basak |
nominated for series |
|
Ubuntu Oracular |
|
2024-07-15 01:14:59 |
Robie Basak |
bug task added |
|
apparmor (Ubuntu Oracular) |
|
2024-07-15 01:15:04 |
Robie Basak |
apparmor (Ubuntu Noble): status |
New |
Triaged |
|
2024-07-15 01:15:07 |
Robie Basak |
apparmor (Ubuntu Noble): importance |
Undecided |
Critical |
|
2024-07-15 01:15:09 |
Robie Basak |
apparmor (Ubuntu Oracular): importance |
Critical |
High |
|
2024-07-15 17:19:37 |
hungry-mietner |
bug |
|
|
added subscriber hungry-mietner |
2024-07-15 20:54:59 |
Robie Basak |
apparmor (Ubuntu Noble): status |
Triaged |
Fix Committed |
|
2024-07-15 20:55:00 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-07-15 20:55:02 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2024-07-15 20:55:08 |
Robie Basak |
tags |
regression-update |
regression-update verification-needed verification-needed-noble |
|
2024-07-16 04:55:08 |
Kaan Batın Kolcu |
bug |
|
|
added subscriber Kaan Batın Kolcu |
2024-07-16 09:45:10 |
Alex Garel |
bug |
|
|
added subscriber Alex Garel |
2024-07-16 16:05:25 |
Andrea Agnolin |
bug watch added |
|
https://github.com/telegramdesktop/tdesktop/issues/28156 |
|
2024-07-16 17:00:59 |
Robie Basak |
tags |
regression-update verification-needed verification-needed-noble |
regression-update verification-done verification-done-noble |
|
2024-07-16 17:01:42 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2024-07-16 17:13:08 |
Launchpad Janitor |
apparmor (Ubuntu Noble): status |
Fix Committed |
Fix Released |
|
2024-07-16 17:45:38 |
Favaron |
bug |
|
|
added subscriber Favaron |
2024-07-16 22:10:09 |
Georgia Garcia |
attachment added |
|
apparmor_4.0.1-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+attachment/5797804/+files/apparmor_4.0.1-0ubuntu2.debdiff |
|
2024-07-17 00:29:33 |
Ubuntu Foundations Team Bug Bot |
tags |
regression-update verification-done verification-done-noble |
patch regression-update verification-done verification-done-noble |
|
2024-07-17 00:29:39 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors |
2024-07-17 05:28:12 |
Favaron |
removed subscriber Favaron |
|
|
|
2024-08-03 20:58:59 |
Launchpad Janitor |
apparmor (Ubuntu Oracular): status |
Triaged |
Fix Released |
|
2024-08-14 12:57:32 |
hifron |
bug watch added |
|
https://github.com/electron/electron/issues/41066 |
|
2024-08-14 12:57:32 |
hifron |
bug watch added |
|
https://github.com/electron-userland/electron-builder/issues/5371 |
|
2024-08-15 01:16:31 |
Chris Halse Rogers |
apparmor (Ubuntu Noble): status |
Fix Released |
Fix Committed |
|
2024-08-15 01:16:35 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-08-15 01:16:49 |
Chris Halse Rogers |
tags |
patch regression-update verification-done verification-done-noble |
patch regression-update verification-needed verification-needed-noble |
|
2024-08-22 15:40:30 |
Georgia Garcia |
tags |
patch regression-update verification-needed verification-needed-noble |
patch regression-update verification-done verification-done-noble |
|
2024-08-27 13:01:08 |
Lukas Märdian |
removed subscriber Ubuntu Sponsors |
|
|
|
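The bug description in this log quotes AppArmor `DENIED` audit lines from `journalctl`. As an added triage example (not part of the bug report or of AppArmor's own tooling), the script below parses lines of that shape and groups denials by profile, operation and denied mask. The sample log is constructed, with placeholder host, application and path names, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the kernel audit lines quoted in the
# report; host, application and path names are placeholders.
SAMPLE_LOG = """\
Jul 12 09:44:36 host systemd[2144]: Started app-flatpak-org.example.App-4010.scope.
Jul 12 09:44:37 host kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/user/.var/app/org.example.App/config/#317211" pid=4021 comm="app" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 host kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/user/.var/app/org.example.App/config/app.ini" pid=4021 comm="app" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/user/.var/app/org.example.App/config/#317211"
Jul 12 09:44:37 host kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/user/.var/app/org.example.App/config/app.ini" pid=4021 comm="app" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/user/.var/app/org.example.App/config/#317211"
Jul 12 09:44:38 host kernel: audit: type=1400 audit(1720741478.001:320): apparmor="ALLOWED" operation="open" class="file" profile="bwrap" name="/etc/hosts" pid=4021 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: value.strip('"') for key, value in KV.findall(line)}


def summarize_denials(text):
    """Group DENIED events by (profile, operation, denied_mask)."""
    summary = defaultdict(lambda: {"count": 0, "names": set()})
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if fields is None or fields.get("apparmor") != "DENIED":
            continue  # skip non-AppArmor lines and complain-mode ALLOWED events
        key = (fields.get("profile"), fields.get("operation"),
               fields.get("denied_mask"))
        summary[key]["count"] += 1
        summary[key]["names"].add(fields.get("name"))
    return dict(summary)


if __name__ == "__main__":
    for (profile, op, mask), info in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{profile}: {info['count']} x {op} (mask {mask})")
        for name in sorted(info["names"]):
            print(f"    {name}")
```

On a live system the same functions can be fed the text of `journalctl -k` output instead of the constructed sample.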