Comment 37 for bug 2046844

John Johansen (jjohansen) wrote :

So appimages are interesting. They don't all need a profile. I have run several that are not using user namespaces, or only need to be able to create the user namespace and don't need capabilities, so the default unprivileged_userns profile works for them.

It is applications that need privileges within their namespace that are problematic.

Right now, no matter what we do, we are stuck with less than satisfactory solutions. The user must physically intervene in some way to make it so the application can run.

I see basically 3 options.

1. Just have the user fix it manually, a really bad experience.
2. Seth's suggestion of creating a small script to create a template profile.
3. Have a default profile already loaded as part of the base set and go with the security label approach, i.e. tag the appimage with an apparmor security xattr.

Neither 2 nor 3 can determine the set of needed capabilities in advance, but the current approach is to just grant the capabilities (unconfined mode); we will be able to restrict that better in 24.10, but there just isn't time to land the improved capabilities work for 24.04.

Approach 1 could address the capabilities, but that is an awful lot of pain to put on the user.

All approaches will require the user to have access to sudo, because loading profiles and creating the security xattr are privileged operations.

If aa-notify is installed we could alert the user, and give them directions to a document explaining what to do. This would require some work to seed aa-notify by default (would have to be approved by the different flavors). To make this more amenable we could add a new mode/default filter that only notifies for user namespace denials. This is a small chunk of work that could be achieved in the next two weeks.

The long-term goal is to create a behavior similar to what the Mac is doing with downloaded applications. The unknown application will create a prompt and the user will need to go to the security center to enable it.

As for restraints on appimages, I wouldn't bother for 24.04, there just isn't time. This side of things will get improvements as well. These template profiles are just a start and are to get fleshed out in the future. Prompting the user for certain accesses etc. is coming in the future as well. For now let's just focus on the basics of getting applications to work.
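As an added illustration of option 2 above (example code, not from this bug thread or from the AppArmor project), a small POSIX shell script that generates and loads a template profile for one AppImage. It assumes AppArmor 4.0 profile syntax as shipped in Ubuntu 24.04; the AppImage path, the `appimage.` name prefix and the `/etc/apparmor.d` location are example choices.

```shell
#!/bin/sh
# Template AppArmor profile generator for a single AppImage (added example).
# As the comment above describes, the profile permits creating a user
# namespace ("userns") and otherwise runs in unconfined mode, which grants the
# application its capabilities rather than a minimal set. Assumes abi/4.0.
set -eu

# profile_name_for ABS_PATH -> a profile identifier derived from the file name.
# Hypothetical naming scheme: "appimage." plus the basename, non-alphanumerics
# replaced by "_".
profile_name_for() {
    printf 'appimage.%s\n' "$(basename "$1" | tr -c 'A-Za-z0-9\n' '_')"
}

# gen_appimage_profile ABS_PATH -> prints the profile text on stdout.
# Refuses relative paths: the attachment must match the executed file.
gen_appimage_profile() {
    path=$1
    case $path in
        /*) ;;
        *)  echo "gen_appimage_profile: path must be absolute: $path" >&2
            return 1 ;;
    esac
    name=$(profile_name_for "$path")
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# Template profile for $path: allow user namespaces, otherwise unconfined.
profile $name "$path" flags=(unconfined) {
  userns,

  # Site-specific additions and overrides.
  include if exists <local/$name>
}
EOF
}

# install_appimage_profile ABS_PATH -> writes the profile under /etc/apparmor.d
# and loads (or replaces) it. Needs root, as the comment notes; the generator
# functions above do not.
install_appimage_profile() {
    name=$(profile_name_for "$1")
    gen_appimage_profile "$1" > "/etc/apparmor.d/$name"
    apparmor_parser -r "/etc/apparmor.d/$name"
}

# Usage: sudo sh gen-appimage-profile.sh /home/user/Applications/Foo.AppImage
if [ "$#" -eq 1 ]; then
    install_appimage_profile "$1"
fi
```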