debcrafters-packages team mailing list archive

Thread
Date
[Bug 2102033] Re: remmina blocked by apparmor in Plucky

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Christian Boltz <2102033@xxxxxxxxxxxxxxxxxx>
Date: Sun, 15 Jun 2025 09:25:35 -0000
Reply-to: Bug 2102033 <2102033@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Instead of adding workarounds and rules you think they might work, can
you please provide the DENIED log entries from /var/log/audit/audit.log
(ideally when trying without the rules you added)?

BTW: ssh-agent access probably needs access to $SSH_AUTH_SOCK - but
that's also something your audit.log will show.

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to remmina in Ubuntu.
https://bugs.launchpad.net/bugs/2102033

Title:
  remmina blocked by apparmor in Plucky

Status in apparmor package in Ubuntu:
  Fix Released
Status in remmina package in Ubuntu:
  Invalid
Status in apparmor source package in Plucky:
  In Progress
Status in remmina source package in Plucky:
  Invalid
Status in apparmor source package in Questing:
  Fix Released
Status in remmina source package in Questing:
  Invalid

Bug description:
  SRU Justification:

  [ Impact ]

  The remmina profile is missing a bunch of rules that would be needed
  in order to allow usage of all its functionality. For example, remmina
  lacked permissions to read ssh keys for the SSH and SFTP operation
  modes, lacked permissions to access KDE Wallet secret storage, and
  could not create files needed for TLS-secured RDP. As such, we will
  need to pull the remmina profile from Plucky to avoid breaking its
  usages.

  [ Test Plan ]

  After installation of the new AppArmor version, the machine might need
  to be rebooted. If a reboot between installation and test plan
  execution is needed for a test to pass, please mention it in the test
  plan execution notes so that we can determine if this is cause for
  verification test failure, expected behavior, or the result of an
  unrelated bug that we are not attempting to fix with this SRU.

   * Run `sudo aa-status` and look for a loaded remmina profile: it should not be there
   * If it is still there after installing the updated AppArmor and rebooting, report verification test failure
   * Launch remmina
   * Use ps -Zelf | grep -F remmina to locate the running remmina process
   * Read the output to verify that remmina is now unconfined
   * Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing its terminal (closing the GUI window is insufficient)
   * Install apparmor-profiles if it wasn't installed already
   * Repeat the above steps to verify that remmina is unconfined even when apparmor-profiles is also installed (including reboot if installing apparmor-profiles fresh)
   * Warning: remmina writes a .desktop file to automatically start itself upon login, which will complicate profile replacement if investigating remmina test failure

  [ Where problems could occur ]

  The removal of the profile should restore remmina's functionality to
  its original state before a profile was added, as an application would
  not rely on external AppArmor denials to function correctly. However,
  if a user set up custom profiles that use "peer=remmina" IPC rules,
  then these rules would break upon the upgrade removing the remmina
  profile. None of the officially shipped profiles include such rules.

  [ Other Info ]

  --------Original bug report:

  Remmina is now failing on plucky, blocked by apparmor:

  Failed to register:
  GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor
  policy prevents this sender from sending this message to this
  recipient; type="method_call", sender=":1.126" (uid=1000 pid=9636
  comm="remmina" label="remmina (enforce)") interface="org.gtk.Actions"
  member="DescribeAll" error name="(unset)" requested_reply="0"
  destination="org.remmina.Remmina" (uid=1000 pid=4366
  comm="/usr/bin/remmina -i" label="remmina (enforce)")

  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: remmina 1.4.39+dfsg-1
  ProcVersionSignature: Ubuntu 6.12.0-16.16-generic 6.12.11
  Uname: Linux 6.12.0-16-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.32.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Tue Mar 11 09:09:15 2025
  InstallationDate: Installed on 2024-10-30 (132 days ago)
  InstallationMedia: Ubuntu-Studio 24.10 "Oracular Oriole" - Release amd64 (20241007.1)
  SourcePackage: remmina
  UpgradeStatus: Upgraded to plucky on 2025-01-25 (45 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2102033/+subscriptions