debcrafters-packages team mailing list archive

Thread
Date
[Bug 2102033] Re: remmina blocked by apparmor in Plucky

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Erich Eickmeyer <2102033@xxxxxxxxxxxxxxxxxx>
Date: Mon, 01 Sep 2025 19:04:58 -0000
Reply-to: Bug 2102033 <2102033@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
$ apt-cache policy apparmor
apparmor:
  Installed: 4.1.0~beta5-0ubuntu14.1
  Candidate: 4.1.0~beta5-0ubuntu14.1
  Version table:
 *** 4.1.0~beta5-0ubuntu14.1 100
        100 http://us.archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.0~beta5-0ubuntu14 500
        500 http://us.archive.ubuntu.com/ubuntu plucky/main amd64 Packages


Before reboot:

$ sudo aa-status | grep remmina
   remmina
   snap-update-ns.remmina
   snap.remmina.hook.configure
   snap.remmina.remmina
   snap.remmina.ssh-agent
   /usr/bin/remmina (485287) remmina

After reboot:

$ sudo aa-status | grep remmina

(no reply)

Launched remmina

$ ps -Zelf | grep -F remmina
unconfined                      0 S erich       3875    3198  0  80   0 - 195325 do_pol 11:51 ?       00:00:00 /usr/bin/remmina -i
unconfined                      0 S erich       5137    4847  0  80   0 -  2342 pipe_r 11:54 pts/1    00:00:00 grep --color=auto -F remmina

SSH protocol experienced no isssues.
Quit remmina.

$ sudo apt install --mark-auto apparmor-profiles
Installing dependencies:
  apparmor-profiles

Summary:
  Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0
  Download size: 41.4 kB
  Space needed: 386 kB / 892 GB available

Get:1 http://us.archive.ubuntu.com/ubuntu plucky/main amd64 apparmor-profiles all 4.1.0~beta5-0ubuntu14 [41.4 kB]
Fetched 41.4 kB in 1s (71.3 kB/s)
Selecting previously unselected package apparmor-profiles.
(Reading database ... 502685 files and directories currently installed.)
Preparing to unpack .../apparmor-profiles_4.1.0~beta5-0ubuntu14_all.deb ...
Unpacking apparmor-profiles (4.1.0~beta5-0ubuntu14) ...
Setting up apparmor-profiles (4.1.0~beta5-0ubuntu14) ...

$ ps -Zelf | grep -F remmina
unconfined                      0 S erich       6292    4847  0  80   0 -  2342 pipe_r 12:00 pts/1    00:00:00 grep --color=auto -F remmina

Reboot.
Launched remmina.

$ ps -Zelf | grep -F remmina
unconfined                      0 S erich       3898    3234  0  80   0 - 197377 do_pol 12:02 ?       00:00:00 /usr/bin/remmina -i
unconfined                      0 S erich       4885    4858  0  80   0 -  2342 pipe_r 12:02 pts/1    00:00:00 grep --color=auto -F remmina

SSH test again experienced no issues. Also VNC and RDP tests experienced
no issues.


** Tags removed: verification-needed verification-needed-plucky
** Tags added: verification-done verification-done-plucky

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to remmina in Ubuntu.
https://bugs.launchpad.net/bugs/2102033

Title:
  remmina blocked by apparmor in Plucky

Status in apparmor package in Ubuntu:
  Fix Released
Status in remmina package in Ubuntu:
  Invalid
Status in apparmor source package in Plucky:
  Fix Committed
Status in remmina source package in Plucky:
  Invalid
Status in apparmor source package in Questing:
  Fix Released
Status in remmina source package in Questing:
  Invalid

Bug description:
  SRU Justification:

  [ Impact ]

  The remmina profile is missing a bunch of rules that would be needed
  in order to allow usage of all its functionality. For example, remmina
  lacked permissions to read ssh keys for the SSH and SFTP operation
  modes, lacked permissions to access KDE Wallet secret storage, and
  could not create files needed for TLS-secured RDP. As such, we will
  need to pull the remmina profile from Plucky to avoid breaking its
  usages.

  [ Test Plan ]

   * Run `sudo aa-status` and look for a loaded remmina profile: it should not be there
   * If it is still there after installing the updated AppArmor and rebooting, report verification test failure
   * Launch remmina
   * Use ps -Zelf | grep -F remmina to locate the running remmina process
   * Read the output to verify that remmina is now unconfined
   * The following steps exercise the SSH operation mode of remmina to verify that it is not broken:
     - Set up a different server that uses SSH pubkey authentication, place the keypair inside the Plucky client's `~/.ssh`, and verify from a terminal window that the keypair works as authentication for SSHing into the server
     - Click the '+' button to add a new connection
     - Set the protocol to SSH
     - Enter the server URL and set the authentication type to 'SSH identity file'
     - Check the 'SSH identity file' checkbox and select the private key inside `~/.ssh`. If a permission denial occurs when trying to select the file, report verification test failure
     - Click the 'Connect' button and follow any prompt it might show, which should end with successfully opening a remote shell
   * Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing its terminal (closing the GUI window is insufficient)
   * Install apparmor-profiles if it wasn't installed already
   * Repeat the above steps to verify that remmina is unconfined even when apparmor-profiles is also installed (including reboot if installing apparmor-profiles fresh)
   * Warning: remmina writes a .desktop file to automatically start itself upon login, which will complicate profile replacement or removal if investigating remmina test failure

  [ Where problems could occur ]

  The removal of the profile should restore remmina's functionality to
  its original state before a profile was added, as an application would
  not rely on external AppArmor denials to function correctly. However,
  if a user set up custom profiles that use "peer=remmina" IPC rules,
  then these rules would break upon the upgrade removing the remmina
  profile. None of the officially shipped profiles include such rules.

  [ Other Info ]

  --------Original bug report:

  Remmina is now failing on plucky, blocked by apparmor:

  Failed to register:
  GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor
  policy prevents this sender from sending this message to this
  recipient; type="method_call", sender=":1.126" (uid=1000 pid=9636
  comm="remmina" label="remmina (enforce)") interface="org.gtk.Actions"
  member="DescribeAll" error name="(unset)" requested_reply="0"
  destination="org.remmina.Remmina" (uid=1000 pid=4366
  comm="/usr/bin/remmina -i" label="remmina (enforce)")

  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: remmina 1.4.39+dfsg-1
  ProcVersionSignature: Ubuntu 6.12.0-16.16-generic 6.12.11
  Uname: Linux 6.12.0-16-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.32.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Tue Mar 11 09:09:15 2025
  InstallationDate: Installed on 2024-10-30 (132 days ago)
  InstallationMedia: Ubuntu-Studio 24.10 "Oracular Oriole" - Release amd64 (20241007.1)
  SourcePackage: remmina
  UpgradeStatus: Upgraded to plucky on 2025-01-25 (45 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2102033/+subscriptions