debcrafters-packages team mailing list archive
Message #06358
[Bug 2102033] Re: remmina blocked by apparmor in Plucky
$ apt-cache policy apparmor
apparmor:
  Installed: 4.1.0~beta5-0ubuntu14.1
  Candidate: 4.1.0~beta5-0ubuntu14.1
  Version table:
 *** 4.1.0~beta5-0ubuntu14.1 100
        100 http://us.archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.0~beta5-0ubuntu14 500
        500 http://us.archive.ubuntu.com/ubuntu plucky/main amd64 Packages
Before reboot:
$ sudo aa-status | grep remmina
remmina
snap-update-ns.remmina
snap.remmina.hook.configure
snap.remmina.remmina
snap.remmina.ssh-agent
/usr/bin/remmina (485287) remmina
After reboot:
$ sudo aa-status | grep remmina
(no reply)
Launched remmina
$ ps -Zelf | grep -F remmina
unconfined 0 S erich 3875 3198 0 80 0 - 195325 do_pol 11:51 ? 00:00:00 /usr/bin/remmina -i
unconfined 0 S erich 5137 4847 0 80 0 - 2342 pipe_r 11:54 pts/1 00:00:00 grep --color=auto -F remmina
SSH protocol experienced no issues.
Quit remmina.
$ sudo apt install --mark-auto apparmor-profiles
Installing dependencies:
apparmor-profiles
Summary:
Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0
Download size: 41.4 kB
Space needed: 386 kB / 892 GB available
Get:1 http://us.archive.ubuntu.com/ubuntu plucky/main amd64 apparmor-profiles all 4.1.0~beta5-0ubuntu14 [41.4 kB]
Fetched 41.4 kB in 1s (71.3 kB/s)
Selecting previously unselected package apparmor-profiles.
(Reading database ... 502685 files and directories currently installed.)
Preparing to unpack .../apparmor-profiles_4.1.0~beta5-0ubuntu14_all.deb ...
Unpacking apparmor-profiles (4.1.0~beta5-0ubuntu14) ...
Setting up apparmor-profiles (4.1.0~beta5-0ubuntu14) ...
$ ps -Zelf | grep -F remmina
unconfined 0 S erich 6292 4847 0 80 0 - 2342 pipe_r 12:00 pts/1 00:00:00 grep --color=auto -F remmina
Reboot.
Launched remmina.
$ ps -Zelf | grep -F remmina
unconfined 0 S erich 3898 3234 0 80 0 - 197377 do_pol 12:02 ? 00:00:00 /usr/bin/remmina -i
unconfined 0 S erich 4885 4858 0 80 0 - 2342 pipe_r 12:02 pts/1 00:00:00 grep --color=auto -F remmina
SSH test again experienced no issues. Also VNC and RDP tests experienced
no issues.
** Tags removed: verification-needed verification-needed-plucky
** Tags added: verification-done verification-done-plucky
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to remmina in Ubuntu.
https://bugs.launchpad.net/bugs/2102033
Title:
remmina blocked by apparmor in Plucky
Status in apparmor package in Ubuntu:
Fix Released
Status in remmina package in Ubuntu:
Invalid
Status in apparmor source package in Plucky:
Fix Committed
Status in remmina source package in Plucky:
Invalid
Status in apparmor source package in Questing:
Fix Released
Status in remmina source package in Questing:
Invalid
Bug description:
SRU Justification:
[ Impact ]
The remmina profile is missing a bunch of rules that would be needed
in order to allow usage of all its functionality. For example, remmina
lacked permissions to read ssh keys for the SSH and SFTP operation
modes, lacked permissions to access KDE Wallet secret storage, and
could not create files needed for TLS-secured RDP. As such, we will
need to pull the remmina profile from Plucky to avoid breaking its
usages.
[ Test Plan ]
* Run `sudo aa-status` and look for a loaded remmina profile: it should not be there
* If it is still there after installing the updated AppArmor and rebooting, report verification test failure
* Launch remmina
* Use ps -Zelf | grep -F remmina to locate the running remmina process
* Read the output to verify that remmina is now unconfined
* The following steps exercise the SSH operation mode of remmina to verify that it is not broken:
  - Set up a different server that uses SSH pubkey authentication, place the keypair inside the Plucky client's `~/.ssh`, and verify from a terminal window that the keypair works as authentication for SSHing into the server
  - Click the '+' button to add a new connection
  - Set the protocol to SSH
  - Enter the server URL and set the authentication type to 'SSH identity file'
  - Check the 'SSH identity file' checkbox and select the private key inside `~/.ssh`. If a permission denial occurs when trying to select the file, report verification test failure
  - Click the 'Connect' button and follow any prompt it might show, which should end with successfully opening a remote shell
* Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing its terminal (closing the GUI window is insufficient)
* Install apparmor-profiles if it wasn't installed already
* Repeat the above steps to verify that remmina is unconfined even when apparmor-profiles is also installed (including reboot if installing apparmor-profiles fresh)
* Warning: remmina writes a .desktop file to automatically start itself upon login, which will complicate profile replacement or removal if investigating remmina test failure
[ Where problems could occur ]
The removal of the profile should restore remmina's functionality to
its original state before a profile was added, as an application would
not rely on external AppArmor denials to function correctly. However,
if a user set up custom profiles that use "peer=remmina" IPC rules,
then these rules would break upon the upgrade removing the remmina
profile. None of the officially shipped profiles include such rules.
[ Other Info ]
--------Original bug report:
Remmina is now failing on plucky, blocked by apparmor:
Failed to register:
GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor
policy prevents this sender from sending this message to this
recipient; type="method_call", sender=":1.126" (uid=1000 pid=9636
comm="remmina" label="remmina (enforce)") interface="org.gtk.Actions"
member="DescribeAll" error name="(unset)" requested_reply="0"
destination="org.remmina.Remmina" (uid=1000 pid=4366
comm="/usr/bin/remmina -i" label="remmina (enforce)")
ProblemType: Bug
DistroRelease: Ubuntu 25.04
Package: remmina 1.4.39+dfsg-1
ProcVersionSignature: Ubuntu 6.12.0-16.16-generic 6.12.11
Uname: Linux 6.12.0-16-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.32.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Tue Mar 11 09:09:15 2025
InstallationDate: Installed on 2024-10-30 (132 days ago)
InstallationMedia: Ubuntu-Studio 24.10 "Oracular Oriole" - Release amd64 (20241007.1)
SourcePackage: remmina
UpgradeStatus: Upgraded to plucky on 2025-01-25 (45 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2102033/+subscriptions
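
The confinement check from the test plan and the "peer=remmina" audit from "Where problems could occur", as an added shell example that is not part of the original message or of the AppArmor packaging. The function names (`label_of_procs`, `verify_unconfined`, `peer_refs`) and the optional alternate proc/profile directory arguments are assumptions made for illustration; labels are read from `/proc/PID/attr/current`, which avoids both the `grep` self-match seen in the `ps -Zelf` output and field shifts caused by labels such as `remmina (enforce)`.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the bug report).

# label_of_procs NAME [PROCROOT]
# Print "PID LABEL" for every process whose comm equals NAME.
# The label comes from attr/current; "?" means it could not be read.
label_of_procs() {
    name=$1; root=${2:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        [ "$(cat "$d/comm" 2>/dev/null)" = "$name" ] || continue
        label=$(cat "$d/attr/current" 2>/dev/null) || label=
        printf '%s %s\n' "${d##*/}" "${label:-?}"
    done
}

# verify_unconfined NAME [PROCROOT]
# Returns 0 if NAME is running and every instance is unconfined,
#         1 if any instance carries another (or unreadable) label,
#         2 if no instance is running (launch it first, per the test plan).
verify_unconfined() {
    out=$(label_of_procs "$@")
    [ -n "$out" ] || return 2
    if printf '%s\n' "$out" | grep -qv ' unconfined$'; then
        return 1
    fi
    return 0
}

# peer_refs LABEL [PROFILEDIR]
# List local profile lines with peer=LABEL or peer=(... label=LABEL) rules,
# i.e. rules that stop matching once the LABEL profile is removed.
# LABEL is used inside a regex, so pass a plain profile name.
peer_refs() {
    grep -rnE 'peer=(\(.*label=)?"?'"$1"'"?([[:space:],)]|$)' \
        "${2:-/etc/apparmor.d}" 2>/dev/null
}

# Optional dispatch: sh check.sh verify_unconfined remmina
#                    sh check.sh peer_refs remmina
[ $# -eq 0 ] || "$@"
```
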