edubuntu-bugs team mailing list archive

Thread
Date

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

To: edubuntu-bugs@xxxxxxxxxxxxxxxxxxx
From: John Johansen <2046844@xxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Feb 2024 05:22:56 -0000
Reply-to: Bug 2046844 <2046844@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

So appimages are interesting. They don't all need a profile. I have run
several that are not using user namespaces, or only need to be able to
create the user namespace and don't need capabilities so the default
unpriviled_userns profile works for them.

It is applications that need privileges within their namespace that are
problematic.

Right now no matter what we do, we are stuck with less than satisfactory
solutions. The user must physically intervene in some way to make it so
the application can run.

I see basically 3 options.

1. Just have the user fix manually, a really bad experience.
2. Seth's suggestion of creating a small script to create a template profile
3. have a default profile already loaded as part of the base set and go with the security label approach. ie. tag the appimage with an apparmor security xattr.

Neither 2, or 3 can determine the set of needed capabilities in advance,
but the current approach is to just grant the capabilities (unconfined
mode), we will be able to restrict that better in 24.10 but there just
isn't time to land the improved capabilities work for 24.04.

Approach 1 could address the capabilities but, that is an awful lot of
pain to put on the user.

All approaches will require user to have access to sudo because loading
profiles and creating the security xattr are privileged operations.

If aa-notify is installed we could alert the user, and give them
directions to a document explaining what to do. This would require some
work to seed aa-notify by default (would have to be approved by the
different flavors). To make this more amenable we could add a new
mode/default filter that only notifies for user namespace denials. This
is a small chunk of work that could be achieved in the next two weeks.


The long term goal is to create a behavior similar to what the mac is doing with downloaded applications. The unknown application will create a prompt and the user will need to go to the security center to enable it.

As for restraints on appimages, I wouldn't bother for 24.04, there just
isn't time. This side of things will get improvements as well. These
template profiles are just a start and are to get fleshed out in the
future. Prompting the user for certain accesses etc is coming in the
future as well. For now lets just focus on the basics of getting
applications to work.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions