ubuntustudio-bugs team mailing list archive

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

 

So the answer is it depends on how they are using unprivileged user
namespaces and how they react to them being denied; not every
application needs to be patched separately.

Generally speaking GNOME has been better tested than KDE has, because
GNOME, being the Ubuntu default, saw a lot more opt-in testing in Lunar
and Mantic. There are also some differences in how GNOME and KDE handle
their respective browser components that have made KDE currently
require more direct patching.

We do have some improvements coming down the pipe that will make it
easier to have a few more generic profiles to cover different use
patterns. E.g. not all uses of user namespaces set up mappings for the
user; some will fall back to a degraded sandbox if an unprivileged user
namespace isn't available, while others will refuse to function.

Scarlett is doing excellent work within the current limitations. That
work will continue to function once the improvements have landed, but it
is likely you will see refinements on the current work once those
improvements are available.

In general developers are going to have to become aware that user
namespaces are going to be more restricted going forward, as it's not
just Canonical/AppArmor pushing on this but SELinux, and likely other
LSMs as well in the future. E.g. I have seen the BPF LSM using this, and I
expect to see some work on the Smack side, because the original LSM hook
proposals for user namespace mediation came out of some work they did.

As for GNOME devs being aware of this bug, yes some are, but it has not
atm been a major issue for them. Long term I expect both KDE and GNOME
to take this as a policy issue for the respective LSMs, except when it
surfaces code bugs, like some of their library code failing to check if
clone/unshare failed, leading to a crash.

Fixing policy to deal with how applications, GNOME and KDE use user
namespaces will be largely an upstream LSM or distro problem.

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Fix Released
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  In Progress
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  In Progress
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  In Progress
Status in konqueror package in Ubuntu:
  In Progress
Status in kontact package in Ubuntu:
  In Progress
Status in marble package in Ubuntu:
  In Progress
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  In Progress

Bug description:
  Hi, I run the Ubuntu development branch 24.04 and I have a problem with
  the Epiphany browser 45.1-1 (GNOME Web): the program doesn't launch, and I
  get this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions
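The comment above describes two distinct things: a policy decision (an LSM denying unprivileged user namespace creation) and a code bug (library code that never checks whether `clone`/`unshare` failed, so the denial surfaces as a crash). The `bwrap: Creating new namespace failed: Permission denied` line in the report is the denied syscall; the abort that follows is the caller treating that as fatal. The following is an added example, not code from this mailing list thread or from the AppArmor, bubblewrap, GNOME or KDE projects. It probes for user namespace support in a forked child (so the caller's own namespaces are untouched), reports the errno instead of ignoring it, and lets the caller choose between the degraded-sandbox and refuse-to-run behaviours the comment mentions. All function and enum names (`probe_userns`, `select_sandbox`, `describe_denial`, `sandbox_mode`) are hypothetical names chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for this example; not an API of any project named in the thread. */
typedef enum {
    SANDBOX_FULL,      /* an unprivileged user namespace could be created */
    SANDBOX_DEGRADED,  /* run with a reduced sandbox instead of aborting */
    SANDBOX_REFUSE     /* the application's policy: do not run without the full sandbox */
} sandbox_mode;

/*
 * Probe whether this process may create an unprivileged user namespace.
 * unshare() runs in a forked child so the probing process stays in its
 * original namespaces.  Returns 0 if the namespace was created, the errno
 * from unshare() if it was denied, or the errno from fork()/waitpid() if the
 * probe itself could not run.  Linux errno values fit in the 8-bit exit status.
 */
int probe_userns(void) {
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    if (!WIFEXITED(status))
        return EIO;   /* child died abnormally (e.g. killed): treat as "no userns" */
    return WEXITSTATUS(status);
}

/* Human-readable reason for a failed probe, for logging rather than aborting. */
const char *describe_denial(int err) {
    switch (err) {
    case 0:      return "user namespace available";
    case EPERM:  return "denied by LSM policy or a capability check";
    case EINVAL: return "user namespaces not supported by this kernel";
    case ENOSPC:
    case EUSERS: return "namespace limit reached";
    default:     return strerror(err);
    }
}

/*
 * The check the comment says some library code skips: the result of the
 * namespace creation is inspected, and a failure becomes a deliberate
 * degrade-or-refuse decision rather than an unhandled crash.
 */
sandbox_mode select_sandbox(int probe_err, int allow_degraded) {
    if (probe_err == 0)
        return SANDBOX_FULL;
    return allow_degraded ? SANDBOX_DEGRADED : SANDBOX_REFUSE;
}

const char *sandbox_name(sandbox_mode m) {
    switch (m) {
    case SANDBOX_FULL:     return "full";
    case SANDBOX_DEGRADED: return "degraded";
    default:               return "refuse";
    }
}

int main(void) {
    int err = probe_userns();
    /* allow_degraded = 1 models an application that prefers a weaker sandbox to not running. */
    sandbox_mode m = select_sandbox(err, 1);
    if (err != 0)
        fprintf(stderr, "unprivileged user namespace unavailable: %s\n", describe_denial(err));
    printf("sandbox mode: %s\n", sandbox_name(m));
    return m == SANDBOX_REFUSE ? 1 : 0;
}
```

Running this on a host where the restriction is active prints the policy reason on stderr and continues in degraded mode, which is the behaviour the comment contrasts with applications that refuse to function; whether a given application should degrade or refuse is the policy question the comment leaves to the projects and the LSMs. On Ubuntu 23.10 and later the restriction itself is controlled by the `kernel.apparmor_restrict_unprivileged_userns` sysctl, so the probe result is what an administrator's policy, not the application, decides.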