ubuntustudio-bugs team mailing list archive
Message #12019
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
I seem to have the same apparmor problem with Chrome under Lubuntu
24.04. From "$ journalctl | grep apparmor | grep chrome" I got
info="Userns create restricted - failed to find unprivileged_userns
profile" (among other things). And it's been reproduced by another as
the following relates.
Can anyone help? Much more detail below. And you can email me:
DAL@xxxxxxxxxx.
With prior Lubuntu versions, I wget'd the latest Chrome deb from Google and
installed it via sudo dpkg -i. Usually it worked quite well. Now with
Lubuntu 24.04, I downloaded the latest Chrome deb the same way on Apr.
28, 2024, but Chrome's not working.
If I run /usr/bin/google-chrome or /usr/bin/google-chrome-stable:
```
$ google-chrome
[55151:55151:0428/224255.271437:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)
```
or
```
$ google-chrome-stable
[55166:55166:0428/224300.689874:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)
```
Meanwhile, $ sudo netstat -antvp shows active connections to multiple
IPs associated with Google, presumably because I tried multiple times to
get Chrome to launch.
Then,
```
$ ls /etc/apparmor.d
1password firefox lxc-stop rootlesskit scide usr.bin.redshift
Discord flatpak lxc-unshare rpm signal-desktop usr.bin.tcpdump
MongoDB_Compass force-complain lxc-usernsexec rssguard slack usr.lib.libreoffice.program.oosplash
QtWebEngineProcess geary mmdebstrap rsyslog.d slirp4netns usr.lib.libreoffice.program.senddoc
abi github-desktop msedge runc steam usr.lib.libreoffice.program.soffice.bin
abstractions goldendict nautilus sbuild stress-ng usr.lib.libreoffice.program.xpdfimport
brave ipa_verify notepadqq sbuild-abort surfshark usr.lib.snapd.snap-confine.real
buildah kchmviewer nvidia_modprobe sbuild-adduser systemd-coredump usr.sbin.cups-browsed
busybox keybase obsidian sbuild-apt thunderbird usr.sbin.cupsd
cam lc-compliance opam sbuild-checkpackages toybox usr.sbin.rsyslogd
ch-checkns libcamerify opera sbuild-clean trinity uwsgi-core
ch-run linux-sandbox pageedit sbuild-createchroot tunables vdens
chrome local plasmashell sbuild-destroychroot tup virtiofsd
code loupe podman sbuild-distupgrade tuxedo-control-center vivaldi-bin
crun lsb_release polypane sbuild-hold ubuntu_pro_apt_news vpnns
devhelp lxc-attach privacybrowser sbuild-shell unix-chkpwd wpcom
element-desktop lxc-create qcam sbuild-unhold unprivileged_userns
epiphany lxc-destroy qmapshack sbuild-update userbindmount
evolution lxc-execute qutebrowser sbuild-upgrade usr.bin.man
```
and
```
$ cat /etc/apparmor.d/chrome
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile chrome /opt/google/chrome/chrome flags=(unconfined) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
}
```
This didn't work either:
```
$ /opt/google/chrome/chrome
[0429/105700.793962:WARNING:chrome_main_linux.cc(80)] Read channel stable from /opt/google/chrome/CHROME_VERSION_EXTRA
[66808:66808:0429/105700.802212:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)
```
Note that I also ran this:
```
$ journalctl | grep apparmor | grep chrome
Apr 28 21:22:42 lubuntu kernel: audit: type=1400 audit(1714364562.824:140): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromedriver" pid=19182 comm="apparmor_parser"
Apr 28 22:04:11 lubuntu kernel: audit: type=1400 audit(1714367051.521:200): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=46114 comm="chrome" requested="userns_create" denied="userns_create" target="unprivileged_userns"
```
Someone else reproduced this, following these steps:
```
1. figured out what version of apparmor contained the fix
2. booted the live image
3. checked that the version of apparmor on the live image was greater than or equal to the version with the fix
4. installed chrome
5. ran chrome on the command line, specifically using the path specified in the apparmor profile
6. got the same error you did
7. checked the logs and I see the error that it can't find the profile
```
Can anyone help? Maybe there's a way for me to pull off the unconfined
apparmor workaround?
--
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
Status in AppArmor:
New
Status in Wike:
New
Status in akonadiconsole package in Ubuntu:
Fix Released
Status in akregator package in Ubuntu:
Fix Released
Status in angelfish package in Ubuntu:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Status in bubblewrap package in Ubuntu:
Confirmed
Status in cantor package in Ubuntu:
Fix Released
Status in devhelp package in Ubuntu:
Fix Released
Status in digikam package in Ubuntu:
Fix Released
Status in epiphany-browser package in Ubuntu:
Fix Released
Status in evolution package in Ubuntu:
Fix Released
Status in falkon package in Ubuntu:
Fix Released
Status in firefox package in Ubuntu:
Confirmed
Status in foliate package in Ubuntu:
Fix Committed
Status in freecad package in Ubuntu:
Invalid
Status in geary package in Ubuntu:
Fix Released
Status in ghostwriter package in Ubuntu:
Fix Released
Status in gnome-packagekit package in Ubuntu:
Invalid
Status in goldendict-webengine package in Ubuntu:
Fix Released
Status in guix package in Ubuntu:
New
Status in kalgebra package in Ubuntu:
Fix Released
Status in kchmviewer package in Ubuntu:
Fix Released
Status in kdeplasma-addons package in Ubuntu:
Fix Released
Status in kgeotag package in Ubuntu:
Fix Released
Status in kiwix package in Ubuntu:
Incomplete
Status in kmail package in Ubuntu:
Fix Released
Status in konqueror package in Ubuntu:
Fix Released
Status in kontact package in Ubuntu:
Fix Released
Status in loupe package in Ubuntu:
Fix Released
Status in marble package in Ubuntu:
Fix Released
Status in notepadqq package in Ubuntu:
Fix Released
Status in opam package in Ubuntu:
Fix Released
Status in pageedit package in Ubuntu:
Fix Released
Status in plasma-desktop package in Ubuntu:
Fix Released
Status in plasma-welcome package in Ubuntu:
Fix Released
Status in privacybrowser package in Ubuntu:
Invalid
Status in qmapshack package in Ubuntu:
Fix Released
Status in qutebrowser package in Ubuntu:
Fix Released
Status in rssguard package in Ubuntu:
Fix Released
Status in steam package in Ubuntu:
Fix Released
Status in supercollider package in Ubuntu:
Fix Released
Status in tellico package in Ubuntu:
Fix Released
Status in wike package in Ubuntu:
Fix Committed
Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with
Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
this error
```
$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)

$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrêt et de trace (core dumped)
```
Thanks for your help!
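A triage sketch for the `journalctl | grep apparmor` output quoted in the message above, added here as an example and not part of the original thread: it parses the kernel audit records, keeps only `userns_create` denials, and groups them by process name, attached profile and target profile. The third sample line and the names `parse_audit` and `triage` are constructed for illustration.

```python
import re

# Lines 1-2 are the audit records quoted in the message; line 3 is constructed.
SAMPLE = [
    'Apr 28 21:22:42 lubuntu kernel: audit: type=1400 audit(1714364562.824:140): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromedriver" pid=19182 comm="apparmor_parser"',
    'Apr 28 22:04:11 lubuntu kernel: audit: type=1400 audit(1714367051.521:200): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=46114 comm="chrome" requested="userns_create" denied="userns_create" target="unprivileged_userns"',
    'Apr 28 22:05:02 lubuntu kernel: audit: type=1400 audit(1714367102.100:201): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=46200 comm="chrome" requested="userns_create" denied="userns_create" target="unprivileged_userns"',
]

# key="quoted value" or key=bare_value, as used in AppArmor audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line)}

def triage(lines):
    """Group userns_create denials by (comm, profile, target)."""
    groups = {}
    for line in lines:
        rec = parse_audit(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue  # skip STATUS/ALLOWED records and non-AppArmor lines
        if rec.get("operation") != "userns_create":
            continue
        key = (rec.get("comm", "?"), rec.get("profile", "?"), rec.get("target", "?"))
        g = groups.setdefault(key, {"count": 0, "pids": set(), "info": rec.get("info", "")})
        g["count"] += 1
        g["pids"].add(int(rec.get("pid", 0)))
    report = []
    for (comm, profile, target), g in sorted(groups.items()):
        report.append({
            "comm": comm, "profile": profile, "target": target,
            "count": g["count"], "pids": sorted(g["pids"]),
            # profile="unconfined": the process ran without a named profile attached
            "unconfined": profile == "unconfined",
            "info": g["info"],
        })
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A row with `unconfined` set to true for `comm="chrome"` shows that the process was not running under the `chrome` profile listed in `/etc/apparmor.d`, which is the detail to check first when comparing against `aa-status` output.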