ubuntustudio-bugs team mailing list archive

Thread
Date
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

To: ubuntustudio-bugs@xxxxxxxxxxxxxxxxxxx
From: Aaron Rainbolt <2046844@xxxxxxxxxxxxxxxxxx>
Date: Thu, 09 May 2024 19:16:12 -0000
Reply-to: Bug 2046844 <2046844@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Unless your app and Bubblewrap can both work without any capabilities in
an unprivileged user namespace, things will probably go south. You
should probably be installing an AppArmor profile for your app that
allows you to use unprivileged user namespaces normally again, as
described in Comment 5
(https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/comments/5).
You can look at `/etc/apparmor.d/chrome` as an example profile, and make
your profile similar. This will require that your build of Bubblewrap be
installed into a static location on the filesystem - if you're depending
on Bubblewrap working no matter where the binary is on the filesystem
(for instance, if your app is portable and is shipped as a .tar.gz that
people unpack into their home dir and then use), you'll need to turn off
the user namespace restrictions entirely during the install process, as
described in the Ubuntu 24.04 release notes
(https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-
notes/39890):

* Disable this restriction using a persistent setting by adding a new
file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following
contents:

  kernel.apparmor_restrict_unprivileged_userns=0

  Reboot. This is similar to the previous behaviour, but it does not
mitigate against kernel exploits that abuse the unprivileged user
namespaces feature.

Try to avoid using the "disable unprivileged user namespace restriction"
solution if at all possible.

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in Wike:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Won't Fix
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in foliate package in Ubuntu:
  Fix Committed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in guix package in Ubuntu:
  New
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released
Status in wike package in Ubuntu:
  Fix Committed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions