ubuntustudio-bugs team mailing list archive

Thread
Date
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

To: ubuntustudio-bugs@xxxxxxxxxxxxxxxxxxx
From: John Johansen <2046844@xxxxxxxxxxxxxxxxxx>
Date: Thu, 09 May 2024 22:15:35 -0000
Reply-to: Bug 2046844 <2046844@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
@jorge-lavila,

Its not a theoretical case, they have been used by multiple exploits
every year (including this one) since landing in the kernel. Ubuntu is
not the only ones looking at restricting them. SELinux has also picked
up the ability but they haven't really rolled it out in policy, there
are also discussions in other security forms (eg. the OSS security list)
about how to disable them better than the giant sysctl that turns them
off for everything.

The apparmor solution allows doing it on a per application basis. Yes it
deliberately requires a privileged operation, otherwise the restriction
could be trivially by-passed by exploit code. We know the experience is
not user friendly atm, and are working on improving it. Improving both
the flexibility on what is mediated on how the user can by-pass/disable
the restriction. On the GUI side the end goal is something similar to
what you get on MacOS where the user gets notified, and has to go to the
security center to enable running an untrusted application.

There is in fact a profile coming for bwrap, and unshare, but not the
unconfined profile that is being generically used to disable the
restriction. The profile will restrict certain modes of operation, and
prevent applications launch by it from having privilege within the user
namespace. It will open the ubuntu shipped versions up for regular users
again for many of its use cases.

Unfortunately untrusted code, which is the case of code downloaded into
the home dir, will require a privileged operation to be able to use user
namespaces. That could be the use of sudo when using the application, or
creating a profile for the application, which then allows the user to
subsequently use the application without a privileged operation.


** Also affects: tor (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in Wike:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Won't Fix
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in foliate package in Ubuntu:
  Fix Committed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in guix package in Ubuntu:
  New
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released
Status in tor package in Ubuntu:
  New
Status in wike package in Ubuntu:
  Fix Committed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions