Unfortunately Joplin is only shipped as an AppImage for Linux, which
means we can not ship a profile for it by default that will allow it to
use capabilities within the unprivileged user namespace that the
Electron embedded browser is attempting to use.

This means that the user is required to intervene to enable an electron
based appimage so that it can be run. Unfortunately for 24.04 this means
some manual command line based intervention, instead of using a GUI like
on MacOS when a user needs to enable an application downloaded from the
internet.

This change is deliberate to increase the security of Ubuntu systems,
and while we will work on improving the user experience of the requirement
to have the user approve applications that are using privileged kernel
interfaces, there is no plan to revert this change. You can read more
about this in the release notes:
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890


If you look in the kernel logs (or dmesg) you will find an AppArmor
message similar to the ones below showing what is causing your issue.

```
$ sudo dmesg | grep "apparmor=\"AUDIT"

[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
```
and
```
$ sudo dmesg | grep DENIED

[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21  capname="sys_admin"
```

Unfortunately unprivileged user namespaces are using privileged kernel
interfaces (above protected by the capability sys_admin) that have now been
restricted to known applications because they have been used in a lot of
exploit chains.

You can add a profile for the application by copying the profile from
below into /etc/apparmor.d/ and then updating it by replacing
`/home/jj/Downloads/Joplin-2.14.20.AppImage` with the location you
are running your Joplin AppImage from.

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile joplin /home/jj/Downloads/Joplin-2.14.20.AppImage flags=(unconfined) {
  # Allow the application to create user namespaces
  userns,

  # Site-specific additions and overrides. See local/README for details.
  # (The include names this profile's own local file rather than
  # firefox's, so local firefox overrides are not pulled in here.)
  include if exists <local/joplin>
}
```

Once that is done you can do
```
$ sudo apparmor_parser -r /etc/apparmor.d/joplin
```

That will allow you to run Joplin without having to reboot. Having the
joplin profile in /etc/apparmor.d/ will ensure it is reloaded if you
reboot.
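
To make the dmesg check above repeatable, here is an added example (not from the bug report or the AppArmor project) that parses these audit lines and reports which processes were blocked by the unprivileged user namespace restriction; the sample log text is constructed from the messages quoted above, plus one constructed unrelated file denial to show that it is ignored.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `dmesg` output mirroring the lines quoted in the report.
SAMPLE_DMESG = """\
[   85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns"
[   85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21  capname="sys_admin"
[   90.000000] audit: type=1400 audit(1713509127.000:230): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=4100 comm="firefox" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def userns_restriction_hits(dmesg_text: str) -> List[Dict[str, object]]:
    """Report processes that were denied a capability under the unprivileged_userns profile.

    The restriction shows up as two events: an AUDIT userns_create that transitions the
    task into the "unprivileged_userns" profile, then a DENIED "capable" (sys_admin here)
    while running under that profile. Each hit records whether the transition was seen.
    """
    transitioned = set()  # comm values that were moved into unprivileged_userns
    hits: List[Dict[str, object]] = []
    for line in dmesg_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev:
            continue
        if ev.get("operation") == "userns_create" and ev.get("target") == "unprivileged_userns":
            transitioned.add(ev.get("comm", ""))
        elif (ev.get("apparmor") == "DENIED" and ev.get("operation") == "capable"
              and ev.get("profile") == "unprivileged_userns"):
            hits.append({
                "comm": ev.get("comm", ""),
                "pid": ev.get("pid", ""),
                "capname": ev.get("capname", ""),
                "transition_seen": ev.get("comm", "") in transitioned,
            })
    return hits


if __name__ == "__main__":
    for hit in userns_restriction_hits(SAMPLE_DMESG):
        print(f"{hit['comm']} (pid {hit['pid']}) blocked on {hit['capname']}; "
              f"userns transition seen: {hit['transition_seen']}")
```

Feed it real output with `userns_restriction_hits(subprocess.check_output(["dmesg"], text=True))`; the `comm` value it reports is the binary that needs a named profile like the one above.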


** Changed in: apparmor (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2062441

Title:
  Apparmor breaks Joplin Desktop
