unfortunately Joplin is only shipped as an appimage for Linux. Which means we can not ship a profile for it by default that will allow it to use capabilities within the unprivileged user namespace that the electron embedded browser is attempting to use.
This means that the user is required to intervene to enable an electron based appimage so that it can be run. Unfortunately for 24.04 this means some manual command line based intervention, instead of using a GUI like on MacOS when a user needs to enable an application downloaded from the internet. This change is deliberate to increase the security of Ubuntu systems, and while we will work on improving the user experience the requirement to have the user approve applications that are using privileged kernel interfaces there is no plan to revert this change. You can read more about this in the release notes https://discourse.ubuntu.com/t/noble- numbat-release-notes/39890 If you look in the kernel logs, (or dmesg) you will find an message an apparmor message similar to below showing what is causing your issue. ``` $ sudo dmesg | grep "apparmor=\"AUDIT" [ 85.468352] audit: type=1400 audit(1713509122.843:224): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=3058 comm="@joplinapp-desk" requested="userns_create" target="unprivileged_userns" ``` and ``` $ sudo dmesg | grep DENIED [ 85.469966] audit: type=1400 audit(1713509122.847:225): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=3065 comm="@joplinapp-desk" capability=21 capname="sys_admin" ``` Unfortunately unprivileged user namespaces are using privileged kernel interfaces (above protected by capabiity sys_admin) that have now been restricted to known applications because they have been used in a lot of exploit chains. you can add a profile for the application by copying the profile from below into /etc/apparmor.d/ and then updating by replacing ```/home/jj/Downloads/Joplin-2.14.20.AppImage``` with the location you are running your joplin appimage from. ``` # This profile allows everything and only exists to give the # application a name instead of having the label "unconfined" abi <abi/4.0>, include <tunables/global> profile joplin /home/jj/Downloads/Joplin-2.14.20.AppImage flags=(unconfined) { userns, # Site-specific additions and overrides. See local/README for details. include if exists <local/firefox> } ``` Once that is done you can do ``` $ sudo apparmor_parser -r /etc/apparmor.d/joplin ``` that will allow you to run joplin without having to reboot. Having the jplin profile in /etc/apparmor.d/ will ensure it is reloaded if you reboot. ** Changed in: apparmor (Ubuntu) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062441 Title: Apparmor breaks Joplin Desktop To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2062441/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
