I seem to have the same apparmor problem with Chrome under Lubuntu 24.04. From "$ journalctl | grep apparmor | grep chrome" I got info="Userns create restricted - failed to find unprivileged_userns profile" (among other things). And it's been reproduced by another as the following relates.
Can anyone help? Much more detail below. And you can email me: d...@riseup.net. Prior Lubuntu versions, I wget'd the latest Chrome deb from Google and installed it via sudo dpkg -i. Usually it worked quite well. Now with Lubuntu 24.04, I downloaded the latest Chrome deb the same way on Apr. 28, 2024, but Chrome's not working. If I run /usr/bin/google-chrome or /usr/bin/google-chrome-stable: ``` $ google-chrome [55151:55151:0428/224255.271437:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13) Trace/breakpoint trap (core dumped) ``` or ``` $ google-chrome-stable [55166:55166:0428/224300.689874:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13) Trace/breakpoint trap (core dumped) ``` Meanwhile, $ sudo netstat -antvp shows active connections to multiple IPs associated with Google, presumably because I tried multiple times to get Chrome to launch. Then, ``` $ ls /etc/apparmor.d 1password firefox lxc-stop rootlesskit scide usr.bin.redshift Discord flatpak lxc-unshare rpm signal-desktop usr.bin.tcpdump MongoDB_Compass force-complain lxc-usernsexec rssguard slack usr.lib.libreoffice.program.oosplash QtWebEngineProcess geary mmdebstrap rsyslog.d slirp4netns usr.lib.libreoffice.program.senddoc abi github-desktop msedge runc steam usr.lib.libreoffice.program.soffice.bin abstractions goldendict nautilus sbuild stress-ng usr.lib.libreoffice.program.xpdfimport brave ipa_verify notepadqq sbuild-abort surfshark usr.lib.snapd.snap-confine.real buildah kchmviewer nvidia_modprobe sbuild-adduser systemd-coredump usr.sbin.cups-browsed busybox keybase obsidian sbuild-apt thunderbird usr.sbin.cupsd cam lc-compliance opam sbuild-checkpackages toybox usr.sbin.rsyslogd ch-checkns libcamerify opera sbuild-clean trinity uwsgi-core ch-run linux-sandbox pageedit sbuild-createchroot tunables vdens chrome local plasmashell sbuild-destroychroot tup virtiofsd code loupe podman sbuild-distupgrade tuxedo-control-center vivaldi-bin crun lsb_release polypane sbuild-hold ubuntu_pro_apt_news vpnns devhelp lxc-attach privacybrowser sbuild-shell unix-chkpwd wpcom element-desktop lxc-create qcam sbuild-unhold unprivileged_userns epiphany lxc-destroy qmapshack sbuild-update userbindmount evolution lxc-execute qutebrowser sbuild-upgrade usr.bin.man ``` and ``` $ cat /etc/apparmor.d/chrome # This profile allows everything and only exists to give the # application a name instead of having the label "unconfined" abi <abi/4.0>, include <tunables/global> profile chrome /opt/google/chrome/chrome flags=(unconfined) { userns, # Site-specific additions and overrides. See local/README for details. include if exists <local/chrome> } ``` This didn't work either: ``` $ /opt/google/chrome/chrome [0429/105700.793962:WARNING:chrome_main_linux.cc(80)] Read channel stable from /opt/google/chrome/CHROME_VERSION_EXTRA [66808:66808:0429/105700.802212:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13) Trace/breakpoint trap (core dumped) ``` Note that I also ran this: ``` $ journalctl | grep apparmor | grep chrome Apr 28 21:22:42 lubuntu kernel: audit: type=1400 audit(1714364562.824:140): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromedriver" pid=19182 comm="apparmor_parser" Apr 28 22:04:11 lubuntu kernel: audit: type=1400 audit(1714367051.521:200): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=46114 comm="chrome" requested="userns_create" denied="userns_create" target="unprivileged_userns" ``` Someone else reproduced this, following these steps: ``` 1. figured out what version of apparmor contained the fix 2. booted the live image 3. checked that the version of apparmor on the live image was greater than or equal to the version with the fix 4. installed chrome 5. ran chrome on the command line, specifically using the path specified in the apparmor profile 6. got the same error you did 7. checked the logs and i see the error that it can't find the profile ``` Can anyone help? Maybe there's a way for me to pull off the unconfined apparmor workaround? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs