I seem to have the same apparmor problem with Chrome under Lubuntu
24.04. From "$ journalctl | grep apparmor | grep chrome" I got
info="Userns create restricted - failed to find unprivileged_userns
profile" (among other things). And it's been reproduced by another as
the following relates.

Can anyone help? Much more detail below. And you can email me:
d...@riseup.net.

With prior Lubuntu versions, I wget'd the latest Chrome deb from Google and
installed it via sudo dpkg -i. Usually it worked quite well. Now with
Lubuntu 24.04, I downloaded the latest Chrome deb the same way on Apr.
28, 2024, but Chrome's not working.

If I run /usr/bin/google-chrome or /usr/bin/google-chrome-stable:

```
$ google-chrome
[55151:55151:0428/224255.271437:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)
```

or

```
$ google-chrome-stable
[55166:55166:0428/224300.689874:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)
```

Meanwhile, $ sudo netstat -antvp shows active connections to multiple
IPs associated with Google, presumably because I tried multiple times to
get Chrome to launch.

Then,

```
$ ls /etc/apparmor.d
1password           firefox         lxc-stop         rootlesskit           scide                  usr.bin.redshift
Discord             flatpak         lxc-unshare      rpm                   signal-desktop         usr.bin.tcpdump
MongoDB_Compass     force-complain  lxc-usernsexec   rssguard              slack                  usr.lib.libreoffice.program.oosplash
QtWebEngineProcess  geary           mmdebstrap       rsyslog.d             slirp4netns            usr.lib.libreoffice.program.senddoc
abi                 github-desktop  msedge           runc                  steam                  usr.lib.libreoffice.program.soffice.bin
abstractions        goldendict      nautilus         sbuild                stress-ng              usr.lib.libreoffice.program.xpdfimport
brave               ipa_verify      notepadqq        sbuild-abort          surfshark              usr.lib.snapd.snap-confine.real
buildah             kchmviewer      nvidia_modprobe  sbuild-adduser        systemd-coredump       usr.sbin.cups-browsed
busybox             keybase         obsidian         sbuild-apt            thunderbird            usr.sbin.cupsd
cam                 lc-compliance   opam             sbuild-checkpackages  toybox                 usr.sbin.rsyslogd
ch-checkns          libcamerify     opera            sbuild-clean          trinity                uwsgi-core
ch-run              linux-sandbox   pageedit         sbuild-createchroot   tunables               vdens
chrome              local           plasmashell      sbuild-destroychroot  tup                    virtiofsd
code                loupe           podman           sbuild-distupgrade    tuxedo-control-center  vivaldi-bin
crun                lsb_release     polypane         sbuild-hold           ubuntu_pro_apt_news    vpnns
devhelp             lxc-attach      privacybrowser   sbuild-shell          unix-chkpwd            wpcom
element-desktop     lxc-create      qcam             sbuild-unhold         unprivileged_userns
epiphany            lxc-destroy     qmapshack        sbuild-update         userbindmount
evolution           lxc-execute     qutebrowser      sbuild-upgrade        usr.bin.man
```

and

```
$ cat /etc/apparmor.d/chrome
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile chrome /opt/google/chrome/chrome flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
}
```

This didn't work either:

```
$ /opt/google/chrome/chrome
[0429/105700.793962:WARNING:chrome_main_linux.cc(80)] Read channel stable from /opt/google/chrome/CHROME_VERSION_EXTRA
[66808:66808:0429/105700.802212:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)
```

Note that I also ran this:

```
$ journalctl | grep apparmor | grep chrome
Apr 28 21:22:42 lubuntu kernel: audit: type=1400 audit(1714364562.824:140): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromedriver" pid=19182 comm="apparmor_parser"
Apr 28 22:04:11 lubuntu kernel: audit: type=1400 audit(1714367051.521:200): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=46114 comm="chrome" requested="userns_create" denied="userns_create" target="unprivileged_userns"
```

Someone else reproduced this, following these steps:

1. figured out what version of apparmor contained the fix
2. booted the live image
3. checked that the version of apparmor on the live image was greater than or equal to the version with the fix
4. installed chrome
5. ran chrome on the command line, specifically using the path specified in the apparmor profile
6. got the same error you did
7. checked the logs and I see the error that it can't find the profile

Can anyone help? Maybe there's a way for me to pull off the unconfined
apparmor workaround?

https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP
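
Added example, not part of the original message or of AppArmor: it parses kernel AppArmor audit lines into fields and summarises `userns_create` denials, including the label the denied process ran under. The function names are hypothetical, and the sample input is the two audit records quoted in the post, rejoined onto single lines.

```python
import re
import shlex

# The two audit records quoted in the post, rejoined onto single lines.
SAMPLE = [
    'Apr 28 21:22:42 lubuntu kernel: audit: type=1400 audit(1714364562.824:140): '
    'apparmor="STATUS" operation="profile_replace" profile="unconfined" '
    'name="snap.chromium.chromedriver" pid=19182 comm="apparmor_parser"',
    'Apr 28 22:04:11 lubuntu kernel: audit: type=1400 audit(1714367051.521:200): '
    'apparmor="DENIED" operation="userns_create" class="namespace" '
    'info="Userns create restricted - failed to find unprivileged_userns profile" '
    'error=-13 profile="unconfined" pid=46114 comm="chrome" '
    'requested="userns_create" denied="userns_create" target="unprivileged_userns"',
]

AUDIT_RE = re.compile(
    r"audit: type=1400 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")

def parse_apparmor(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    try:
        tokens = shlex.split(m.group("body"))  # keeps info="a b c" as one token
    except ValueError:                          # unbalanced quote: truncated record
        return None
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["serial"] = int(m.group("serial"))
    return fields

def userns_denials(lines):
    """Summarise userns_create denials: who was denied and under which label."""
    out = []
    for f in filter(None, map(parse_apparmor, lines)):
        if f.get("apparmor") != "DENIED" or f.get("operation") != "userns_create":
            continue
        out.append({
            "comm": f.get("comm"),
            "pid": int(f["pid"]) if f.get("pid", "").isdigit() else None,
            # Label the process ran under; "unconfined" means no named profile applied.
            "label": f.get("profile"),
            "target": f.get("target"),
            "target_profile_missing": "failed to find" in f.get("info", ""),
        })
    return out

if __name__ == "__main__":
    for d in userns_denials(SAMPLE):
        print(d)
```

For the record in the post, the reported label is `unconfined` rather than `chrome`, so the denied process was not running under the named profile from `/etc/apparmor.d/chrome`.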
