Public bug reported:

The recent apparmor update appears to have broken some flatpaks' ability to save 
files, e.g.:
- org.keepassxc.KeePassXC
- org.ksnip.ksnip

It seems the update introduced a new profile ("/etc/apparmor.d/bwrap-userns-restrict"), 
which is causing the issue below.

**** To reproduce ****

(I'm using KeePassXC as an example, but the same issue occurs for ksnip):

1. Install and run KeepassXC

```bash
flatpak install org.keepassxc.KeePassXC
flatpak run org.keepassxc.KeePassXC
```

2. Got error: "Access error for config file
/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"

Looking at `journalctl -f`, I see these apparmor DENIED entries:

```txt
Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started app-flatpak-org.keepassxc.KeePassXC-4010.scope.
Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217"
```

**** Workaround ****

For now, the workaround is to disable the "/etc/apparmor.d/bwrap-userns-restrict" 
profile.

```bash
sudo aa-disable /usr/bin/bwrap
```

**** Version info ****

```txt
$ lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04 LTS
Release:        24.04

$ apt-cache policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 500 (phased 70%)
        500 http://au.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://au.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072811

Title:
  Apparmor: New update broke flatpak with `apparmor="DENIED"`

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
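
For triaging journal output like that quoted in the report, an added example (not part of the original report, and not AppArmor's own tooling) that parses `apparmor="DENIED"` audit records and groups them by profile, operation and denied mask. The sample records are constructed by unwrapping four of the report's entries; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: audit records 310-313 from the report, one per line.
BASE = "/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc"
HEAD = "Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:"
TAIL = 'pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000'
SAMPLE = "\n".join([
    "Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed",
    f'{HEAD}310): apparmor="DENIED" operation="link" class="file" '
    f'info="Failed name lookup - deleted entry" error=-2 profile="bwrap" '
    f'name="{BASE}/#317211" {TAIL}',
    f'{HEAD}311): apparmor="DENIED" operation="link" class="file" profile="bwrap" '
    f'name="{BASE}/keepassxc.ini" {TAIL} target="{BASE}/#317211"',
    f'{HEAD}312): apparmor="DENIED" operation="link" class="file" '
    f'info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" '
    f'name="{BASE}/#317211" {TAIL}',
    f'{HEAD}313): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" '
    f'name="{BASE}/keepassxc.ini" {TAIL} target="{BASE}/#317211"',
])

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
# Hex-encoded names, which the audit subsystem emits unquoted, are left as-is.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denials(text):
    """Return one dict per AppArmor DENIED record found in journal/audit text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skip unrelated journal lines
        records.append({k: (inner if raw.startswith('"') else raw)
                        for k, raw, inner in FIELD.findall(line)})
    return records

def summarize(records):
    """Group denials by (profile, operation, denied_mask)."""
    groups = defaultdict(lambda: {"count": 0, "names": set()})
    for r in records:
        key = (r.get("profile"), r.get("operation"), r.get("denied_mask"))
        groups[key]["count"] += 1
        groups[key]["names"].add(r.get("name"))
    return dict(groups)

if __name__ == "__main__":
    for (profile, op, mask), g in sorted(summarize(parse_denials(SAMPLE)).items()):
        print(f"{profile}: {op} denied_mask={mask} x{g['count']}")
        for name in sorted(g["names"]):
            print(f"    {name}")
```
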
