We have found that allowing the user namespace creation, and then
denying capabilities is in general handled much better by KDE. In the
case of the plasmashell and the browser widget, denying the creation of
the user namespace would cause a crash with a SIGTRAP backtrace, where
allowing the creation of the userns and then denying capabilities within
the user namespace would result in the browser widget falling back to a
sandbox that didn't use user namespaces, not ideal but better than a
crash. To make sure the widget was using the full sandbox we gave it a
profile (see QtWebEngineProcess in /etc/apparmor.d/plasmashell).

The apparmor package is adding a base set of profiles, including one for
the plasmashell and the unprivileged_userns profile.

We are willing to carry profiles in the apparmor package but are also
happy for other packages to carry them. Generally speaking, having the
profile carried in the package means it's easier for the package
maintainer to update the profile, if that is something the package
maintainer is willing to do.

We are more than willing to take in profiles and patches to profiles, or
allow a maintainer to claim some profiles and move them out of the
apparmor package. Whatever is best for the maintainer.

AppArmor does have a second set of profiles that are not installed by
default in the apparmor-profiles package. These profiles once installed
are not enabled by default but must be selectively enabled by the user.
If you are looking for a broader set of profiles as a base to start from
there is also the apparmor.d project
https://github.com/roddhjav/apparmor.d. They aren't tuned for Ubuntu but
they can be a good starting point if a profile is needed.


Note: the current apparmor package doesn't allow you to specify the userns 
transition in policy. A new version of the apparmor package is coming that will 
allow it.
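
A small probe for telling apart the two outcomes described in the comment above on a given system. It is added here as an illustration and is not taken from the bug report or the apparmor package; the state names and the use of a hostname change in a fresh UTS namespace as the capability check are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWUTS */
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum userns_state { USERNS_DENIED, USERNS_NO_CAPS, USERNS_FULL, USERNS_PROBE_ERROR };

/* Map the two errno values collected by the child (0 = success) to a state. */
enum userns_state classify(int userns_errno, int cap_errno)
{
    if (userns_errno != 0) return USERNS_DENIED;  /* creation refused outright */
    if (cap_errno != 0)    return USERNS_NO_CAPS; /* created, but capabilities denied */
    return USERNS_FULL;
}

/* Run the probe in a child so the calling process never changes namespaces. */
enum userns_state probe_userns(void)
{
    int fds[2], res[2] = {0, 0};
    if (pipe(fds) != 0) return USERNS_PROBE_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return USERNS_PROBE_ERROR; }
    if (pid == 0) {
        close(fds[0]);
        if (syscall(SYS_unshare, CLONE_NEWUSER) != 0)
            res[0] = errno;
        /* Both steps need CAP_SYS_ADMIN inside the new user namespace. */
        else if (syscall(SYS_unshare, CLONE_NEWUTS) != 0 || sethostname("probe", 5) != 0)
            res[1] = errno;
        _exit(write(fds[1], res, sizeof res) == (ssize_t)sizeof res ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], res, sizeof res);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof res ? classify(res[0], res[1]) : USERNS_PROBE_ERROR;
}

int main(void)
{
    static const char *names[] = { "userns creation denied", "userns created, capabilities denied",
                                   "userns created with capabilities", "probe error" };
    puts(names[probe_userns()]);
    return 0;
}
```

The probe reports the outcome, not its cause: a sysctl or seccomp filter can also refuse namespace creation, so confirm an AppArmor denial in the audit log.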

https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Confirmed
Status in angelfish package in Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Confirmed
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Confirmed
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Confirmed
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Confirmed
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kiwix package in Ubuntu:
  Confirmed
Status in konqueror package in Ubuntu:
  Confirmed
Status in kontact package in Ubuntu:
  Confirmed
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Confirmed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!
