This bug was fixed in the package apparmor -
4.0.1really4.0.1-0ubuntu0.24.04.3
---
apparmor (4.0.1really4.0.1-0ubuntu0.24.04.3) noble; urgency=medium
* Revert to version 4.0.1-0ubuntu0.24.04.2 except for the patch
that enables the bwrap-userns-restrict profile (LP: #2072811).
Bug breaks Panwriter on 24.04 and 24.04.1.
Panwriter is _only_ distributed as an AppImage so there's no alternative
format.
Running the AppImage with `--no-sandbox` does not help.
What got it working for me is this:
`sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0`
Verification completed in bug 2064672
** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/b
Hello klo, or anyone else affected,
Accepted apparmor into noble-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apparmor/4.0.1really4.0.1-0ubuntu0.24.04.3
in a few hours, and then in the -proposed repository.
Please help us by testing this new packag
electron apps could be started with --no-sandbox with executableArgs =
["no-sandbox"] in build mode for AppImage or Snap
https://www.electron.build/configuration/snap.html .
There is also a bug opened on electron
https://github.com/electron/electron/issues/41066 with merged patch for
detecting such is
This bug was fixed in the package apparmor - 4.0.1really4.0.1-0ubuntu2
---
apparmor (4.0.1really4.0.1-0ubuntu2) oracular; urgency=medium
* Drop patch that enables bwrap profile
- d/p/u/enable-bwrap-profile.patch (LP: #2072811)
* d/apparmor.install
- remove bwrap-userns-restr
The attachment "apparmor_4.0.1-0ubuntu2.debdiff" seems to be a debdiff.
The ubuntu-sponsors team has been subscribed to the bug report so that
they can review and hopefully sponsor the debdiff. If the attachment
isn't a patch, please remove the "patch" flag from the attachment,
remove the "patch"
Sure that's fine thanks. I just wanted to make sure that this doesn't
get missed but unfortunately we don't have a mechanism for ensuring it.
Given that Noble has to have the "really" anyway, I would get the
ordering into Oracular resolved as soon as possible to avoid any
accidents - I don't see an
@Robie: define final. Right now this is for testing. Once testing is
done and if everything looks good then we will revise the version. The
plan was to go with an epoch version similar to
4.0.1really4.0.0-beta3-0ubuntu0.1 (suggestions welcome), and didn't want
to use/burn those until we are sure thi
@Georgia is this the final fix for Oracular, or are you planning on a further
upload? Because 4.0.1-ubuntu2 is lower than the emergency fix for Noble
(4.0.1really4.0.0-beta3-0ubuntu0.1), and before Oracular is released we
need the package version to be higher than the one in Noble so as not to
break upgrade
Here's my proposed fix for oracular. It disables the bwrap profile so we can do
further tests. As was done on noble, it does require a reboot.
It's also available on this ppa:
https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu2
** Patch added: "apparmor_4.0.1-0ubuntu2.debdiff"
ht
This bug was fixed in the package apparmor -
4.0.1really4.0.0-beta3-0ubuntu0.1
---
apparmor (4.0.1really4.0.0-beta3-0ubuntu0.1) noble; urgency=medium
* Due to regression, revert changes in previous update back to a
source tree equivalent to 4.0.0-beta3-0ubuntu3 (LP: #2072811).
Thank you! I'll release the revert now then.
FTR:
The pending-sru report still shows autopkgtests as outstanding, but most
passed on retry - the report is just out of date. Normally I'd wait, but
on this occasion I think releasing the revert is on the more important
side of the trade-off of me ha
steam (non-snap) works, interface is brought up and can launch a game
known to trigger pressure vessel and bwrap.
steam snap is broken. The interface is brought up, but the games I have
tried can not launch. The failure however does not appear to be related
to the revert. It is not bwrap related bu
I have run through QRT tests as well, same results as @georgia in #28.
In addition I have tested a couple flatpaks, steam (snap, and non-snap)
has NOT been tested yet, but I will have that one soon.
@Robie Basak:
I ran QRT and the tests passed:
georgia@ubuntu:~/qrt-test-apparmor$ sudo ./install-packages test-apparmor.py
georgia@ubuntu:~/qrt-test-apparmor$ sudo ./test-apparmor.py
...
--
Ran 62 tests in 1974.585s
OK (skippe
I've arrived here from
https://github.com/telegramdesktop/tdesktop/issues/28156 after
experiencing the issue with telegram.
I installed the fix from proposed.
The problem is solved: now telegram works.
** Bug watch added: Telegram Desktop Github Issues tracker #28156
https://github.com/telegr
@Robie Basak (racb), thanks for the fix - seems to work for me:
1. Re-enabled the original profile
2. Enabled proposed repo
3. Installed updated apparmor version (4.0.1really4.0.0-beta3-0ubuntu0.1)
4. Reboot
5. Test KeePassXC, Ksnip - can save again
p.s. I no longer see 'bwrap' under /etc/apparm
For information, this also breaks nextcloud client:
com.nextcloud.desktopclient.nextcloud
> N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
We will waive the usual testing period, but still will need to do some
testing. Reports from anyone affected appreciated!
Hello klo, or anyone else affected,
Accepted apparmor into noble-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apparmor/4.0.1really4.0.0-beta3-0ubuntu0.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new packag
Thank you for testing!
> but only after a reboot
Understood, but fixing that involves removing a profile and unconfining
its corresponding binary, which could be dangerous. We'd have to ensure
that the user didn't have it installed for some other reason, etc. On
balance, and to get the revert out
@racb Your updated ppa package makes flatpak apps work again, but only
after a reboot.
Suggest either replacing bwrap-userns-restrict with an empty file (dpkg
scripts will then reload it) or running `apparmor_parser -R
/etc/apparmor.d/bwrap-userns-restrict` in .prerm
Due to the "really" version bump, Oracular will also require a bump
before it is released, unless a 4.0.2 or similar upload happens in
Oracular first. Setting tasks accordingly.
** Also affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu
It did eventually get published and a quick test suggests that it works.
@bounty-zonal0a you would need to upgrade back to
4.0.1-0ubuntu0.24.04.2, *restore* /etc/apparmor.d/bwrap-userns-restrict
and then upgrade again if you want to test. The proposed revert package
should drop the file again (prop
I've prepared a reverting package update for testing but I've not tested
it myself yet because I'm waiting on the PPA publisher. It may contain
mistakes. When publishing is done it'll be available at
ppa:racb/experimental3. However it's late here and I don't know when (or
if) the publisher will publis
For a future code review, here are the binary debdiffs of the regressing
SRU for amd64. I used this to gain some confidence that the conffile
changes in the apparmor binary package are the only changes that need
special handling.
** Attachment added: "debdiffs"
https://bugs.launchpad.net/ubunt
Thanks. I think I understand the cause and am preparing what I think
should resolve it.
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Robie Basak (racb)
** Changed in: apparmor (Ubuntu)
Status: Confirmed => In Progress
** Changed in: apparmor (Ubuntu)
Importance: Unde
downgrading and removing /etc/apparmor.d/bwrap-userns-restrict fixes the
issue, but then again so does just disabling bwrap-userns-restrict.
upgrading back to 4.0.1-0ubuntu0.24.04.2 does not create
bwrap-userns-restrict again even though dpkg-query -L apparmor lists the file. I'm
not familiar enou
I also have a computer not yet updated (still on 4.0.0-beta3-0ubuntu3)
and /etc/apparmor.d/bwrap-userns-restrict does not exist on that
computer.
Not sure the downgrade touches this file.
After sudo apt install apparmor=4.0.0-beta3-0ubuntu3
libapparmor1=4.0.0-beta3-0ubuntu3 and reboot:
(flatpak not working)
$ apt policy apparmor
apparmor:
Installed: 4.0.0-beta3-0ubuntu3
Candidate: 4.0.1-0ubuntu0.24.04.2
Version table:
4.0.1-0u
'apt show -a' shows you all available versions apt knows about, it does
not tell you what's installed. You want 'dpkg -l apparmor' (or 'apt
policy apparmor').
sudo apt install apparmor=4.0.0-beta3-0ubuntu3
libapparmor1=4.0.0-beta3-0ubuntu3 does not fix the issue for me. It
leaves me with 2 versions, and can't seem to remove the
4.0.0-beta3-0ubuntu3 version anymore.
```
$ apt show apparmor -a
Package: apparmor
Version: 4.0.1-0ubuntu0.24.04.2
Priority: st
Please could someone affected confirm that, without any workaround,
reverting to the previously published package resolves the issue, and
that upgrading back causes it to arise again? Then we can gain some
confidence that reverting the update is an appropriate course of action.
It looks like the p
Here is a straced syscall sequence broken by the bwrap profile:
176 openat(AT_FDCWD,
"…/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_64/steam-runtime-sniper/var/tmp-O9I2Q2",
O_RDONLY|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY) = 8
…
176 openat(8, "usr/etc", O_WRONLY
Regression introduced by this SRU:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672
This issue also affects the Telegram flatpak.
(ext4 default, not btrfs)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072811
Title:
Apparmor: New update broke flatpak with `apparmor="DENIED"`
To m
This issue also affects the steam flatpak.
(ext4 on lvm, not btrfs)
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
Thanks for the initial analysis John, please let me know if you need
more info.
As a side note, I use BTRFS - given it's CoW, not sure if it's related
to the behaviour observed.
There are 3 profiles involved here (probably should be 4), with a call
dependency chain of
flatpak -> bwrap -> bwrap_unpriv
the flatpak profile does not show up in the logs but does end up
launching bwrap. The comm is being set by flatpak, and can not be
considered reliable for which executable is
** Package changed: evolution (Ubuntu) => apparmor (Ubuntu)
** Description changed:
The recent apparmor update appears to have broken some flatpaks' ability to
save files, e.g.:
- org.keepassxc.KeePassXC
- org.ksnip.ksnip
It seems the update introduced a new profile ("/etc/apparmor.d/bwrap-