Agreed we can't ask for a user to create a profile for every
application, apparmor profiles can be shared, and having a generic
profile that can be opted into makes sense. We are working towards it,
this is just the first iteration. One of the things we are working on is
abstracting what the curren
There is another improvement coming before prompt that may (it will
depend on the sandbox) also take care of many of the browser sandbox
issues, as well as a few other uses of unprivileged user namespaces. On
user namespace creation we will be able to transition the profile to a
new profile with a
kdeplasma should be a fairly easy fix without prompting. I'll work on a
profile for it and its add-ons
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user names
Sorry for the delay on this, we had some bugs to chase down. The
following PPA has an update to how user namespace mediation is being
handled. For the unconfined case there are two options
1. If the unprivileged_userns profile does not exist, unprivileged user
namespace creation is denied as befor
We have found that allowing the user namespace creation, and then
denying capabilities is in general handled much better by KDE. The the
case of the plasmashell and the browswer widget denying the creation of
the user namespace would cause a crash with a SIGTRAP backtrace, where
allowing the creati
So the answer is it depends on how they are using unprivileged user
namespaces and how they react to them being denied, not every
application needs to patched separately.
Generally speaking gnome has been better tested than KDE had because
gnome being the Ubuntu default saw a lot more opt in testi
One more addition, the current state of how unconfined deals with
unprivileged user namespaces is a temporary limitation. The afore
mentioned improvement will allow for more customization at the policy
level. The current fixed behavior will be the default.
--
You received this bug notification be
Erich,
yes the archive version is based on the ppa, with a couple small fixes
in the packaging. The ppa is going to get updated based the new archive
version + a few more patches.
Do you have some higher priority electron apps that you can point us at.
We will look into the Visual Studo and Eleme
So appimages are interesting. They don't all need a profile. I have run
several that are not using user namespaces, or only need to be able to
create the user namespace and don't need capabilities so the default
unpriviled_userns profile works for them.
It is applications that need privileges with
** Changed in: steam (Ubuntu)
Status: Confirmed => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions caus
This is part of the alpha4 release in noble
** Changed in: kdeplasma-addons (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Titl
This is part of the apparmor alpha4 release in noble
** Changed in: plasma-desktop (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/20468
@scarlet I think it is fair to mark these as Fixed released as they are
part of apparmor-alpha4 that is in noble.
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor
** Changed in: steam (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions c
@valeryan-24 ModuleNotFoundError: No module named 'imp'" says that your
Gpodder issue is not related to this bug. You are missing a dependency
the 'imp' module. If Gpodder is packaged it will need to add that as
part of its install dependencies.
--
You received this bug notification because you a
@guyster, @eldmannen+launchpad, @valeryan-24
Firefox dailies now have a work around, by detecting and disabling the
user namespace. The proper fix that should allow firefox to still use
the user namespace for its sandbox will land in Beta3, landing early
next week.
--
You received this bug notif
@eeickmeyer geary should be fixed in Beta3
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to cras
@sudipmuk loupe should be fixed in Beta3
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash
I have tried freecad and unprivileged user namespace restrictions are
not the problem. freecad snap works, freecad ppa does not have a noble
build yet but the mantic build can be made to work.
freecad daily appimage: works
freecad appimage: stable fails with mesa or qt errors depending on how/wher
supercollider will work on current noble. Since it is using QTWebEngine
it has a graceful fallback when capabilities within the user namespace
are denied.
supercollider will have a profile and be fixed in Beta3, so it doesn't
even have to do the fallback.
--
You received this bug notification be
** Changed in: loupe (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: geary (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
** Changed in: firefox (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
--
You received this bug notific
I have tested gnome-packagekit and it never trigger unprivileged user
namespace mediation. Can you please provide more information on how you
triggered it.
** Changed in: gnome-packagekit (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a memb
we will be fixed in Beta3
** Changed in: gnome-packagekit (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Ti
Will be fixed in Beta3
** Changed in: goldendict-webengine (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046
sorry this won't be fixed in Beta3 that note was for goldendict
** Changed in: gnome-packagekit (Ubuntu)
Assignee: John Johansen (jjohansen) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug repor
this will be fixed in Beta
** Changed in: kchmviewer (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: rssguard (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: supercollider (Ubuntu)
Assignee: (unassigned) => John
hi @vvaleryan-24,
I have been able to replicate the crash you are seeing but it is not do
to the user namespace restriction. The restrictions logging does not
happen, and I can put it in an unconfined profile and it still doesn't
help. From dmesg I find the following segfault
[79854.520976] gpk-a
@kc2bez:
there are no updated deb packages in the ppa for kiwix.
the kiwix appimage worked for me.
kiwix flatpak worked for me.
I am not sure what you were seeing. But I we are going to need more
information.
** Changed in: kiwix (Ubuntu)
Status: Confirmed => Incomplete
--
You received
@kc2bez: notepadqq should be fixed in beta3
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to cra
@kc2bez: pageedit should be fixed in beta3
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to cras
@kc2bez: I have been able to verify that privacybrowser is not working.
However it is not due to the apparmor user namespace restrictions.
I get the following segfault out of dmesg
[ 1591.466016] privacybrowser[7743]: segfault at 8 ip 70bb4dd11ccc sp
7ffd5c6587e0 error 4 in libQt5Core.so.
@kc2bez: qmapshack should be fixed in beta3
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to cra
@arraybolt3: qutebrowser should be fixed in beta3
** Changed in: qutebrowser (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: qmapshack (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: notepadqq (Ubuntu)
Assignee: (unas
@ajg-charlbury: yes, firefox we are well aware of the problem, the
firefox profile has been tweaked for beta3 (landing this week) so that
it should work with the new deb.
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
h
@ajg-charlbury: no apparmor beta3 has not landed in proposed yet, we are
working on the upload now. firefox separately have added a bug fix that
will detect when the user namespace/capabilities are denied and fallback
without crashing but it disables the full sandbox.
the apparmor-beta3 fix should
@coeur-noir:
Are you installing firefox to /opt/ as recommended or using it local in
your user account?
as for bwarp, maybe it is known to be problematic. It is allowed to run and to
create a user namespace but it is denied all capabilities within the namespace.
Can you run
sudo dmesg | grep
We have an update of the firefox profile coming that supports the
/opt/firefox/firefox location used as the default install for the
firefox downloaded directly from mozilla.org
If you are running firefox out of your home directory, that will not be
directly supported and you will need to chose to
@arraybolt3 is correct. Both unshare and bwrap will not get a unconfined
profile, as that allows for an arbitrary by-pass of the restriction.
There is a potential solution in the works that will allow for bwrap and
unshare to function as long as the child task does not require
permissions but at th
@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.
The potential solution I mention is co
The Wike fix is coming in the next SRU.
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash w
Balena Etcher 1.18 dpkg won't install on 24.04 due to dependency issues,
1.19.16 installs fine and runs, but in a degraded sandbox mode. So
adding a profile for it would be beneficial
The appimage version of Belena Etcher unfortunately fails to run. We can not
provide a default profile for the ap
@u-dal:
This sounds like the apparmor policy is not being loaded can you please
provide the output of
```
sudo aa-status
```
and
```
sudo systemctl status apparmor
```
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
@u-dal:
are you running in a live cd environment? Something odd is happening on your
system, with some profiles loaded and systemctl reporting
ConditionPathExists=!/rofs/etc/apparmor.d
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to t
@u-dal:
the problem with firefox (it has a snap profile and is allowed access to
user namespaces) is different than with chrome (no profile loaded), but
still might be apparmor related. Can you look in dmesg for apparmor
denials
```
sudo dmesg | grep DENIED
```
--
You received this bug notifi
For the thunderbird issue I have created
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064363
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user nam
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
it can be install via
sudo apt install apparmor-notif
@xmedeko The handling of spaces has nothing to do with the user
namespace restriction that this bug, and the upstream git hub issue are
tracking.
can you attach any additional information. kernel logs etc.
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, whic
On 12/14/24 01:29, hifron wrote:
> Electron apps could be made without sandbox usage - this could be setup
> as compile options or electron settings, but it is not so good idea...
> maybe temporarily as in between maybe, maybe not...
>
> but todays there is reality that prompting-client could be i
On 11/16/24 06:42, Sam wrote:
> I was wondering about the threats being mitigated by disabling
> unprivileged userns like this. After some searching, I was able to find
> this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-
> namespace-restrictions-via-apparmor-in-ubuntu-23-10/376
49 matches
Mail list logo
