Apparmor Breaks Flatpak and Firejail

Xubuntu Daily Build 2-25. This is just a heads up is all.
Sent two Bug reports this morning for apparmor.

I have also tried throwing a few profiles in complain mode but to no avail.
Everything is normal if i disable apparmor:

me@Plucky-ZFS:~$ systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; preset>
     Active: inactive (dead)
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/

Add yourself to it if it affects you.


Well, your syslog on the second bug (would have been helpful to add this to the first one too) does not show any apparmor related denials related to flatpak or firejail … not sure this is actually apparmor’s fault (but people debugging it will likely track it down to the actual cause)

EDIT: my guess would go more towards a kernel bug here …


Spanking new install today, and the same was seen on another Daily 2-22

sudo ls -alct /|tail -1|awk '{print $6, $7, $8}'
Feb 25 09:16

Great Minds, but I never found anything related to kernel outside of apparmor.
Again, if apparmor is disabled all is good for both flatpaks and firejail.
Seems easy enough to me for proof. :slight_smile:

Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.

apparmor is disabled currently.

All has been fixed in today’s 2-27 Xubuntu daily
Flatpak (Good)
Firejail (Good)

1fallen (Happy) :smiley:


Wait it’s not fixed, I did not upgrade after the install, and now back to apparmor or permissions.

Flatpak will work using “sudo flatpak install”, not ideal…

Correct me if I’m wrong but, Flatpaks are being installed system-wide, and for many commands there is no need to use sudo (e.g. flatpak install, flatpak remove), but this is only “IF” the user is in the wheel group, i.e. has admin privileges.

Would the user not be in the wheel group, a wheel user’s authentication is required.

Note that there are certain flatpak commands (e.g. flatpak override), probably considered to be able to affect the system in undesired ways, that require running with sudo.

Firejail any browser and Internet is broken.

Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 13957, child pid 13980
Warning: cannot find /var/run/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 270.49 ms
Gtk-Message: 09:06:52.058: Failed to load module "colorreload-gtk-module"
ATTENTION: default value of option mesa_glthread overridden by environment.

sudo aa-status | grep firejail-default
   firejail-default

Anything else is fine eg:

sudo aa-status | grep surfshark
   surfshark
   /app/opt/Surfshark/surfshark (3300) bwrap//&unpriv_bwrap
   /app/opt/Surfshark/surfshark (3318) bwrap//&unpriv_bwrap
   /app/opt/Surfshark/surfshark (3335) bwrap//&unpriv_bwrap
   /app/opt/Surfshark/surfshark (3413) bwrap//&unpriv_bwrap
   /app/opt/Surfshark/surfshark (3464) bwrap//&unpriv_bwrap
   /app/opt/Surfshark/surfshark (3475) bwrap//&unpriv_bwrap

I just received this:

Georgia Garcia 22 hours ago

Changed in apparmor (Ubuntu):
assignee: nobody → Georgia Garcia (georgiag)
status: New → In Progress

To make firejail work I needed to remove the firejail-default profile.

sudo ln -s /etc/apparmor.d/firejail-default /etc/apparmor.d/disable/
[sudo] password for me: 

Don’t forget to reload apparmor after that change.

Both Bugs were confirmed, and Georgia was kind enough to give me a heads up.

I could reproduce this issue on linux 6.12 but plucky is soon moving to 6.14 in which this is no longer reproducible.

Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed

So @ogra is partly correct on the kernel front. :wink:
I’m unable to verify this just yet, I have ZFS to worry about as well.


On Plucky, Apparmor also breaks os-prober, so update-grub crashes in multi-boot systems
https://bugs.launchpad.net/ubuntu/+source/os-prober/+bug/2099811
The above bug is Private… sorry, so I summarize the situation:
os-prober crashes with segmentation fault due to Apparmor.

Dang, I don’t see that one @corradoventu, at least not yet.

sudo update-grub
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/apparmor.cfg'
Generating grub configuration file ...
Found linux image: vmlinuz-6.12.0-16-generic in rpool/ROOT/ubuntu_p0h3hf
Found initrd image: initrd.img-6.12.0-16-generic in rpool/ROOT/ubuntu_p0h3hf
Found linux image: vmlinuz-6.12.0-15-generic in rpool/ROOT/ubuntu_p0h3hf
Found initrd image: initrd.img-6.12.0-15-generic in rpool/ROOT/ubuntu_p0h3hf
Found linux image: vmlinuz-6.11.0-8-generic in rpool/ROOT/ubuntu_p0h3hf
Found initrd image: initrd.img-6.11.0-8-generic in rpool/ROOT/ubuntu_p0h3hf
Found linux image: vmlinuz-linux-cachyos in zpcachyos/ROOT/cos/root
Warning: Couldn't find any valid initrd for dataset zpcachyos/ROOT/cos/root.
Warning: didn't find any valid initrd or kernel.
Found linux image: vmlinuz-linux-cachyos in zpcachyos/ROOT/cos/root@2-11
Warning: Couldn't find any valid initrd for dataset zpcachyos/ROOT/cos/root@2-11.
Warning: didn't find any valid initrd or kernel.
Found memtest86+ 64bit EFI image: /boot/memtest86+x64.efi
Found memtest86+ 32bit EFI image: /boot/memtest86+ia32.efi
Found memtest86+ 64bit image: /boot/memtest86+x64.bin
Found memtest86+ 32bit image: /boot/memtest86+ia32.bin
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
done

I’ll try to enable it @grub first though.

Yep Thar She Blows:

Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
find: Failed to restore initial working directory: /home/me: Permission denied
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Adding boot menu entry for UEFI Firmware Settings ...
done

Let me know when you make it public @corradoventu and I’ll join it. :slight_smile:

I made it public but the developer blocked it:

I’m moving this to private security as os-prober very much has large security impact and risk, as it uses the very unsafe grub FS drivers.

information type: Public → Private Security

Note : problem remains also with 6.14-rc4 kernel from mainline


bug/2099811 is now PUBLIC

I just followed Alex’s lead (Post 13) from the report and I’m happy enough with that.

└─> sudo os-prober
┌───────────────────>

I did add myself to it though out of habit.

To be clear though, I don’t depend on Grub for OS selection, I use rEFInd for my boot manager.


…I just followed Alex’s lead (Post 11) … or post 13?

With the fix in apparmor (post 13) Segmentation fault messages disappeared but after update-grub the grub menu shows only the 1st entry, all other os are missing.

yep post #13 Thanks for the correction. :slight_smile:

Summary

sudo update-grub
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/apparmor.cfg'
Generating grub configuration file ...
Found linux image: vmlinuz-6.12.0-16-generic in rpool/ROOT/ubuntu_p0h3hf
Found initrd image: initrd.img-6.12.0-16-generic in rpool/ROOT/ubuntu_p0h3hf
Found linux image: vmlinuz-6.12.0-15-generic in rpool/ROOT/ubuntu_p0h3hf
Found initrd image: initrd.img-6.12.0-15-generic in rpool/ROOT/ubuntu_p0h3hf
Found linux image: vmlinuz-linux-cachyos in zpcachyos/ROOT/cos/root
Warning: Couldn't find any valid initrd for dataset zpcachyos/ROOT/cos/root.
Warning: didn't find any valid initrd or kernel.
Found linux image: vmlinuz-linux-cachyos in zpcachyos/ROOT/cos/root@2-11
Warning: Couldn't find any valid initrd for dataset zpcachyos/ROOT/cos/root@2-11.
Warning: didn't find any valid initrd or kernel.
Found memtest86+ 64bit EFI image: /boot/memtest86+x64.efi
Found memtest86+ 32bit EFI image: /boot/memtest86+ia32.efi
Found memtest86+ 64bit image: /boot/memtest86+x64.bin
Found memtest86+ 32bit image: /boot/memtest86+ia32.bin
Warning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot entries.
Adding boot menu entry for UEFI Firmware Settings ...
done

Long story short, I just don’t depend on grub for multi-drive boots… rEFInd has been my go-to for that.


Problem with os-prober and update-grub has been fixed.

All good on all, firejail, flatpak, apparmor all behaving nicely again.
Rockin the Plucky now… :man_dancing:
@ogra kernel 6.14 came in.

