Issues with setting up and running a GUI with AppArmor

Operating System: Kubuntu 24.04, KDE Plasma Version: 5.27.12, KDE Frameworks Version: 5.115.0, Qt Version: 5.15.13, Kernel Version: 6.8.0-59-generic (64-bit)

I am trying to sandbox Asset Forge (a gaming dev tool developed using the Unity gaming engine) so it can access only its own folder and block access to my home folder, with some exceptions. I created a profile (see below) in complain mode, but it blocks the app from running. If I comment out the last deny statement it runs fine.

Any help would be appreciated.

The app is https://kenney.nl/tools/asset-forge

Here is the profile parse command:

    sudo apparmor_parser -r /etc/apparmor.d/"Asset Forge.x86_64"

When I run the app I get the following message, blocking UnityPlayer.so:

    May 19 10:56:30 cactus plasmashell[32044]:
    /home/user1/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/Asset
    Forge.x86_64: error while loading shared libraries: UnityPlayer.so:
    cannot open shared object file: No such file or directory

Here is the profile.

    # Last Modified: Sun May 18 19:28:47 2025
    include <tunables/global>

    # vim:syntax=apparmor
    # AppArmor policy for Asset Forge.x86_64

    "/home/user1/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/Asset Forge.x86_64" flags=(complain) {
      include <abstractions/base>
      include <abstractions/gnome>
      include <abstractions/lightdm>

      deny owner /home/*/.arduino15/** r,

      /** rm,
      /{,var/}run/** mrwk,
      owner "/home/*/.config/unity3d/**" rw,
      owner "/home/*/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/UnityPlayer.so" rm,
      owner "/home/*/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/**" r,
      owner /home/*/.cache/** rwk,
      owner /home/*/.cache/fontconfig/* r,
      owner /home/*/.config/dconf/user r,
      owner /home/*/.config/gtk-3.0/bookmarks r,
      owner /home/*/.config/gtk-3.0/colors.css r,
      owner /home/*/.config/gtk-3.0/gtk.css r,
      owner /home/*/.config/gtk-3.0/settings.ini r,
      owner /home/*/.config/gtk-3.0/window_decorations.css r,
      owner /home/*/.config/ibus/bus/ r,
      owner /home/*/.config/ibus/bus/* r,
      owner /home/*/.config/unity3d/** rw,
      owner /home/*/.config/user-dirs.dirs r,
      owner /home/*/.fonts.conf r,
      owner /home/*/.local/share/**/ r,
      owner /home/*/.local/share/mime/mime.cache r,
      owner /home/*/.local/share/recently-used.xbel rw,
      owner /home/*/Untitled-1.model rw,

      deny owner /home/** rwk,
    }

I haven’t worked with AppArmor yet, but I want to get to know it. So I searched the docs and found QuickProfileLanguage / Rule Modifiers.

From this section:

> IMPORTANT: deny rules are evaluated before allow rules and cannot be overridden by an allow rule.

If I get this right, your last deny rule will override every allow rule for /home/** - this rule will block complete access to /home, its subfolders and all content.

When there is no corresponding rule for a resource, AppArmor will block access to the resource and log it.
Therefore your last deny rule isn’t necessary. Only resources which are explicitly allowed may get accessed.

By the way - welcome to this community.

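A profile along the lines of the answer above, as an added example (it is not the original poster's profile and not something shipped with Asset Forge): it keeps the poster's allow rules, drops the blanket `/** rm,` and the trailing `deny owner /home/** rwk,`, and relies on AppArmor denying everything that is not listed. The application path is the one from the question. The `**.so` rule and the collapsed `gtk-3.0` and `ibus` globs are assumptions about the install layout and desktop files rather than rules taken from the question; confirm them against the log. Note that explicit `deny` rules are enforced even under `flags=(complain)`, which is why the original profile blocked `UnityPlayer.so` although complain mode would have let an unlisted path through.

```apparmor
# Added example, not the original poster's profile. Same application path as
# in the question; everything marked "assumed" is not taken from the question.
include <tunables/global>

"/home/user1/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/Asset Forge.x86_64" flags=(complain) {
  include <abstractions/base>
  include <abstractions/gnome>
  include <abstractions/lightdm>

  # Deliberately absent:
  #   /** rm,                   - would allow reading (and mapping) every
  #                               file on the system, home included
  #   deny owner /home/** rwk,  - deny is evaluated first and cannot be
  #                               overridden, so it also cancels every
  #                               allow rule below that points into /home,
  #                               UnityPlayer.so among them
  # Anything not listed here is denied by default, so no catch-all is needed.

  # The install directory. The player library must be mappable (m, same as
  # the original's "rm"); Unity builds usually ship further .so files next
  # to the player, which need m as well (assumed layout, check the log).
  owner "/home/*/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/UnityPlayer.so" mr,
  owner "/home/*/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/**.so" mr,
  owner "/home/*/Documents/gameart/Asset Forge 2.5.1a Linux (Deluxe)/**" r,

  # Unity's own settings and Player.log (listed twice in the original).
  owner /home/*/.config/unity3d/** rw,

  # Desktop integration, carried over from the original. The gtk-3.0 and
  # ibus entries are collapsed into globs (assumed: "*" does not cross "/",
  # so these stay inside the named directory).
  /{,var/}run/** mrwk,
  owner /home/*/.cache/** rwk,
  owner /home/*/.config/dconf/user r,
  owner /home/*/.config/gtk-3.0/* r,
  owner /home/*/.config/ibus/bus/{,*} r,
  owner /home/*/.config/user-dirs.dirs r,
  owner /home/*/.fonts.conf r,
  owner /home/*/.local/share/**/ r,
  owner /home/*/.local/share/mime/mime.cache r,
  owner /home/*/.local/share/recently-used.xbel rw,

  # The one file in the home directory the app may write: the exception
  # the question asks for.
  owner /home/*/Untitled-1.model rw,

  # Carried over from the original. Redundant (nothing above allows it) but
  # harmless; "audit" makes any attempt show up in the log, whereas a plain
  # deny is silent.
  audit deny owner /home/*/.arduino15/** r,
}
```

Load it with the same `sudo apparmor_parser -r /etc/apparmor.d/"Asset Forge.x86_64"` as in the question, start the app and read the kernel log (`sudo dmesg | grep -i apparmor`, or `sudo aa-logprof` to turn the entries into rule suggestions): in complain mode an access the profile does not cover is logged with `apparmor="ALLOWED"` and still permitted, so each such line names a rule that is still missing, typically a further library or a `/run/user` socket. Once the app runs with no new entries, switch to `flags=(enforce)` (or `sudo aa-enforce "/etc/apparmor.d/Asset Forge.x86_64"`); from then on anything missing appears as `apparmor="DENIED"` and is actually blocked.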