gittup / tup

Tup is a file-based build system.
http://gittup.org/tup/
GNU General Public License v2.0

tup only works with sudo ("setgroups: Permission denied") #502

Open uohmak4fvpqe opened 3 months ago

uohmak4fvpqe commented 3 months ago

So I just upgraded to Ubuntu 24.04. Now, this is what I get:

$ tup
/proc/11285/setgroups: Permission denied
tup error: Unable to deny setgroups when setting up user namespace.
tup error: master_fork server did not start up correctly.

However, sudo tup works.

uohmak4fvpqe commented 2 months ago

GPT and I have been investigating this. Turns out AppArmor was causing the trouble, and this solved the issue for me:

  1. delete /etc/apparmor.d/tup or any file there named after tup
  2. create the file /etc/apparmor.d/usr.local.bin.tup (adapt the filename and file content to your tup path):

     #include <tunables/global>
     "/usr/local/bin/tup" {
       #include <abstractions/base>
       capability sys_admin,
       mount,umount,
       /** rwk,
       /** ix,
     }

  3. run sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.tup

This basically allows everything tup might have requested during my tests. In case I missed anything and tup complains about missing rights, you can run aa-notify -s 1 -v to see what was denied and tune the file above.

danielytics commented 1 month ago

I had to add flags=(attach_disconnected) to mine to make it work:

#include <tunables/global>
"/usr/local/bin/tup" flags=(attach_disconnected) {
  #include <abstractions/base>
  capability sys_admin,
  mount,umount,
  /** rwk,
  /** ix,
}

I don't really know anything about AppArmor, so I don't know why I needed it or why that worked, but in case other people are having trouble getting it to work, adding that worked for me.

This is what I saw in journalctl -xe before adding it:

Jul 23 10:16:26 mosi kernel: audit: type=1400 audit(1721726186.039:4133): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="/usr/local/bin/tup" name="home/dan/foo/.tup/tmp/>
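As an added example (not code from this thread or from the tup project), the following POSIX sh script turns the procedure from the two comments above into reusable functions: it derives the AppArmor profile filename from the tup binary path (the usual /usr/local/bin/tup to usr.local.bin.tup mapping), and writes the profile body posted above with the flags=(attach_disconnected) addition that danielytics needed. The helper names profile_name, profile_body and write_profile are hypothetical, and the optional output-directory parameter is an assumption added so the profile can be generated into a temporary directory and inspected before it is installed under /etc/apparmor.d and loaded with apparmor_parser, as the thread describes.

```shell
#!/bin/sh
# Added example, not part of the tup project or of this issue thread.
# Generates the AppArmor profile for tup that the thread converged on,
# parameterised by the path of the tup binary.

# Map a binary path to the conventional AppArmor profile file name:
#   /usr/local/bin/tup -> usr.local.bin.tup
profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Emit the profile text for the given binary path. The body is the one
# posted in the thread, including flags=(attach_disconnected), which avoids
# the "disconnected path" denials seen in the journalctl output above.
profile_body() {
    bin="$1"
    cat <<EOF
#include <tunables/global>
"$bin" flags=(attach_disconnected) {
  #include <abstractions/base>
  capability sys_admin,
  mount,
  umount,
  /** rwk,
  /** ix,
}
EOF
}

# Write the profile into DIR (default /etc/apparmor.d; the second argument is
# an assumption added here so the result can be dry-run elsewhere) and print
# the path of the file that was written.
write_profile() {
    bin="$1"
    dir="${2:-/etc/apparmor.d}"
    out="$dir/$(profile_name "$bin")"
    profile_body "$bin" > "$out"
    printf '%s\n' "$out"
}

# Usage (writing to /etc/apparmor.d and loading the profile needs root):
#   out=$(write_profile /usr/local/bin/tup) && sudo apparmor_parser -r "$out"
```

Run write_profile with a temporary directory as the second argument first to review the generated file; once it matches the installed tup path, write it to /etc/apparmor.d and reload it with apparmor_parser -r as in step 3 of the thread. If tup still reports missing rights, aa-notify -s 1 -v shows the remaining denials, as noted above.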