AppArmor policy on ubuntu 24.04 + SegFault

[GuillaumeCisco]

Expected behavior: Teleport-connect launches correctly without bugs

Current behavior: Teleport-connect displays an error on launch, and after fix still segfault sometimes

Bug details:

• Teleport version: 16.0.1
• Recreation steps

$> teleport-connect
LaunchProcess: failed to execvp:
/opt/Teleport
[34780:0618/110357.688481:FATAL:zygote_host_impl_linux.cc(201)] Check failed: . : Invalid argument (22)
Trace/breakpoint trap (core dumped)

This issue appeared after upgrading to ubuntu 24.04. It looks like there is an issue with electron app based on chromium:

• https://github.com/electron/electron/issues/41066
• https://forum.unity.com/threads/unity-hub-and-x-ubuntu-24-04-not-starting-workaround.1586640/

I used this workaround: Create file /etc/apparmor.d/teleport-connect with content:

abi <abi/4.0>,
include <tunables/global>

profile teleport-connect /opt/Teleport\ Connect/teleport-connect flags=(unconfined) {
userns,

# Site-specific additions and overrides. See local/README for details.
include if exists <local/teleport-connect>
}

Then: $> sudo systemctl restart apparmor.service

Sometimes it works with a displayed error, sometimes it directly segfault:

$> teleport-connect --trace-warnings
(node:41551) UnhandledPromiseRejectionWarning: Error: Window was closed before frontend app got initialized
    at BrowserWindow.<anonymous> (/opt/Teleport Connect/resources/app.asar/build/app/main/index.js:21565:9)
    at Object.onceWrapper (node:events:633:26)
    at BrowserWindow.emit (node:events:530:35)
    at emitUnhandledRejectionWarning (node:internal/process/promises:201:15)
    at processPromiseRejections (node:internal/process/promises:297:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:96:32)
(node:41551) Error: Window was closed before frontend app got initialized
    at BrowserWindow.<anonymous> (/opt/Teleport Connect/resources/app.asar/build/app/main/index.js:21565:9)
    at Object.onceWrapper (node:events:633:26)
    at BrowserWindow.emit (node:events:530:35)
Segmentation fault (core dumped)

$> teleport-connect --trace-warnings
Segmentation fault (core dumped)

• Debug logs Using gdb with bt does not show any valuable information.

  Thread 1 "teleport-connec" received signal SIGSEGV, Segmentation fault.
  0x000060a3b7ca34c8 in ?? ()
  (gdb) bt
  #0  0x000060a3b7ca34c8 in ??? ()
  #1  0x000016d00015dc00 in ??? ()
  ...

[rmntrvn]

Some isssue in kubuntu 24.04, teleport version 16.01

[ravicious]

Thanks for a detail bug report! We're waiting to learn how VSCode addressed this issue. https://github.com/electron/electron/issues/41066#issuecomment-2185907037

In the meantime, I wonder how correct that profile shared on the Unity forum is. In the original Ubuntu blogpost, they show this example profile:

abi <abi/4.0>,

include <tunables/global>

/opt/google/chrome/chrome flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
}

Notice how it just starts with the path to the executable, not with profile chrome <path>.

In the docs for apparmor profiles, it states that the profile … syntax is for unattached profiles:

Unattached profiles do not reside in the file system namespace and therefore are not automatically attached to an application. The name of an unattached profile is preceded by the keyword profile. (…)

Unattached profiles are never used automatically, nor can they be transitioned to through a Px rule. They need to be attached to a program by either using a named profile transition (see Section 34.12.7, “Named profile transitions”) or with the change_profile rule (see Section 34.2.5, “Change rules”).

Does it help if you change Connect's profile to the following one?

abi <abi/4.0>,
include <tunables/global>

/opt/Teleport\ Connect/teleport-connect flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/teleport-connect>
}

[GuillaumeCisco]

Hello, thank you for your message. I tried with an unattached profile and unfortunately, I still have pretty ofently "Segmentation fault (core dumped)" :/

[ravicious]

I updated my Linux laptop today to Ubuntu 24.0 and I can confirm that the fix suggested by you works. The profile I suggested in https://github.com/gravitational/teleport/issues/43168#issuecomment-2185986769 does not work at all. I'll try to add automatic provisioning of the profile in the next day or two.

I wasn't able to reproduce the segfault after adding the profile though. Connect seems to start just fine and I relaunched the app like 20 times, both from the desktop and the terminal.

I think our best bet is to wait for Connect v16.0.2 or greater. It will include an update to Electron. Then we can check if you are able to reproduce the segfault with the profile present. If not, I'll create a separate issue to track that problem.