roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

strawberry, nemo profiles appear to be broken + xwayland profile breaks steam games #407

Open odomingao opened 1 month ago

odomingao commented 1 month ago

dmesg error line on strawberry:

[  478.914254] audit: type=1400 audit(1720630930.696:2622): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="strawberry" name="dev/tty1" pid=4521 comm="strawberry" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

errors when launching the program from the command line:

14:46:50.463 INFO  main:165                         Strawberry is already running - activating existing window (1)
14:46:55.463 WARN  unknown                          Connection timed out
14:46:55.463 ERROR main:168                         Could not send message to primary instance.

XWayland errors when launching steam games:

[ 3292.527412] audit: type=1400 audit(1720633744.296:10202): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2361 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 3293.042796] audit: type=1400 audit(1720633744.810:10203): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2361 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 3294.400645] audit: type=1400 audit(1720633746.170:10204): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2361 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 3294.597848] audit: type=1400 audit(1720633746.366:10205): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2361 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 3299.836038] audit: type=1400 audit(1720633751.603:10208): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so" pid=12922 comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 3299.836061] audit: type=1400 audit(1720633751.603:10209): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_64/gameoverlayrenderer.so" pid=12922 comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

A few more lines of "open" errors are omitted. I believe the "open" errors are what prevent the games from launching successfully, as I am restricting ptrace already through other means.

Setting both profiles to complain mode fixes the issues.

edit: nemo also doesn't work.

dmesg:

[12245.851559] audit: type=1400 audit(1720642697.561:22530): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/run/user/1000/dconf/user" pid=17936 comm="nemo" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
[12245.851644] audit: type=1400 audit(1720642697.561:22531): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.config/dconf/user" pid=17936 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

nemo command line errors:

(nemo:17936): dconf-CRITICAL **: 17:18:17.565: unable to create file '/run/user/1000/dconf/user': Permission denied.  dconf will not work properly.
(nemo:17936): Gtk-CRITICAL **: 17:18:25.327: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
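The dmesg and aa-log entries quoted throughout this thread share one key="value" format. As an added example (not code from apparmor.d or from the reporter), here is a small Python triage script that parses such lines, counts DENIED (enforce mode) and ALLOWED (complain mode) events per profile, and drafts the profile rule or diagnostic each event points at. The rule drafts, the @{HOME} substitution and the owner heuristic are this example's own assumptions, and the sample lines are constructed from the ones posted in this issue.

```python
"""Triage helper for AppArmor audit lines of the kind quoted in this issue.

Added example (not part of apparmor.d): parses the key="value" pairs of
dmesg / aa-log entries, counts DENIED (enforce mode) and ALLOWED (complain
mode) events per profile, and drafts the rule each event points at.
"""
import re
from collections import defaultdict

# Matches key=value where value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: one line per failure class seen in the issue.
SAMPLE_LOG = """\
[  478.914254] audit: type=1400 audit(1720630930.696:2622): apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="strawberry" name="dev/tty1" pid=4521 comm="strawberry" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[ 3292.527412] audit: type=1400 audit(1720633744.296:10202): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2361 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 3299.836038] audit: type=1400 audit(1720633751.603:10208): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so" pid=12922 comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[12245.851559] audit: type=1400 audit(1720642697.561:22530): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/run/user/1000/dconf/user" pid=17936 comm="nemo" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
apparmor="DENIED" operation="exec" class="file" profile="pkexec" name="/usr/lib/gamemode/cpugovctl"  comm="pkexec" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="ALLOWED" operation="exec" class="file" profile="pkexec" name="/usr/lib/gamemode/cpugovctl"  comm="pkexec" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="pkexec//null-/usr/lib/gamemode/cpugovctl"
apparmor="ALLOWED" operation="file_mmap" class="file" profile="pkexec//null-/usr/lib/gamemode/cpugovctl" name="/usr/lib/gamemode/cpugovctl"  comm="cpugovctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3734.679640] audit: type=1400 audit(1720708593.544:5348): apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="chromium-wrapper" name="/usr/lib/chromium/chromium" pid=21270 comm="chromium" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="chromium"
"""


def parse_line(line):
    """Return the key/value fields of one audit line, or None if it is not an AppArmor event."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def normalize_mask(mask):
    """Map an audit mask to rule permissions: c (create) and d (delete) are covered by w."""
    perms = set()
    for ch in mask:
        if ch in "cd":
            perms.add("w")
        elif ch in "rwalkm":
            perms.add(ch)
    if "w" in perms:
        perms.discard("a")  # w already implies append
    return "".join(p for p in "rwalkm" if p in perms)


def suggest_rule(f):
    """Draft the profile line (or a diagnostic comment) that one event points at (assumed heuristics)."""
    info = f.get("info", "")
    name = f.get("name", "?")
    if f.get("class") == "cap":
        return f'capability {f.get("capname", "?")},'
    if "no new privs" in info:
        # Seen under bwrap in the issue: the exec would change profile while NO_NEW_PRIVS
        # is set, which AppArmor refuses; adding a file rule does not change that.
        return f"# exec of {name} refused under NO_NEW_PRIVS (sandboxed?); not fixable by a file rule"
    if "disconnected path" in info:
        # name has no leading slash: the path is outside the process's namespace view.
        return f"# {name} is a disconnected path; profile needs the attach_disconnected flag"
    mask = f.get("denied_mask") or f.get("requested_mask", "")
    if "x" in mask:
        return f"# exec: {name} needs an exec rule with an explicit transition (ix, Px, Cx, ...)"
    if f.get("class") == "file":
        # Heuristic: a file owned by the (non-root) requesting uid gets an owner-qualified rule.
        owner = "owner " if f.get("fsuid") == f.get("ouid") and f.get("ouid") != "0" else ""
        path = re.sub(r"^/home/[^/]+", "@{HOME}", name)
        return f"{owner}{path} {normalize_mask(mask)},"
    return f"# unhandled event: operation={f.get('operation')} class={f.get('class')}"


def summarize(text):
    """Group events per profile: counts of DENIED/ALLOWED and the deduplicated rule drafts."""
    summary = defaultdict(lambda: {"denied": 0, "allowed": 0, "rules": set()})
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = summary[f["profile"]]
        if f["apparmor"] == "DENIED":
            entry["denied"] += 1
        elif f["apparmor"] == "ALLOWED":  # complain mode: logged but not blocked
            entry["allowed"] += 1
        entry["rules"].add(suggest_rule(f))
    return dict(summary)


if __name__ == "__main__":
    for profile, entry in summarize(SAMPLE_LOG).items():
        print(f"{profile}: {entry['denied']} denied, {entry['allowed']} allowed")
        for rule in sorted(entry["rules"]):
            print("   ", rule)
```

Feeding it `dmesg` or `aa-log` output shows at a glance which profile blocks what, and which denials (disconnected paths, exec under NO_NEW_PRIVS) cannot be fixed by simply adding a path rule.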

roddhjav commented 1 month ago

What distribution/desktop environment are you using?

odomingao commented 1 month ago

> What distribution/desktop environment are you using?

Arch, Hyprland

roddhjav commented 1 month ago

Should be fixed now. Can you provide more info about xwayland logs? Are they always the same open path?

odomingao commented 1 month ago

> Should be fixed now. Can you provide more info about xwayland logs? Are they always the same open path?

Thank you. They are not fixed, though now the denied actions are different:

nemo dmesg:

[ 1598.946746] audit: type=1400 audit(1720706457.822:4831): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.zsh_history" pid=2467 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1610.370533] audit: type=1400 audit(1720706469.245:4836): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.zsh_history" pid=2467 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1614.769651] audit: type=1400 audit(1720706473.645:4837): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.viminfo" pid=2467 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1614.769921] audit: type=1400 audit(1720706473.645:4838): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.viminfo" pid=2467 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1617.539163] audit: type=1400 audit(1720706476.412:4840): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.cache/thumbnails/" pid=15191 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1617.555020] audit: type=1400 audit(1720706476.429:4841): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/hicolor/16x16/emblems/" pid=15191 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1617.556140] audit: type=1400 audit(1720706476.432:4842): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/hicolor/24x24/emblems/" pid=15191 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1617.557623] audit: type=1400 audit(1720706476.432:4843): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/hicolor/48x48/emblems/" pid=15191 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1617.562190] audit: type=1400 audit(1720706476.435:4844): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/" pid=15191 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1617.573712] audit: type=1400 audit(1720706476.449:4845): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.local/share/gvfs-metadata/home" pid=15191 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1617.602383] audit: type=1400 audit(1720706476.475:4846): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.config/nemo/bookmark-metadata" pid=15191 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1617.606525] audit: type=1400 audit(1720706476.482:4847): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.local/share/gvfs-metadata/home" pid=15191 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1617.607235] audit: type=1400 audit(1720706476.482:4848): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.local/share/gvfs-metadata/home" pid=15191 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1626.004553] audit: type=1400 audit(1720706484.879:4894): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.cache/thumbnails/" pid=15274 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1626.020463] audit: type=1400 audit(1720706484.895:4895): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/hicolor/16x16/emblems/" pid=15274 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1626.021381] audit: type=1400 audit(1720706484.895:4896): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/hicolor/24x24/emblems/" pid=15274 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1626.022780] audit: type=1400 audit(1720706484.899:4897): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/hicolor/48x48/emblems/" pid=15274 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1626.027277] audit: type=1400 audit(1720706484.902:4898): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/usr/share/nemo/icons/" pid=15274 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1626.039266] audit: type=1400 audit(1720706484.912:4899): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.local/share/gvfs-metadata/home" pid=15274 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1626.066984] audit: type=1400 audit(1720706484.942:4900): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.config/nemo/bookmark-metadata" pid=15274 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1626.071620] audit: type=1400 audit(1720706484.945:4901): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.local/share/gvfs-metadata/home" pid=15274 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 1626.072230] audit: type=1400 audit(1720706484.945:4902): apparmor="DENIED" operation="open" class="file" profile="nemo" name="/home/user/.local/share/gvfs-metadata/home" pid=15274 comm="pool-nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

command line:

(nemo:15274): Nemo-WARNING **: 11:01:24.846: Current gtk theme is not known to have nemo support (Breeze) - checking...

(nemo:15274): Nemo-WARNING **: 11:01:24.883: The theme appears to have no nemo support.  Adding some...

(nemo:15274): GVFS-WARNING **: 11:01:24.918: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied
Fontconfig error: "/etc/fonts/local.conf", line 7: not well-formed (invalid token)
Fontconfig warning: "/etc/fonts/local.conf", line 7: invalid attribute 'name'
Fontconfig warning: "/etc/fonts/local.conf", line 7: invalid attribute 'mode'
Fontconfig warning: "/etc/fonts/local.conf", line 7: invalid attribute 'target'

(nemo:15274): Nemo-WARNING **: 11:01:24.946: Could not load bookmark metadata file: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.951: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): Gtk-WARNING **: 11:01:24.951: Creating a portal monitor failed: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.Inhibit” on object at path /org/freedesktop/portal/desktop

(nemo:15274): GVFS-WARNING **: 11:01:24.951: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.954: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.954: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.967: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.967: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.967: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.967: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.978: can't init metadata tree /home/user/.local/share/gvfs-metadata/root: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.980: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.981: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.981: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.981: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.981: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied

(nemo:15274): GVFS-WARNING **: 11:01:24.981: can't init metadata tree /home/user/.local/share/gvfs-metadata/home: open: Permission denied
ERROR SET META:0 Error setting file metadata: can’t open metadata tree
ERROR SET META:0 Error setting file metadata: can’t open metadata tree
ERROR SET META:0 Error setting file metadata: can’t open metadata tree

(nemo:15274): GVFS-WARNING **: 11:01:25.027: can't init metadata tree /home/user/.local/share/gvfs-metadata/root: open: Permission denied

the GUI for nemo also displays the error: This folder contents could not be displayed. You do not have the permissions necessary to view the contents of "user".

strawberry also still seems broken. dmesg:

[ 1947.264584] audit: type=1400 audit(1720706806.136:4948): apparmor="DENIED" operation="mknod" class="file" profile="strawberry" name="/tmp/kdsingleapp-user-strawberry.lock" pid=15958 comm="strawberry" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 1957.187913] audit: type=1400 audit(1720706816.060:4949): apparmor="DENIED" operation="mknod" class="file" profile="strawberry" name="/tmp/kdsingleapp-user-strawberry.lock" pid=15991 comm="strawberry" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 1999.984198] audit: type=1400 audit(1720706858.856:4950): apparmor="DENIED" operation="mknod" class="file" profile="strawberry" name="/tmp/kdsingleapp-user-strawberry.lock" pid=16038 comm="strawberry" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 2008.066532] audit: type=1400 audit(1720706866.939:4951): apparmor="DENIED" operation="mknod" class="file" profile="strawberry" name="/tmp/kdsingleapp-user-strawberry.lock" pid=16054 comm="strawberry" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

command line:

11:07:46.944 INFO  main:165                         Strawberry is already running - activating existing window (1)
11:07:51.944 WARN  unknown                          Connection timed out
11:07:51.944 ERROR main:168                         Could not send message to primary instance.

I've noticed that the Xwayland profile is an issue specifically with gamescope, as removing it from the launch options allows the games to successfully run. I should add that not only will the game fail to launch in these scenarios, but Steam will also be unable to close the game, and Steam itself will be stuck when you attempt to close it (though clicking "Exit now" does work).

xwayland profile denied actions when attempting to open a steam game via proton experimental (far cry 3, yugioh master duel) with gamescope:

[ 2201.400708] audit: type=1400 audit(1720707060.275:5024): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2389 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 2202.318769] audit: type=1400 audit(1720707061.191:5026): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2389 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 2204.173300] audit: type=1400 audit(1720707063.048:5030): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2389 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 2204.909848] audit: type=1400 audit(1720707063.785:5031): apparmor="DENIED" operation="capable" class="cap" profile="xwayland" pid=2389 comm="Xwayland" capability=19  capname="sys_ptrace"
[ 2232.618088] audit: type=1400 audit(1720707091.491:5063): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so" pid=16912 comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2232.618114] audit: type=1400 audit(1720707091.491:5064): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_64/gameoverlayrenderer.so" pid=16912 comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2232.656796] audit: type=1400 audit(1720707091.531:5065): apparmor="DENIED" operation="mknod" class="file" profile="xwayland" name="/home/user/.local/share/Steam/steamapps/shadercache/3621795166/mesa_shader_cache_sf/de46790e9e05412307fde9bd511399566f68b2d2/BONAIRE/foz_cache.foz" pid=16912 comm="Xwayland" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 2232.657951] audit: type=1400 audit(1720707091.531:5066): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/steamapps/shadercache/3621795166/mesa_shader_cache_sf/de46790e9e05412307fde9bd511399566f68b2d2/BONAIRE/foz_cache.foz" pid=16912 comm="Xwayland" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000
[ 2232.657972] audit: type=1400 audit(1720707091.531:5067): apparmor="DENIED" operation="mknod" class="file" profile="xwayland" name="/home/user/.local/share/Steam/steamapps/shadercache/3621795166/mesa_shader_cache_sf/de46790e9e05412307fde9bd511399566f68b2d2/BONAIRE/foz_cache_idx.foz" pid=16912 comm="Xwayland" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 2232.658403] audit: type=1400 audit(1720707091.531:5068): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/steamapps/shadercache/3621795166/mesa_shader_cache_sf/de46790e9e05412307fde9bd511399566f68b2d2/BONAIRE/foz_cache_idx.foz" pid=16912 comm="Xwayland" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000
[ 2593.998953] audit: type=1400 audit(1720707452.869:5153): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so" pid=18589 comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2593.998962] audit: type=1400 audit(1720707452.869:5154): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_64/gameoverlayrenderer.so" pid=18589 comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2594.037965] audit: type=1400 audit(1720707452.906:5155): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/mnt/ssd480/Games/Steam/SteamLibrary/steamapps/shadercache/1449850/mesa_shader_cache_sf/de46790e9e05412307fde9bd511399566f68b2d2/BONAIRE/foz_cache.foz" pid=18589 comm="Xwayland" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000
[ 2594.038078] audit: type=1400 audit(1720707452.906:5156): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/mnt/ssd480/Games/Steam/SteamLibrary/steamapps/shadercache/1449850/mesa_shader_cache_sf/de46790e9e05412307fde9bd511399566f68b2d2/BONAIRE/foz_cache_idx.foz" pid=18589 comm="Xwayland" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000
[ 2594.137812] audit: type=1400 audit(1720707453.006:5157): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so" pid=18600 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2594.137828] audit: type=1400 audit(1720707453.006:5158): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_64/gameoverlayrenderer.so" pid=18600 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2594.140362] audit: type=1400 audit(1720707453.009:5159): apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="xwayland" name="/usr/bin/xkbcomp" pid=18600 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="xkbcomp"
[ 2594.144179] audit: type=1400 audit(1720707453.012:5160): apparmor="DENIED" operation="open" class="file" profile="xwayland" name="/home/user/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so" pid=18601 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I've also experienced issues with Tor Browser (gpg profile). Not sure if I'm supposed to create a different issue for this, so I'll post logs here. If you'd prefer, I can create a new issue for each profile moving forward.

gpg denied actions:

[ 2994.148570] audit: type=1400 audit(1720707853.017:5173): apparmor="DENIED" operation="open" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/pubring.kbx" pid=18960 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2994.148578] audit: type=1400 audit(1720707853.017:5174): apparmor="DENIED" operation="mknod" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/.#lk0x00000b6464bb5950.host.18960" pid=18960 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 2994.151256] audit: type=1400 audit(1720707853.021:5175): apparmor="DENIED" operation="mknod" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/.#lk0x00000b6464bd4210.host.18960" pid=18960 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 2994.151279] audit: type=1400 audit(1720707853.021:5176): apparmor="DENIED" operation="mknod" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/.#lk0x00000b6464bd4210.host.18960" pid=18960 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 3013.258871] audit: type=1400 audit(1720707872.127:5183): apparmor="DENIED" operation="open" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/pubring.kbx" pid=19006 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 3013.258892] audit: type=1400 audit(1720707872.127:5184): apparmor="DENIED" operation="mknod" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/.#lk0x00000be0e43019b0.host.19" pid=19006 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 3013.260841] audit: type=1400 audit(1720707872.131:5185): apparmor="DENIED" operation="mknod" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/.#lk0x00000be0e4320210.host.19" pid=19006 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 3013.260854] audit: type=1400 audit(1720707872.131:5186): apparmor="DENIED" operation="mknod" class="file" profile="gpg" name="/home/user/.local/share/torbrowser/gnupg_homedir/.#lk0x00000be0e4320210.host.19" pid=19006 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

command line errors:

Tor Browser Launcher
By Micah Lee & Tor Project, licensed under MIT
version 0.3.7
https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/
Traceback (most recent call last):
  File "/usr/bin/torbrowser-launcher", line 31, in <module>
    torbrowser_launcher.main()
  File "/usr/lib/python3.12/site-packages/torbrowser_launcher/__init__.py", line 81, in main
    common = Common(tor_browser_launcher_version)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/torbrowser_launcher/common.py", line 61, in __init__
    self.init_gnupg()
  File "/usr/lib/python3.12/site-packages/torbrowser_launcher/common.py", line 204, in init_gnupg
    self.import_keys()
  File "/usr/lib/python3.12/site-packages/torbrowser_launcher/common.py", line 289, in import_keys
    imported = self.import_key_and_check_status(key)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/torbrowser_launcher/common.py", line 271, in import_key_and_check_status
    if result and self.fingerprints[key] in result.imports[0].fpr:
                                            ~~~~~~~~~~~~~~^^^
IndexError: list index out of range

the chromium wrapper profile also fails to launch through bubblejail, though I'm not sure if this is an apparmor.d issue or a bubblejail issue (every other error could be reproduced regardless of the application being bubblejailed, but this one is specific to bubblejail). The "no new privs" error is exclusive to bubblejail, but the failure to open the flags file also happens when the program is launched normally, resulting in the flags specified in the file not being applied, though the program does launch.

[ 3734.677743] audit: type=1400 audit(1720708593.544:5347): apparmor="DENIED" operation="open" class="file" profile="chromium-wrapper" name="/home/user/.config/chromium-flags.conf" pid=21270 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 3734.679640] audit: type=1400 audit(1720708593.544:5348): apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="chromium-wrapper" name="/usr/lib/chromium/chromium" pid=21270 comm="chromium" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="chromium"

roddhjav commented 1 month ago

I'll have a look at this. However, please move all profiles to complain mode while you are testing them. Otherwise, apparmor blocks the program on the first issue and you won't be able to see any following logs.

Also, what is your distribution and desktop environment?

odomingao commented 1 month ago

> I'll have a look at this. However, please move all profiles to complain mode while you are testing them. Otherwise, apparmor blocks the program on the first issue and you won't be able to see any following logs.
>
> Also, what is your distribution and desktop environment?

Apologies, I'll do this moving forward. I'm on Arch, Hyprland.

Tor Browser's profile (torbrowser.Browser.firefox) also has issues when launching through Bubblejail. I've also had to set the systemd-machined profile to complain in order to allow intgr's ego (https://github.com/intgr/ego) to work. I've also now noticed that there are issues with the profile for dunst.

Here's the output from sudo aa-log -s -R, after using each program for a bit in complain mode. I've redacted personal information such as filenames accessed and urls. I'm also grepping out profile="xdg-dbus-proxy" as these entries don't seem relevant and some contain personal information. I apologize in advance if there is a lot of redundant and repeated information in the logs.

(the file is 800 lines long... therefore I'll post as an attachment instead)

aa-noxdgdbusproxy.log

I've also noticed when looking at the logs that the pkexec profile seems to interfere with gamemode. I'm grepping for this specific profile and posting it below after placing it on complain and requesting gamemode.

apparmor="DENIED" operation="exec" class="file" profile="pkexec" name="/usr/lib/gamemode/cpugovctl"  comm="pkexec" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="pkexec" name="/usr/lib/gamemode/procsysctl"  comm="pkexec" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="pkexec" name="/usr/lib/gamemode/gpuclockctl"  comm="pkexec" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="ALLOWED" operation="exec" class="file" profile="pkexec" name="/usr/lib/gamemode/cpugovctl"  comm="pkexec" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="pkexec//null-/usr/lib/gamemode/cpugovctl"
apparmor="ALLOWED" operation="file_mmap" class="file" profile="pkexec//null-/usr/lib/gamemode/cpugovctl" name="/usr/lib/gamemode/cpugovctl"  comm="cpugovctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="exec" class="file" profile="pkexec" name="/usr/lib/gamemode/gpuclockctl"  comm="pkexec" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="pkexec//null-/usr/lib/gamemode/gpuclockctl"
apparmor="ALLOWED" operation="file_mmap" class="file" profile="pkexec//null-/usr/lib/gamemode/gpuclockctl" name="/usr/lib/gamemode/gpuclockctl"  comm="gpuclockctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

odomingao commented 1 month ago

The gio-launch-desktop profile prevents me from opening an image from inside bubblejailed Dino. Logs:

apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="gio-launch-desktop" name="/usr/bin/imv"  comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=954 ouid=0 target="unconfined"
apparmor="ALLOWED" operation="exec" class="file" info="no new privs" error=-1 profile="gio-launch-desktop" name="/usr/bin/imv"  comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=954 ouid=0 target="unconfined"
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/usr/bin/imv"  comm="imv" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="exec" class="file" info="no new privs" error=-1 profile="gio-launch-desktop" name="/usr/bin/imv-wayland"  comm="imv" requested_mask="x" denied_mask="x" fsuid=954 ouid=0 target="imv"
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/etc/imv_config"  comm="imv-wayland" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/usr/share/glvnd/egl_vendor.d/"  comm="imv-wayland" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/usr/share/glvnd/egl_vendor.d/50_mesa.json"  comm="imv-wayland" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/dev/dri/"  comm="imv-wayland" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/uevent"  comm="imv-wayland" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/vendor"  comm="imv-wayland" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="gio-launch-desktop" name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/device"  comm="imv-wayland" requested_mask="r" denied_mask="r" fsuid=954 ouid=0
apparmor="ALLOWED" operation="unlink" class="file" profile="gio-launch-desktop" name="/run/user/954/imv-197.sock"  comm="imv-wayland" requested_mask="d" denied_mask="d" fsuid=954 ouid=954

roddhjav commented 1 month ago

Most of the issues should be fixed now.

You may need to set some personal home dir:

For torbrowser, this is the torbrowser_firefox profile, not a profile from this project; I can't do anything.

Regarding xwayland and steam games, can you try installing the steam profiles? They are in beta stage (and therefore not installed by default); however, I feel it should fix your issue. To enable them, you need to comment the following lines before building: https://github.com/roddhjav/apparmor.d/blob/bd1239b46a006d3cb227fc6fffcf95cf684e1ea2/dists/ignore/main.ignore#L18-L26

However, as you use it through gamescope, I don't think it will work out of the box.

> The gio-launch-desktop profile prevents me from opening an image from inside bubblejailed Dino.

Can you tell me how it was sandboxed using bwrap exactly? I may not be able to fix this.

odomingao commented 1 month ago

Thank you!

Moving forward, I'll make sure to verify whether the profile belongs to the project before reporting the issue.

I attempted to launch Dino without the bubblejail sandbox. Upon opening an image, I get a different error related to the imv profile (no access to .local/share/dino), though I believe this is probably a feature. This confirms that the gio-launch-desk issue is due to the bubblejail sandbox.

Here's the output of bubblejail run --dry-run dino which prints out the bwrap options and d-bus session arguments:

Bwrap options:
--unshare-all --die-with-parent --as-pid-1 --new-session --proc /proc --dev /dev --clearenv --ro-bind /usr /usr --ro-bind /opt /opt --symlink usr/bin /sbin --symlink usr/lib /lib --symlink usr/lib /lib64 --symlink usr/bin /bin --ro-bind /etc /etc --dir /tmp --dir /var --perms 700 --dir /run/user/954 --bind /home/ego/.local/share/bubblejail/instances/dino/home /home/ego --setenv HOME /home/ego --symlink /home/ego /home/user --chdir /home/ego --setenv USER ego --setenv USERNAME ego --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/bin --setenv XDG_RUNTIME_DIR /run/user/954 --setenv LANG en_US.UTF-8 --setenv DBUS_SESSION_BUS_ADDRESS unix:path=/run/user/954/bus --bind /run/user/954/bubblejail/dino/dbus_session_proxy /run/user/954/bus --setenv XDG_SESSION_TYPE tty --setenv GDK_BACKEND wayland --setenv MOZ_DBUS_REMOTE 1 --setenv MOZ_ENABLE_WAYLAND 1 --setenv WAYLAND_DISPLAY wayland-0 --bind /run/user/1000/wayland-1 /run/user/954/wayland-0 --ro-bind /home/ego/.config/kdeglobals /home/ego/.config/kdeglobals --ro-bind /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf --share-net --bind /home/ego/.local/share/dino /home/ego/.local/share/dino --bind /home/ego/.config/gtk-4.0 /home/ego/.config/gtk-4.0 --bind /home/ego/.config/mimeapps.list /home/ego/.config/mimeapps.list --symlink /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/drm/card1 /sys/dev/char/226:1 --dev-bind /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 --symlink /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/drm/renderD128 /sys/dev/char/226:128 --dev-bind /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 --dev-bind /dev/dri /dev/dri --setenv GTK_THEME Breeze --seccomp 7 --bind /run/user/954/bubblejail/dino/dbus_system_proxy /var/run/dbus/system_bus_socket --bind /run/user/954/bubblejail/dino/dbus_system_proxy /run/dbus/system_bus_socket --info-fd 11
Helper options:
/usr/lib/bubblejail/bubblejail-helper --helper-socket 6 --
Run args:

D-Bus session args:
xdg-dbus-proxy unix:path=/run/user/954/bus /run/user/954/bubblejail/dino/dbus_session_proxy --fd=9 --own=im.dino.Dino --filter unix:path=/run/dbus/system_bus_socket /run/user/954/bubblejail/dino/dbus_system_proxy --filter

Not sure if helpful, but here's the same thing as above but for chromium:

Bwrap options:
--unshare-all --die-with-parent --as-pid-1 --new-session --proc /proc --dev /dev --clearenv --ro-bind /usr /usr --ro-bind /opt /opt --symlink usr/bin /sbin --symlink usr/lib /lib --symlink usr/lib /lib64 --symlink usr/bin /bin --ro-bind /etc /etc --dir /tmp --dir /var --perms 700 --dir /run/user/1000 --bind /home/user/.local/share/bubblejail/instances/chromium/home /home/user --setenv HOME /home/user --chdir /home/user --setenv USER user --setenv USERNAME user --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl --setenv XDG_RUNTIME_DIR /run/user/1000 --setenv LANG en_US.UTF-8 --setenv DBUS_SESSION_BUS_ADDRESS unix:path=/run/user/1000/bus --bind /run/user/1000/bubblejail/chromium/dbus_session_proxy /run/user/1000/bus --setenv XDG_SESSION_DESKTOP Hyprland --setenv XDG_CURRENT_DESKTOP Hyprland --setenv XDG_SESSION_TYPE wayland --setenv GDK_BACKEND wayland --setenv MOZ_DBUS_REMOTE 1 --setenv MOZ_ENABLE_WAYLAND 1 --setenv WAYLAND_DISPLAY wayland-0 --bind /run/user/1000/wayland-1 /run/user/1000/wayland-0 --ro-bind /home/user/.config/kdeglobals /home/user/.config/kdeglobals --ro-bind /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf --share-net --bind /run/user/1000/pulse/native /run/user/1000/pulse/native --bind /home/user/Downloads /home/user/Downloads --bind /home/user/.config/chromium /home/user/.config/chromium --bind /home/user/.config/chromium-flags.conf /home/user/.config/chromium-flags.conf --bind /home/user/.config/fontconfig /home/user/.config/fontconfig --symlink /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/drm/card1 /sys/dev/char/226:1 --dev-bind /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 --symlink /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/drm/renderD128 /sys/dev/char/226:128 --dev-bind /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0 --dev-bind /dev/dri /dev/dri --ro-bind /run/user/1000/pipewire-0 /run/user/1000/pipewire-0 --seccomp 7 --bind /run/user/1000/bubblejail/chromium/dbus_system_proxy /var/run/dbus/system_bus_socket --bind /run/user/1000/bubblejail/chromium/dbus_system_proxy /run/dbus/system_bus_socket --info-fd 11
Helper options:
/usr/lib/bubblejail/bubblejail-helper --helper-socket 6 --
Run args:

D-Bus session args:
xdg-dbus-proxy unix:path=/tmp/dbus-1j91GhBg5c,guid=9e290d800a356421a136f916669191ae /run/user/1000/bubblejail/chromium/dbus_session_proxy --fd=9 --call=org.freedesktop.Notifications=*@/org/freedesktop/Notifications --filter unix:path=/run/dbus/system_bus_socket /run/user/1000/bubblejail/chromium/dbus_system_proxy --filter
odomingao commented 1 month ago

There are still issues with nemo. After rebooting, it refuses to launch. Putting it on complain, launching it once and then switching to enforce mode allows the program to run (which is why I thought it was fixed in my last comment; I tested on enforce after having it on complain). Also, there are issues with opening files from inside nemo (images, videos), and there are some protected folders that it cannot access, such as "~/.mozilla" (not sure if this is intended).

apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="nemo" name="dev/tty1"  comm="nemo" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="DENIED" operation="file_inherit" class="file" profile="nemo" name="/dev/tty1"  comm="nemo" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="nemo" name="apparmor/.null"  comm="nemo" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
apparmor="DENIED" operation="ptrace" class="ptrace" profile="dbus-accessibility"  comm="dbus-daemon" requested_mask="read" denied_mask="read" peer="nemo"
apparmor="ALLOWED" operation="file_inherit" class="file" profile="nemo" name="/dev/tty1"  comm="nemo" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="chmod" class="file" profile="nemo" name="/var/cache/fontconfig/"  comm="nemo" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="exec" class="file" profile="nemo" name="/usr/lib/gio-launch-desktop"  comm="nemo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="nemo//null-/usr/lib/gio-launch-desktop"
apparmor="ALLOWED" operation="file_inherit" class="file" profile="nemo//null-/usr/lib/gio-launch-desktop" name="/dev/tty1"  comm="gio-launch-desk" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="file_mmap" class="file" profile="nemo//null-/usr/lib/gio-launch-desktop" name="/usr/lib/gio-launch-desktop"  comm="gio-launch-desk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="exec" class="file" profile="nemo//null-/usr/lib/gio-launch-desktop" name="/usr/bin/imv"  comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="nemo//null-/usr/lib/gio-launch-desktop//null-/usr/bin/imv"
apparmor="DENIED" operation="chmod" class="file" profile="nemo" name="/var/cache/fontconfig/"  comm="nemo" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="nemo" name="/usr/lib/gio-launch-desktop"  comm="nemo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

edit: seems like the xdg-mime profile prevents pasting things that were copied with wl-copy. Placing the profile in complain solves the issue, but it doesn't generate further logs.

apparmor="DENIED" operation="exec" class="file" profile="xdg-mime" name="/usr/bin/vendor_perl/mimetype"  comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/usr/bin/vendor_perl/mimetype"  comm="xdg-mime" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-jaMviS/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="file_inherit" class="file" profile="xdg-mime" name="/dev/tty1"  comm="xdg-mime" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-T1bkyd/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-KIAK2X/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-BSpm3M/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-12Fqb9/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="file_inherit" class="file" profile="xdg-mime" name="/dev/tty1"  comm="xdg-mime" requested_mask="ra" denied_mask="ra" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-qJvP0G/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="file_mmap" class="file" profile="xdg-mime//null-/usr/bin/dbus-send" name="/usr/bin/dbus-send"  comm="dbus-send" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-MvNA3S/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-V3zSP7/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
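The denials quoted in the two comments above are of several different kinds, and they do not all call for the same fix. A name without a leading slash together with info="Failed name lookup - disconnected path" means the kernel could not resolve the file relative to the profile's namespace root (typically a descriptor inherited from outside a new mount namespace), so no path rule will ever match it; a profile of the form nemo//null-/usr/lib/gio-launch-desktop is a complain-mode placeholder for a child that had no transition rule, not a real profile; ptrace events name a peer rather than a path. The triage script below is an added example, not code from apparmor.d or from either commenter: it parses the key=value audit format, classifies each event, and drafts rule skeletons only for the plain file and ptrace cases. The sample lines are abbreviated copies of events pasted above; the drafted rules are starting points for review, not rules from the project.

```python
import re
from collections import Counter

# Constructed sample: abbreviated audit events copied from the comments above.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_inherit" class="file" info="Failed name lookup - disconnected path" error=-13 profile="nemo" name="dev/tty1"  comm="nemo" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="DENIED" operation="exec" class="file" profile="nemo" name="/usr/lib/gio-launch-desktop"  comm="nemo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
apparmor="DENIED" operation="ptrace" class="ptrace" profile="dbus-accessibility"  comm="dbus-daemon" requested_mask="read" denied_mask="read" peer="nemo"
apparmor="ALLOWED" operation="exec" class="file" profile="nemo//null-/usr/lib/gio-launch-desktop" name="/usr/bin/imv"  comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="nemo//null-/usr/lib/gio-launch-desktop//null-/usr/bin/imv"
apparmor="DENIED" operation="open" class="file" profile="xdg-mime" name="/tmp/wl-copy-buffer-jaMviS/stdin"  comm="file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="chmod" class="file" profile="nemo" name="/var/cache/fontconfig/"  comm="nemo" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
"""

# key="quoted value with spaces" or key=bare_value (e.g. error=-13, fsuid=1000)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one audit line into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(ev):
    """Say which kind of policy change, if any, the event points at."""
    if "//null-" in ev.get("profile", ""):
        return "null-profile"   # complain-mode child: fix the parent's exec transition instead
    if "disconnected path" in ev.get("info", ""):
        return "disconnected"   # path unreachable from the namespace root: not a path-rule problem
    if ev.get("class") == "ptrace":
        return "ptrace"
    if ev.get("class") == "file" and ev.get("operation") == "exec":
        return "exec"
    if ev.get("class") == "file":
        return "file"
    return "other"


def suggest_rule(ev):
    """Draft a rule skeleton for the simple cases; None means manual review."""
    kind = classify(ev)
    if kind == "ptrace":
        return f"ptrace ({ev['requested_mask']}) peer={ev['peer']},"
    if kind == "file":
        # canonical permission order; only letters that are plain file perms
        mask = "".join(c for c in "rwalkm" if c in ev["requested_mask"])
        owner = "owner " if ev.get("fsuid") == ev.get("ouid") else ""
        return f"{owner}{ev['name']} {mask},"
    return None   # exec needs a transition mode decision; the rest are not path problems


def triage(log_text):
    """One (profile, mode, kind, draft rule) tuple per non-empty log line."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return [(ev["profile"], ev["apparmor"], classify(ev), suggest_rule(ev)) for ev in events]


def denials_per_profile(log_text):
    """Count enforce-mode denials by profile (ALLOWED lines are complain-mode noise)."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return Counter(ev["profile"] for ev in events if ev["apparmor"] == "DENIED")


if __name__ == "__main__":
    for profile, mode, kind, rule in triage(SAMPLE_LOG):
        print(f"{profile:45} {mode:8} {kind:13} {rule or '(review)'}")
    print(denials_per_profile(SAMPLE_LOG))
```

Two things fall out of running it against the pasted events. The random wl-copy-buffer-XXXXXX directory shows up as a literal path in the draft rule and has to be turned into a glob by hand, which is exactly the kind of step aa-logprof also leaves to a human. And the dev/tty1 lines are flagged as disconnected rather than given a rule: adding /dev/tty1 rw, would not change that outcome, because the lookup fails before the path is even compared against the profile.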
roddhjav commented 1 month ago

Regarding bubblejail, it requires special support (similar to what we have for flatpak), otherwise you will always get this kind of issue. Sadly I currently don't have time to work on this.

I need to investigate chromium. This very profile may not be needed anymore.

odomingao commented 6 days ago

Regarding gpg, would it be possible to add something like owner @{user_share_dirs}/torbrowser/gnupg_homedir/{,**} rwl, to the profile, so that it no longer breaks the Tor Browser?