Open Blad3forc3 opened 2 months ago
Hi @Blad3forc3 , thanks for reporting this issue! Could you try the Ubuntu 24.04 hotfix on the known issues list?
The bwrap file already has those contents inside. It still fails to create a wineprefix.
Are you using a distro based on Ubuntu 24.04? You can check this with `cat /etc/*-release`. Try to check if the issue is AppArmor: use `sudo systemctl stop apparmor` to see if that fixes it (it will go back to normal after a reboot).
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=24.04
DISTRIB_CODENAME=noble
DISTRIB_DESCRIPTION="Ubuntu 24.04 LTS"
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Tried disabling AppArmor.
Log file contents:
Installing icon...
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Writing grayscale image to "/media/ade/Temp/Temp/build/Antz-Extreme-Racing/icon/icon.grayscale.png"
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
Wine prefix does not exist, creating...
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: application: Antz-Extreme-Racing
I :: image: "/media/ade/Temp/Temp/build/wine.flatimage"
I :: prefix: "/media/ade/Temp/Temp/build/Antz-Extreme-Racing/wine"
I :: [e] :: bwrap: Creating new namespace failed: Permission denied
I :: Finished Command: '/media/ade/Temp/Temp/build/wine.flatimage fim-exec wine.sh winetricks fontsmooth=rgb'
Created wine prefix
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: key identifier: /tmp/selfgz4675/bin/gameimage-cli
I :: Generated message_queue key: 1092681910
I :: Message queue id: 26
I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ
I :: Open file '"/media/ade/Temp/Temp/build/Antz-Extreme-Racing/gameimage.json"' as READ
I :: Usage: search [--help] [--version] [--remote] [--ipc] query
I ::
I :: Search for installed [rom,core,bios,keys]
I ::
I :: Positional arguments:
I :: query
I ::
I :: Optional arguments:
I :: -h, --help shows help message and exits
I :: -v, --version prints version information and exits
I :: --remote Search for core on remote
I :: --ipc Sends data with Ipc, with the current binary path use to form key
I :: Directory '/media/ade/Temp/Temp/build/Antz-Extreme-Racing/wine/drive_c' does not exist
Any update on this, Ruan? Right now I can't make flatimages or run existing ones.
I'll be able to replicate the issue tomorrow. You could try to check if there is any conflict between profiles in your AppArmor folder; search for bwrap in it with `grep -rin "bwrap" /etc/apparmor.d/`.
The bwrap file already has those contents inside.
Is it exactly like the one in the README.md page? Don't forget the `sudo systemctl reload apparmor`, or a reboot, afterwards.
grep -rin "bwrap" /etc/apparmor.d/
/etc/apparmor.d/bwrap:7:profile bwrap //bwrap flags=(unconfined) {
/etc/apparmor.d/bwrap-userns-restrict:2:# bwrap to work on a system with user namespace restrictions
/etc/apparmor.d/bwrap-userns-restrict:4:# bwrap is allowed access to user namespaces and capabilities
/etc/apparmor.d/bwrap-userns-restrict:6:# capabilities, blocking bwrap from being able to be used to
/etc/apparmor.d/bwrap-userns-restrict:9:# Note: the bwrap child is stacked against the bwrap profile due to
/etc/apparmor.d/bwrap-userns-restrict:10:# bwraps use of no-new-privs
/etc/apparmor.d/bwrap-userns-restrict:20:profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
/etc/apparmor.d/bwrap-userns-restrict:37: allow px / -> bwrap//&unpriv_bwrap,
/etc/apparmor.d/bwrap-userns-restrict:42: include if exists <local/bwrap-userns-restrict>
/etc/apparmor.d/bwrap-userns-restrict:45:profile unpriv_bwrap flags=(attach_disconnected) {
/etc/apparmor.d/bwrap-userns-restrict:60: allow pix /** -> &unpriv_bwrap,
/etc/apparmor.d/bwrap-userns-restrict:67: include if exists <local/unpriv_bwrap>
The only contents in the bwrap file are exactly as in the README file.
Could you post the contents of `/etc/apparmor.d/bwrap-userns-restrict`?
# This profile allows almost everything and only exists to allow
# bwrap to work on a system with user namespace restrictions
# being enforced.
# bwrap is allowed access to user namespaces and capabilities
# within the user namespace, but its children do not have
# capabilities, blocking bwrap from being able to be used to
# arbitrarily by-pass the user namespace restrictions.
#
# Note: the bwrap child is stacked against the bwrap profile due to
# bwraps use of no-new-privs
# disabled by default as it can break some use cases on a system that
# doesn't have or has disable user namespace restrictions for unconfined
# use aa-enforce to enable it
abi <abi/4.0>,
include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
  allow capability,
  # not allow all, to allow for pix stack
  # sadly we have to allow m every where to allow children to work under
  # stacking.
  allow file rwlkm /{**,},
  allow network,
  allow unix,
  allow ptrace,
  allow signal,
  allow mqueue,
  allow io_uring,
  allow userns,
  allow mount,
  allow umount,
  allow pivot_root,
  allow dbus,
  allow px /** -> bwrap//&unpriv_bwrap,

  # the local include should not be used without understanding the userns
  # restriction.
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap-userns-restrict>
}

profile unpriv_bwrap flags=(attach_disconnected) {
  # not allow all, to allow for pix stack
  allow file rwlkm /{**,},
  allow network,
  allow unix,
  allow ptrace,
  allow signal,
  allow mqueue,
  allow io_uring,
  allow userns,
  allow mount,
  allow umount,
  allow pivot_root,
  allow dbus,
  allow pix /** -> &unpriv_bwrap,

  audit deny capability,

  # the local include should not be used without understanding the userns
  # restriction.
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/unpriv_bwrap>
}
Try to move this file somewhere else with `sudo mv /etc/apparmor.d/bwrap-userns-restrict ~/bwrap-userns-restrict`, reload AppArmor with `sudo systemctl reload apparmor`, and please check if that fixes the issue.
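A way to make the two checks suggested in this thread repeatable before moving any files. This is an added example, not code from gameimage or bubblewrap. It lists AppArmor profile names that are declared in more than one file under a profile directory (the situation the grep output above shows, where both `/etc/apparmor.d/bwrap` and `/etc/apparmor.d/bwrap-userns-restrict` declare a profile named `bwrap`), reports the Ubuntu 24.04 `kernel.apparmor_restrict_unprivileged_userns` sysctl when the kernel has it, and runs a minimal bwrap user-namespace test. The profile-header pattern it parses (`profile NAME [ATTACHMENT] [flags=(...)] {`) is an assumption based on the headers quoted in this thread.

```shell
#!/bin/sh
# Added diagnostic for "bwrap: Creating new namespace failed: Permission denied".
# Not part of gameimage or bubblewrap; written for this thread as an example.

# Print every profile name declared in more than one file under DIR, one per
# line, as "<name> <file> <file> ...". Assumes headers of the form
# "profile NAME ..." at the start of a (possibly indented) line; commented-out
# headers ("# profile ...") are ignored.
find_duplicate_profiles() {
    dir="$1"
    grep -rHE '^[[:space:]]*profile[[:space:]]+[^[:space:]{]+' "$dir" 2>/dev/null \
        | sed -E 's/^([^:]+):[[:space:]]*profile[[:space:]]+([^[:space:]{]+).*/\2 \1/' \
        | sort -u \
        | awk '{ files[$1] = files[$1] " " $2; n[$1]++ }
               END { for (p in n) if (n[p] > 1) print p files[p] }' \
        | sort
}

# Report the kernel-side user namespace restriction. Prints "1" (unprivileged
# user namespaces restricted to profiles that allow them), "0" (unrestricted),
# or "absent" when this kernel does not expose the sysctl at all.
userns_restriction_state() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Functional check: can bwrap create a user namespace on this host? Returns 0
# on success, 1 when it fails or when bwrap is not installed.
bwrap_userns_works() {
    command -v bwrap >/dev/null 2>&1 || return 1
    bwrap --unshare-user --ro-bind / / true >/dev/null 2>&1
}

main() {
    profile_dir="${1:-/etc/apparmor.d}"
    echo "kernel.apparmor_restrict_unprivileged_userns: $(userns_restriction_state)"
    dups=$(find_duplicate_profiles "$profile_dir")
    if [ -n "$dups" ]; then
        echo "profiles declared in more than one file under $profile_dir:"
        echo "$dups"
    else
        echo "no duplicate profile names under $profile_dir"
    fi
    if bwrap_userns_works; then
        echo "bwrap --unshare-user: OK"
    else
        echo "bwrap --unshare-user: FAILED (or bwrap not installed)"
    fi
}

main "$@"
```

Run it before and after moving or reloading a profile; the duplicate list is the part worth pasting into a bug report, since the maintainer's suggestion above is precisely to look for such a conflict. The sysctl line tells you whether the restriction is enforced by the kernel at all, which separates "no profile allows it" from "nothing is restricting it and the failure lies elsewhere".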
Moved the file and ran `sudo systemctl reload apparmor`, and I'm still getting the bwrap error when creating the wineprefix.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04 LTS
Release:        24.04
Codename:       noble
I have found a workaround for the bwrap error: https://github.com/containers/bubblewrap/issues/632. I'll paste the comment here:
If I could just leave one final note for anyone that wants to try the fix, the following commands seem to work:
sudo add-apt-repository ppa:apparmor-dev/apparmor-sru
sudo apt update
sudo apt install apparmor
After upgrading apparmor this way, I can now create a wineprefix in gameimage again.
Thanks for the workaround @Blad3forc3, I included it in the README.md page.
Might have to reopen this problem. I've not installed any updates, but the problem has returned.
Very very odd is this
The only way I have found to get around this is to disable AppArmor completely by adding `apparmor=0` to the `GRUB_CMDLINE_LINUX_DEFAULT` line in the GRUB config, then running `sudo update-grub` and rebooting.
Thanks for the update, let's wait for the bubblewrap (Ubuntu) status to change to "Fix Released" to see if that helps.
Just started getting this error again when creating a wineprefix in gameimage:
I :: [e] :: bwrap: Creating new namespace failed: Permission denied