bwrap error again

[Blad3forc3]

Just started getting this error again when creating a wineprefix in gameimage

I :: [e] :: bwrap: Creating new namespace failed: Permission denied

[ruanformigoni]

Hi @Blad3forc3 , thanks for reporting this issue! Could you try the Ubuntu 24.04 hotfix on the known issues list?

[Blad3forc3]

the bwrap file already has those contents inside. It still fails creating a wineprefix

[ruanformigoni]

Are you using a distro base on ubuntu 24.04? You can check this with cat /etc/*-release. Try to check if the issue is apparmor, use sudo systemctl stop apparmor to see if that fixes it (it will go back to normal after a reboot).

[Blad3forc3]

DISTRIB_ID=Ubuntu DISTRIB_RELEASE=24.04 DISTRIB_CODENAME=noble DISTRIB_DESCRIPTION="Ubuntu 24.04 LTS" PRETTY_NAME="Ubuntu 24.04 LTS" NAME="Ubuntu" VERSION_ID="24.04" VERSION="24.04 LTS (Noble Numbat)" VERSION_CODENAME=noble ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=noble LOGO=ubuntu-logo

Tried disabling apparmor

log files contents

Installing icon... I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Writing grayscale image to "/media/ade/Temp/Temp/build/Antz-Extreme-Racing/icon/icon.grayscale.png" I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ Wine prefix does not exist, creating... I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: application: Antz-Extreme-Racing I :: image: "/media/ade/Temp/Temp/build/wine.flatimage" I :: prefix: "/media/ade/Temp/Temp/build/Antz-Extreme-Racing/wine" I :: [e] :: bwrap: Creating new namespace failed: Permission denied I :: Finished Command: '/media/ade/Temp/Temp/build/wine.flatimage fim-exec wine.sh winetricks fontsmooth=rgb' Created wine prefix I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: key identifier: /tmp/selfgz4675/bin/gameimage-cli I :: Generated message_queue key: 1092681910 I :: Message queue id: 26 I :: Open file '"/media/ade/Temp/Temp/build/gameimage.json"' as READ I :: Open file '"/media/ade/Temp/Temp/build/Antz-Extreme-Racing/gameimage.json"' as READ I :: Usage: search [--help] [--version] [--remote] [--ipc] query I :: I :: Search for installed [rom,core,bios,keys] I :: I :: Positional arguments: I :: query
I :: I :: Optional arguments: I :: -h, --help shows help message and exits I :: -v, --version prints version information and exits I :: --remote Search for core on remote I :: --ipc Sends data with Ipc, with the current binary path use to form key I :: Directory '/media/ade/Temp/Temp/build/Antz-Extreme-Racing/wine/drive_c' does not exist

[Blad3forc3]

Any update on this Ruan? Right now I cant make flatimages or run exisiting ones

[ruanformigoni]

I'll be able to replicate the issue tomorrow. You could try to check if there is any conflict between profiles in your apparmor folder, search for bwrap in it with grep -rin "bwrap" /etc/apparmor.d/.

the bwrap file already has those contents inside

Is it exactly like the one in the README.md page?

Don't forget the sudo systemctl reload apparmor or a reboot, afterwards.

[Blad3forc3]

grep -rin "bwrap" /etc/apparmor.d/ /etc/apparmor.d/bwrap:7:profile bwrap //bwrap flags=(unconfined) { /etc/apparmor.d/bwrap-userns-restrict:2:# bwrap to work on a system with user namespace restrictions /etc/apparmor.d/bwrap-userns-restrict:4:# bwrap is allowed access to user namespaces and capabilities /etc/apparmor.d/bwrap-userns-restrict:6:# capabilities, blocking bwrap from being able to be used to /etc/apparmor.d/bwrap-userns-restrict:9:# Note: the bwrap child is stacked against the bwrap profile due to /etc/apparmor.d/bwrap-userns-restrict:10:# bwraps use of no-new-privs /etc/apparmor.d/bwrap-userns-restrict:20:profile bwrap /usr/bin/bwrap flags=(attach_disconnected) { /etc/apparmor.d/bwrap-userns-restrict:37: allow px / -> bwrap//&unpriv_bwrap, /etc/apparmor.d/bwrap-userns-restrict:42: include if exists <local/bwrap-userns-restrict> /etc/apparmor.d/bwrap-userns-restrict:45:profile unpriv_bwrap flags=(attach_disconnected) { /etc/apparmor.d/bwrap-userns-restrict:60: allow pix /** -> &unpriv_bwrap, /etc/apparmor.d/bwrap-userns-restrict:67: include if exists <local/unpriv_bwrap>

the only contents in the bwrap file are exactly as the readme file

[ruanformigoni]

Could you post the contents of /etc/apparmor.d/bwrap-userns-restrict?

[Blad3forc3]

# This profile allows almost everything and only exists to allow
# bwrap to work on a system with user namespace restrictions
# being enforced.
# bwrap is allowed access to user namespaces and capabilities
# within the user namespace, but its children do not have
# capabilities, blocking bwrap from being able to be used to
# arbitrarily by-pass the user namespace restrictions.
#
# Note: the bwrap child is stacked against the bwrap profile due to
# bwraps use of no-new-privs

# disabled by default as it can break some use cases on a system that
# doesn't have or has disable user namespace restrictions for unconfined
# use aa-enforce to enable it

abi <abi/4.0>,

include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
  allow capability,
  # not allow all, to allow for pix stack
  # sadly we have to allow  m every where to allow children to work under
  # stacking.
  allow file rwlkm /{**,},
  allow network,
  allow unix,
  allow ptrace,
  allow signal,
  allow mqueue,
  allow io_uring,
  allow userns,
  allow mount,
  allow umount,
  allow pivot_root,
  allow dbus,
  allow px /** -> bwrap//&unpriv_bwrap,

  # the local include should not be used without understanding the userns
  # restriction.
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap-userns-restrict>
}

profile unpriv_bwrap flags=(attach_disconnected) {
  # not allow all, to allow for pix stack
  allow file rwlkm /{**,},
  allow network,
  allow unix,
  allow ptrace,
  allow signal,
  allow mqueue,
  allow io_uring,
  allow userns,
  allow mount,
  allow umount,
  allow pivot_root,
  allow dbus,

  allow pix /** -> &unpriv_bwrap,

  audit deny capability,

  # the local include should not be used without understanding the userns
  # restriction.
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/unpriv_bwrap>
}

[ruanformigoni]

Try to move this file somewhere else, sudo mv /etc/apparmor.d/bwrap-userns-restrict ~/bwrap-userns-restrict, reload apparmor sudo systemctl reload apparmor and please check if that fixes the issue.

[Blad3forc3]

moved the file and run sudo systemctl reload apparmor and still getting the bwrap error when creating the wineprefix

[Blad3forc3]

Distributor ID: Ubuntu Description: Ubuntu 24.04 LTS Release: 24.04 Codename: noble

[Blad3forc3]

I have found a workaround for the bwrap error

https://github.com/containers/bubblewrap/issues/632

I'll paste the comment here

If I could just leave one final note for anyone that wants to try the fix, the following commands seem to work:

sudo add-apt-repository ppa:apparmor-dev/apparmor-sru sudo apt update sudo apt install apparmor

After upgrading this apparmor i can now create a wineprefix in gameimage again

[ruanformigoni]

Thanks for the workaround @Blad3forc3, I included it in the README.md page.

[Blad3forc3]

Might have to reopen this problem. Ive not installed any updates but the problem has returned.

Very very odd is this

The only way i have found to get around this is to disable apparmor completely by adding apparmor=0 to the grub line GRUB_CMDLINE_LINUX_DEFAULT apparmor=0

sudo update-grub and reboot

[ruanformigoni]

Thanks for the update, let's wait for the bubblewrap (Ubuntu) status to change to "Fix Released" to see if that helps.