Flatpak apps do not work #600

Open
megatux opened this issue Oct 20, 2024 · 23 comments · Fixed by elementary/os#735 · May be fixed by elementary/os#738

@megatux

megatux commented Oct 20, 2024

What Happened?

I'm on the Demo session of the daily build ISOs. This happens in all daily images I have tried for about 2 or 3 weeks.

$ flatpak run io.elementary.calculator
bwrap: Creating new namespace failed: Permission denied
error: Fallo al sincronizar con el proxy de dbus

The workaround I found is to chmod u+s /usr/bin/bwrap

Steps to Reproduce

Click on any flatpak app or flatpak run ... command.

Expected Behavior

apps should run

OS Version

8.x (Early Access)

Session Type

Classic Session (X11, This is the default)

Software Version

Latest release (I have run all updates)

Log Output

No response

Hardware Info

Acer laptop Nitro5, Intel integrated + NVIDIA GTX 1650

@danirabbit danirabbit transferred this issue from elementary/installer Oct 21, 2024
@teamcons

Huh. Didn't meet that one.
Have you tried on a release candidate?

Does entering this in a console fix it (with or without sudo)?

chmod u+s /usr/bin/bwrap

@megatux
Author

megatux commented Oct 27, 2024

With sudo, of course.
A release candidate? Hmm, hard to be 100% sure, I have tried one or two RCs besides daily builds.
I could try with the latest one (elementaryos-8.0-stable.20241025rc.iso was built Fri, 25 Oct 2024).
BTW, is there a way to start demo session with Wayland compositor instead of X?

@megatux
Author

megatux commented Nov 4, 2024

Just tried with 10-3 daily build and the issue is still present.

@teamcons

teamcons commented Nov 11, 2024

I can reproduce the issue

@teamcons

Another user in Discussions has the issue, this is the list of apps and whether they launch or not:

App Center - launches
Calendar - launches
Code - launches
Feedback - launches
Files - launches
GParted - launches
Install Elementary OS - launches
Mail - launches
Multitasking View - launches
Photos - launches
Shortcuts - launches
System Settings - launches
Tasks - launches
Terminal - launches

Calculator - does not
Camera - does not
Document Viewer - does not
Music - does not
Screenshot - does not
Videos - does not
Web - does not

Moving the list here so it is kinda centralized

@vjr
Member

vjr commented Nov 12, 2024

Could this have anything to do with the AppArmor issue where it prevents some apps from running? Someone want to try to disable AppArmor temporarily and see if the apps start working?

@teamcons

I found this, which supposedly kinda fixes the issue. Needs digging down. If upstream is fine with the issue, maybe something like this could be a solution

https://etbe.coker.com.au/2024/04/24/ubuntu-24-04-bubblewrap/

@vjr
Member

vjr commented Nov 12, 2024

OK if it really is this AppArmor issue - then perhaps the ISO build should include specific profiles for each built-in app that is not opening? Instead of a broader loosening of permissions?

@teamcons

teamcons commented Nov 12, 2024

We could. I don't know if that would be reliable, though, because bwrap could act up later/on later builds/for other people for those which seem to work. From memory, I borked the UEFI and needed to rely on Web in Demo Mode for the steps to unbork it, and it ran fine

Also the demo is not intended to be used for anything sensitive. It is what people will use to test eOS. If some apps randomly do not work, users could decide to drop the distro/not support. With 8 around the corner it feels like there's not much time to avoid this happening.

I'm not at home, cannot check now, but could you check whether you have The Issue reproducing like the list above?

@vjr
Member

vjr commented Nov 12, 2024

I'm not at home, cannot check now, but could you check whether you have The Issue reproducing like the list above?

Yep I can repro this.

@teamcons

Where should the issue go? For the PR to add AppArmor profiles? https://github.com/elementary/os?
I can look up how to do profiles and do one for all of the faulty ones but I don't know where I should commit them
nor why that happens

@danirabbit
Member

We probably should ship the profiles with each affected package. So in the deb-packaging branch of each repo. If you have working profiles and just don’t know where to put them feel free to dump them in the comments here and someone else can figure out how to install them. Thanks for looking into this!

@ryonakano

Could this have anything to do with the AppArmor issue where it prevents some apps from running?

I believe this is surely related to AppArmor. The journal when trying to launch Web on the live image says:

[Image: Screenshot from 2024-11-20 21-03-20]

@ryonakano

Looks like the AppArmor profile for bwrap is included in the apparmor-profiles package. Running the following two commands launches Web successfully on the OS 8 RC live image:

sudo apt install apparmor-profiles
sudo apparmor_parser -r /usr/share/apparmor/extra-profiles/bwrap-userns-restrict

@teamcons

Why does this issue not appear on an installed system?

@vjr
Member

vjr commented Nov 20, 2024

Why does this issue not appear on an installed system?

Not sure, just a guess that perhaps the seeds repo needs to include the package apparmor-profiles in the live file there?

But question still remains - maybe Ubuntu noble desktop image already has the package included but not for live packages?

@danirabbit
Member

Created a branch to pull apparmor-profiles into live seeds: elementary/seeds#136

and to add a new live hook to configure the bubblewrap profile: elementary/os#735

@danirabbit
Member

@vjr afaict it isn't installed on the actual system. According to https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor/profiles/extras/bwrap-userns-restrict this profile basically removes all restrictions from bubblewrap

tbh we might want to do this on the installed system as well if it fixes flatpak apps not opening in the guest session

@teamcons

if it doesn't introduce security issues...

@danirabbit
Member

Flatpak apps in bubblewrap are already sandboxed so I'm actually not sure why they are additionally sandboxing bubblewrap itself with apparmor

@github-project-automation github-project-automation bot moved this from Confirmed to Recently fixed in OS 8 Bugfix table Nov 20, 2024
@danirabbit
Member

Just waiting for this to publish and then we can trigger a build and make sure it was fixed https://code.launchpad.net/~elementary-os/+archive/ubuntu/daily/+packages?field.name_filter=meta&field.status_filter=published&field.series_filter=noble

@danirabbit danirabbit reopened this Nov 21, 2024
@github-project-automation github-project-automation bot moved this from Recently fixed to Confirmed in OS 8 Bugfix table Nov 21, 2024
@danirabbit danirabbit linked a pull request Nov 21, 2024 that will close this issue
@danirabbit
Member

Whelp, the hook errors. There's probably something I'm missing here but I don't know enough about how hooks work in the build system or about apparmor tbh

Reverted and drafted elementary/os#738

@danirabbit danirabbit moved this from Confirmed to In Progress in OS 8 Bugfix table Nov 21, 2024
@danirabbit danirabbit moved this from In Progress to Confirmed in OS 8 Bugfix table Nov 21, 2024
@eric0001

eric0001 commented Dec 9, 2024

I have fixed this issue as described here temporarily in the live X11 session by typing in the terminal the following command:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
and permanently by creating a configuration file /etc/sysctl.d/20-apparmor-donotrestrict.conf with the content:
kernel.apparmor_restrict_unprivileged_userns = 0
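
The workarounds in this thread differ in scope: the sysctl switches the user-namespace restriction off for every program, while the setuid bit and the loaded profile affect bwrap only. The following script is an added example, not part of any comment or of the project's code, that reports which of those states a host is in; the function name, the verdict strings and the assumption that the `bwrap-userns-restrict` file defines a profile named `bwrap` are this example's own.

```shell
#!/bin/sh
# Added example: classify a host against the bwrap workarounds discussed in this issue.
# All paths are parameters so the logic can be run against constructed files.

# bwrap_userns_state SYSCTL_FILE PROFILES_FILE BWRAP_BINARY
# Prints exactly one verdict:
#   restriction-off  sysctl is absent or not 1: this AppArmor restriction is not
#                    active for any program on the host (broadest setting)
#   setuid-bwrap     restriction on, but the bwrap binary has the setuid bit set
#   bwrap-profile    restriction on, and a profile named "bwrap" is loaded
#   blocked          restriction on, no profile, no setuid bit: the state in which
#                    bwrap reports "Creating new namespace failed"
bwrap_userns_state() {
    sysctl_file=$1 profiles_file=$2 bwrap_bin=$3
    restrict=0
    if [ -r "$sysctl_file" ]; then
        restrict=$(tr -d '[:space:]' < "$sysctl_file")
    fi
    if [ "$restrict" != "1" ]; then
        echo restriction-off
        return 0
    fi
    if [ -u "$bwrap_bin" ]; then
        echo setuid-bwrap
        return 0
    fi
    # Loaded profiles are listed one per line as "name (mode)".
    # Assumption: the profile shipped in bwrap-userns-restrict is named "bwrap".
    if [ -r "$profiles_file" ] && grep -q '^bwrap (' "$profiles_file"; then
        echo bwrap-profile
        return 0
    fi
    echo blocked
}

# Audit the running system. Reading the loaded-profile list normally needs root;
# without it a loaded profile is not seen and the verdict falls through to "blocked".
bwrap_userns_state /proc/sys/kernel/apparmor_restrict_unprivileged_userns \
    /sys/kernel/security/apparmor/profiles /usr/bin/bwrap
```

Run it with sudo on the live session before and after applying a workaround to confirm which one actually took effect.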
