Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: Flatpak does not keep the settings

  1. #11
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: Flatpak does not keep the settings

    This is mine .deb on buntu:
    Code:
    apt policy qbittorrent
    qbittorrent:
      Installed: 4.6.5-1
      Candidate: 4.6.5-1
      Version table:
     *** 4.6.5-1 500
            500 http://archive.ubuntu.com/ubuntu oracular/universe amd64 Packages
            100 /var/lib/dpkg/status

    Now to install it
    Code:
     flatpak install qbittorrent
    Looking for matches…
    Remotes found with refs similar to ‘qbittorrent’:
    
       1) ‘flathub’ (system)
       2) ‘flathub-beta’ (system)
    
    Which do you want to use (0 to abort)? [0-2]:
    I took the stable 1)
    permissions on mine:
    Code:
    org.qbittorrent.qBittorrent permissions:
        ipc                        network     fallback-x11       wayland
        x11                        dri         file access [1]    dbus access [2]
        system dbus access [3]
    
        [1] host, xdg-config/kdeglobals:ro
        [2] com.canonical.AppMenu.Registrar, org.freedesktop.Notifications,
            org.freedesktop.PowerManagement, org.gnome.SessionManager,
            org.kde.KGlobalSettings, org.kde.StatusNotifierWatcher,
            org.kde.kconfig.notify
        [3] org.freedesktop.UPower, org.freedesktop.login1
    With what I wanted to see from yours mine is:
    Code:
    flatpak run org.qbittorrent.qBittorrent
    Gtk-Message: 14:53:22.752: Failed to load module "xapp-gtk3-module"
    _IceTransSocketINETConnect() no usable address for me-Legion-5-zfs:38069
    Qt: Session management error: Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed
    QFSFileEngine::open: No file name specified
    QFSFileEngine::open: No file name specified
    I set my settings now and will reopen qBittorrent, and I find the same behavior you see>>> Settings not Saved. Grrr! Even the .deb has changed back to default settings.

    I'm going to file a bug report on flatpak, but don't hold your breath Canonical will do anything to promote their snapd and snaps.
    Last edited by #&thj^%; July 13th, 2024 at 10:08 PM.

  2. #12
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: Flatpak does not keep the settings

    Bug Filed here: https://bugs.launchpad.net/ubuntu/+s...k/+bug/2073041

    Add yourself to it, helps when others are effected.

  3. #13
    Join Date
    Jul 2024
    Beans
    10

    Re: Flatpak does not keep the settings

    Thanks to colleagues on other forums, I managed to solve my problem. I don't understand much about the technicalities of the thing but it's working as expected now.

    in short, for a beginner like me, I installed:
    sudo apt install apparmor-utils

    them:
    sudo aa-disable /usr/bin/bwrap


    ​​​​​​​Source: https://bugs.launchpad.net/ubuntu/+s...r/+bug/2072811

  4. #14
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: Flatpak does not keep the settings

    Yeah I'm not going to be doing that anytime soon. But you are free to run it however you see fit.

    Ubuntu has changed the Ubuntu 24.04 kernel so that programs like bubblewrap are not allowed to create a new user namespace unless they are given an AppArmor profile that contains the userns permission. This is their choice, and if it's causing a problem for you, please report it to them. Changes in bubblewrap are not going to solve this.

    EDIT: My thoughts, What they are doing instead is adding a profile for each program that uses bubblewrap, including Flatpak, Steam, nautilus/GNOME Files (via libgnome-desktop), epiphany/GNOME Web (via WebKitGTK) and so on, as well as adding a profile for each program that does not use bubblewrap but does similar things a different way, such as Firefox and Chrome. If you are using some different program that invokes bwrap - for example mkosi - my understanding is that they would tell you to add a profile for that program instead of a profile for bwrap.

    I personally think their stated reasoning is flawed: they say that the reason is that giving bwrap a profile like this would allow for an arbitrary bypass of their restriction, but programs like the ones for which they are adding profiles are not designed to impose a security boundary that distrusts their caller either, so it's straightforward for an unprivileged user to bypass their restriction anyway. But I didn't design their security model, and what they choose to do in their distro is not my decision.

    EDIT2: I also run apparmor on Arch or Arch Based systems but I don't see settings not being saved....This is on Ubuntu where the settings are not preserved.
    Last edited by #&thj^%; July 14th, 2024 at 10:51 PM.

  5. #15
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: Flatpak does not keep the settings

    This is how it now reads:>>in "/etc/apparmor.d/bwrap-userns-restrict"
    Code:
    # This profile allows almost everything and only exists to allow
    # bwrap to work on a system with user namespace restrictions
    # being enforced.
    # bwrap is allowed access to user namespaces and capabilities
    # within the user namespace, but its children do not have
    # capabilities, blocking bwrap from being able to be used to
    # arbitrarily by-pass the user namespace restrictions.
    #
    # Note: the bwrap child is stacked against the bwrap profile due to
    # bwraps use of no-new-privs
    
    # disabled by default as it can break some use cases on a system that
    # doesn't have or has disable user namespace restrictions for unconfined
    # use aa-enforce to enable it
    
    abi <abi/4.0>,
    
    include <tunables/global>
    
    profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
      allow capability,
      # not allow all, to allow for pix stack
      # sadly we have to allow  m every where to allow children to work under
      # stacking.
      allow file rwlkm /{**,},
      allow network,
      allow unix,
      allow ptrace,
      allow signal,
      allow mqueue,
      allow io_uring,
      allow userns,
      allow mount,
      allow umount,
      allow pivot_root,
      allow dbus,
      allow px /** -> bwrap//&unpriv_bwrap,
    
      # the local include should not be used without understanding the userns
      # restriction.
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/bwrap-userns-restrict>
    }
    
    profile unpriv_bwrap flags=(attach_disconnected) {
      # not allow all, to allow for pix stack
      allow file rwlkm /{**,},
      allow network,
      allow unix,
      allow ptrace,
      allow signal,
      allow mqueue,
      allow io_uring,
      allow userns,
      allow mount,
      allow umount,
      allow pivot_root,
      allow dbus,
    
      allow pix /** -> &unpriv_bwrap,
    
      audit deny capability,
    
      # the local include should not be used without understanding the userns
      # restriction.
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/unpriv_bwrap>
    }
    They are now working on a fix to apparmor 14 Hrs Ago, I would advise to just wait for it to come in.
    Robie Basak (racb) wrote 14 hours ago: #19

    Due to the "really" version bump, Oracular will also require a bump before it is released, unless a 4.0.2 or similar upload happens in Oracular first. Setting tasks accordingly.
    Changed in apparmor (Ubuntu Noble):
    status: New → Triaged
    importance: Undecided → Critical
    Changed in apparmor (Ubuntu Oracular):
    importance: Critical → High

  6. #16
    Join Date
    Jul 2024
    Beans
    10

    Smile Re: Flatpak does not keep the settings

    Quote Originally Posted by 1fallen View Post
    Yeah I'm not going to be doing that anytime soon. But you are free to run it however you see fit.

    Ubuntu has changed the Ubuntu 24.04 kernel so that programs like bubblewrap are not allowed to create a new user namespace unless they are given an AppArmor profile that contains the userns permission. This is their choice, and if it's causing a problem for you, please report it to them. Changes in bubblewrap are not going to solve this.

    EDIT: My thoughts, What they are doing instead is adding a profile for each program that uses bubblewrap, including Flatpak, Steam, nautilus/GNOME Files (via libgnome-desktop), epiphany/GNOME Web (via WebKitGTK) and so on, as well as adding a profile for each program that does not use bubblewrap but does similar things a different way, such as Firefox and Chrome. If you are using some different program that invokes bwrap - for example mkosi - my understanding is that they would tell you to add a profile for that program instead of a profile for bwrap.

    I personally think their stated reasoning is flawed: they say that the reason is that giving bwrap a profile like this would allow for an arbitrary bypass of their restriction, but programs like the ones for which they are adding profiles are not designed to impose a security boundary that distrusts their caller either, so it's straightforward for an unprivileged user to bypass their restriction anyway. But I didn't design their security model, and what they choose to do in their distro is not my decision.

    EDIT2: I also run apparmor on Arch or Arch Based systems but I don't see settings not being saved....This is on Ubuntu where the settings are not preserved.

    Could you tell me the command to revert the change described? I tried "sudo aa-enable /usr/bin/bwrap" but it returned error

  7. #17
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: Flatpak does not keep the settings

    Quote Originally Posted by flokosx View Post
    Could you tell me the command to revert the change described? I tried "sudo aa-enable /usr/bin/bwrap" but it returned error
    Show me the error please:

    I would probably use something like:
    Code:
    sudo aa-enforce /usr/bin/bwrap
    Setting /usr/bin/bwrap to enforce mode.
    Warning: profile bwrap represents multiple programs
    Last edited by #&thj^%; July 21st, 2024 at 01:00 AM.

  8. #18
    Join Date
    Jul 2024
    Beans
    10

    Re: Flatpak does not keep the settings

    Quote Originally Posted by 1fallen View Post
    Show me the error please:

    I would probably use something like:
    Code:
    sudo aa-enforce /usr/bin/bwrap
    Setting /usr/bin/bwrap to enforce mode.
    Warning: profile bwrap represents multiple programs
    sudo aa-enforce /usr/bin/bwrap return a error:


    Traceback (most recent call last):

    File "/usr/sbin/aa-enforce", line 33, in <module>
    tool.cmd_enforce()
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce
    for (program, prof_filename, output_name) in self.get_next_for_modechange():
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange
    aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    TypeError: 'NoneType' object is not callable


    An unexpected error occurred!

    For details, see /tmp/apparmor-bugreport-j1uym2qs.txt
    Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
    and attach this file.


  9. #19
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: Flatpak does not keep the settings

    You just learned a valuable lesson, on running commands off or from the net you know nothing about....It happens though, and your not alone.

    I never ran the disable " /usr/bin/bwrap" so might be the difference, plus I'm on 24.10 now.
    Code:
    apt policy apparmor
    apparmor:
      Installed: 4.0.1-0ubuntu1
      Candidate: 4.0.1-0ubuntu1
      Version table:
     *** 4.0.1-0ubuntu1 500
            500 http://archive.ubuntu.com/ubuntu oracular/main amd64 Packages
            100 /var/lib/dpkg/status
    Code:
    sudo aa-status|grep bwrap
       bwrap
       unpriv_bwrap
    They are still working on fix, and may land in 2 weeks.
    John Johansen
    @jjohansen · 2 days ago
    Owner

    yes, it will be re-uploaded asap, but that does mean it going to take more than 2 weeks, as it first has to land in 24.10 going through proposed for 7 days and then at least another 7 days in 24.04 proposed.
    Last edited by #&thj^%; July 21st, 2024 at 05:58 PM.

  10. #20
    Join Date
    Jul 2024
    Beans
    10

    Re: Flatpak does not keep the settings

    Quote Originally Posted by 1fallen View Post
    You just learned a valuable lesson, on running commands off or from the net you know nothing about....It happens though, and your not alone.

    I never ran the disable " /usr/bin/bwrap" so might be the difference, plus I'm on 24.10 now.

    You have to understand that I had no alternative but to execute the command that was advised. And look: the system is serving me perfectly. As I saw that there was an apparmor update, I became interested in learning how to reverse the procedure I had done. I understand that you are warning me about potential damage I could do to the system, but I would be much happier if you taught me how to undo what I did.

Page 2 of 3 FirstFirst 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •