Starting with Ubuntu 23.10, Canonical began to restrict unprivileged
user namespaces.[1] After this change AppArmor completely blocks bwrap
if user namespace restrictions are enforced, breaking Umu, which stops
with the following error:
pressure-vessel-wrap[290705]: E: Child process exited with code 1:
bwrap: setting up uid map: Permission denied
The solution is to add the missing AppArmor profile for bwrap. Ubuntu
already has it in the apparmor-profiles package but it has not been enabled
yet.[2] This commit adds the profile to the Lutris package and adds the rules
during the deb installation.[3] Since it's an experimental profile it
can cause some issues in some corner cases (bwrap with root privileges,
for example, will be blocked by AppArmor), but it's still much better
than leaving bwrap completely unconfined or Umu broken for all Ubuntu
users on 23.10+.
Note: The profile will break AppArmor with ABI version < 4; for this
reason this patch includes a postinst script[4] that will remove the bwrap
profile in case Lutris is installed on an old Ubuntu version or Debian
(ABI 3). The script also checks if there are Ubuntu/Umu/Custom rules (if
the file name has the same nomenclature used by Ubuntu) installed and, if
found, ours will be removed.
Note for packaging: dh-apparmor is now a required build dependency.
Test:
1. Kubuntu 24.10 (Real HW) ABI 4: AppArmor OK (rules applied), Umu works
2. Ubuntu 23.04 (VM) ABI 3: AppArmor OK (rules removed), Umu works
3. Debian 12 (VM) ABI 3: AppArmor OK (rules removed), Umu works
[1] https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
[2] 77f03f143a
[3] https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
[4] https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#summary-of-ways-maintainer-scripts-are-called
Signed-off-by: Marco Zanin <mrczn.bb@gmail.com>
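A postinst-style helper that implements the check the message above describes, added here as an illustration and not the Lutris package's own script. The profile name usr.bin.bwrap, the use of /etc/apparmor.d/abi/4.0 as the ABI 4 marker and the candidate names in OTHER_PROFILES are assumptions:

```shell
#!/bin/sh
# Added example (not the Lutris postinst): decide whether a packaged bwrap
# AppArmor profile should stay installed, following the logic described in
# the commit message. Assumptions, not taken from the package:
#   - the packaged profile is installed as $DIR/usr.bin.bwrap
#     (constructed name, Debian path-style naming)
#   - AppArmor userspace 4.x ships the ABI file $DIR/abi/4.0, while 3.x
#     (Debian 12, Ubuntu 23.04) does not, so its absence means ABI 3
#   - a distro or third-party bwrap profile would use one of the names in
#     OTHER_PROFILES (assumed Ubuntu naming)
OURS="usr.bin.bwrap"
OTHER_PROFILES="bwrap bwrap-userns-restrict"

# bwrap_profile_action DIR: prints "keep" or "remove"
bwrap_profile_action() {
    dir="$1"
    # An ABI 4 profile does not parse on AppArmor 3, which would break
    # policy loading for the whole system: drop it there.
    if [ ! -e "$dir/abi/4.0" ]; then
        echo remove
        return 0
    fi
    # Another bwrap profile is already present: keep theirs, not ours,
    # so bwrap is not covered by two profiles that may conflict.
    for name in $OTHER_PROFILES; do
        if [ -e "$dir/$name" ]; then
            echo remove
            return 0
        fi
    done
    echo keep
}

# apply_bwrap_profile DIR: unload and delete our profile when it must not
# stay; prints the action taken so callers can check it
apply_bwrap_profile() {
    dir="$1"
    action=$(bwrap_profile_action "$dir")
    if [ "$action" = remove ] && [ -e "$dir/$OURS" ]; then
        # Unload from the kernel first if a parser is available; errors are
        # ignored because an unparsable profile was never loaded anyway.
        command -v apparmor_parser >/dev/null 2>&1 && \
            apparmor_parser -R "$dir/$OURS" 2>/dev/null || true
        rm -f "$dir/$OURS"
    fi
    echo "$action"
}
```

On a real system the maintainer script would call `apply_bwrap_profile /etc/apparmor.d` before the dh-apparmor snippet tries to load the profile.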
'fluidsynth' is not really required, and 'xdg-desktop-portal' appears to just be for flatpak support, so I think we do not need hard dependencies on these.
Resolves #5138
Resolves #4857.
It seems to me that Debian requires an extra package for PyCairo, but
RPM and PIP based installs do not. That's strange, but at least this
much seems to be needed.
Webkit2 4.0 uses libsoup 2 which is deprecated, and as such it is not
part of the GNOME 43 runtime. The only difference in 4.1 is the use of
soup3 instead of soup2.
While the focus is on Linux and it currently only runs on Linux, nothing prevents people from adding support for different Kernels.
Signed-off-by: Stephan Lachnit <stephanlachnit@protonmail.com>