14 Commits

Author SHA1 Message Date
Marco Zanin
718415b930 Ubuntu: packaging: add AppArmor profile for bwrap
Starting with Ubuntu 23.10, Canonical began to restrict unprivileged
user namespaces.[1] After this change, AppArmor completely blocks bwrap
if user namespace restrictions are enforced, breaking Umu, which stops
with the following error:

pressure-vessel-wrap[290705]: E: Child process exited with code 1:
bwrap: setting up uid map: Permission denied

The solution is to add the missing AppArmor profile for bwrap. Ubuntu
already has it in the apparmor-profiles package, but it has not been
enabled yet.[2] This commit adds the profile to the Lutris package and
adds the rules during the deb installation.[3] Since it's an experimental
profile, it can cause some issues in some corner cases (bwrap with root
privileges, for example, will be blocked by AppArmor), but it's still
much better than leaving bwrap completely unconfined or Umu broken for
all Ubuntu users on 23.10+.

Note: The profile will break AppArmor with ABI version < 4; for this
reason, this patch includes a postinst script[4] that will remove the
bwrap profile in case Lutris is installed on an old Ubuntu version or
Debian (ABI 3). The script also checks whether there are
Ubuntu/Umu/Custom rules (if the file name has the same nomenclature used
by Ubuntu) installed, and if found, ours will be removed.

Note for packaging: dh-apparmor is now a required build dependency.

Test:
1 Kubuntu 24.10 (Real HW) ABI 4: AppArmor OK (rules applied), Umu works
2 Ubuntu 23.04 (VM) ABI 3: AppArmor OK (rules removed), Umu works
3 Debian 12 (VM) ABI 3: AppArmor OK (rules removed), Umu works

[1] https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
[2] 77f03f143a
[3] https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
[4] https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#summary-of-ways-maintainer-scripts-are-called

Signed-off-by: Marco Zanin <mrczn.bb@gmail.com>
2024-11-21 07:20:38 +01:00
Stephan Lachnit
2530b35d1f debian: compress with gzip
Signed-off-by: Stephan Lachnit <stephanlachnit@debian.org>
2022-02-28 20:31:40 -08:00
muzena
11e254b3e9 Revert debian build changes 2020-07-20 11:32:20 -07:00
muzena
bfdbd6e55e Fix ppa building 2020-07-15 11:59:10 -07:00
Stephan Lachnit
6dd56d3734 Default to Meson for Debian package
Signed-off-by: Stephan Lachnit <stephanlachnit@protonmail.com>
2020-06-19 18:23:08 -07:00
Stephan Lachnit
26f2d606eb debian: use dh-sequence-python3
Signed-off-by: Stephan Lachnit <stephanlachnit@protonmail.com>
2020-03-29 11:20:10 -07:00
Wouter Wijsman
af070229db Fixed lintian error when building deb
This fixes the package-section-games-but-has-usr-bin error which was
shown when running debuild.

With this change, there will no longer be any binaries in the /usr/bin
directory in the deb package.
2019-12-26 11:23:41 -08:00
Stephan Lachnit
6c7bce931a make package Debian compliant
Signed-off-by: Stephan Lachnit <stephanlachnit@protonmail.com>
2019-12-10 17:20:00 +01:00
Mathieu Comandon
7a653c3e71 Update python version in debian/rules 2016-10-14 20:53:07 -07:00
ProdessorKaos64
3677042a0c update debian/ to use cleaner pybuild system 2016-02-23 18:37:17 -05:00
Mathieu Comandon
8e38878dcb Migrate to dh-python for deb packaging 2015-12-29 19:43:07 -08:00
Mathieu Comandon
248e8f84dc Update Debian packaging stuff 2012-11-10 13:08:16 +01:00
Mathieu Comandon
a5a01f85db refactored some stuff 2010-08-31 02:44:09 +02:00
Mathieu Comandon
d8bd7d00bf 'Creating ubuntu package' 2010-01-22 19:38:43 +01:00