Add AppArmor profile for Connect #43595
Confirmed that it works on a real device with Ubuntu 24.04. Changes to install scripts don't cause problems when uninstalling and upgrading.
Unfortunately, upgrading the app on Ubuntu 22.04 prints the following error:
$ sudo dpkg -i teleport-connect_17.0.0-dev.ravicious.1_amd64.deb
(Reading database ... 207812 files and directories currently installed.)
Preparing to unpack teleport-connect_17.0.0-dev.ravicious.1_amd64.deb ...
Unpacking teleport-connect (17.0.0~dev.ravicious.1) over (15.4.5) ...
teleport-connect: Upgrade detected, skipping symlink operations
Setting up teleport-connect (17.0.0~dev.ravicious.1) ...
update-alternatives is /usr/bin/update-alternatives
teleport-connect: Skipping symlinking /usr/local/bin/tsh to /opt/Teleport Connect/resources/bin/tsh because /usr/local/bin/tsh already exists and it isn't a symlink.
AppArmor parser error for /etc/apparmor.d/teleport-connect in profile /etc/apparmor.d/teleport-connect at line 1: Could not open 'abi/4.0': No such file or directory
dpkg: error processing package teleport-connect (--install):
installed teleport-connect package post-installation script subprocess returned error exit status 1
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu3) ...
Errors were encountered while processing:
teleport-connect
However, the new version has been installed.
@@ -0,0 +1,9 @@ | |||
abi <abi/4.0>, |
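Review bot: The `abi <abi/4.0>,` declaration on line 1 of the new profile is rejected by parsers that do not ship that ABI file; the Ubuntu 22.04 upgrade log in this conversation shows `Could not open 'abi/4.0'` followed by a failed post-installation script. Have the install script test the profile with apparmor_parser before copying it to /etc/apparmor.d, and skip it with a warning when the check fails, so the package still installs cleanly on older releases.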
There doesn't appear to be a way to write a backwards-compatible apparmor profile.
The answer to that Ask Ubuntu question links to an example from the Ubuntu Pro Client which uses a jinja template and modifies the profile based on which Ubuntu version is running. I don't think we can do that since our app isn't meant for Ubuntu only.
What we could do is first check if the given version of apparmor_parser can handle our profile (maybe with `-preprocess` or `--skip-kernel-load --debug`?) and only then copy it to apparmor.d and load it.
If apparmor_parser runs into an error when checking the profile, we don't copy the profile and emit a warning. This should let users on Ubuntu 22.04 use Connect. If there's another breaking change to AppArmor in the future, we'll notice that by the app not working due to a lack of profile.
How does that sound @gzdunek?
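The validate-then-install flow proposed above, sketched as a POSIX shell function. This is an added example, not code from this PR or from Teleport's install scripts; `APPARMOR_PARSER`, `APPARMOR_DIR`, `PROFILE_STATUS` and the stub parser are assumptions made so the logic can be exercised without AppArmor installed.

```shell
#!/bin/sh
# Added example, not Teleport's install script. Variable names are assumptions;
# override them to exercise the logic without touching /etc.
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# install_apparmor_profile SRC NAME
# Copies SRC to $APPARMOR_DIR/NAME and loads it only if the local parser can
# parse it. Always returns 0 so an unsupported profile never fails the
# package's post-install step; the outcome is left in $PROFILE_STATUS.
install_apparmor_profile() {
  src=$1
  target="$APPARMOR_DIR/$2"
  PROFILE_STATUS=skipped

  # No AppArmor on this system (e.g. Fedora): nothing to do.
  if [ ! -d "$APPARMOR_DIR" ] || ! command -v "$APPARMOR_PARSER" >/dev/null 2>&1; then
    echo "AppArmor not present, skipping profile" >&2
    return 0
  fi

  # Dry run: parse the profile without loading it into the kernel.
  if ! "$APPARMOR_PARSER" --skip-kernel-load --debug "$src" >/dev/null 2>&1; then
    echo "warning: $APPARMOR_PARSER cannot parse $src, profile not installed" >&2
    return 0
  fi

  # Validate first, copy second: a rejected file never lands in apparmor.d.
  cp -f "$src" "$target" || { echo "warning: cannot write $target" >&2; return 0; }
  PROFILE_STATUS=copied
  if "$APPARMOR_PARSER" --replace "$target" >/dev/null 2>&1; then
    PROFILE_STATUS=loaded
  else
    echo "warning: copied $target but could not load it" >&2
  fi
  return 0
}

# Constructed stand-in for a parser that predates ABI 4.0: it rejects any
# profile declaring that ABI, like the Ubuntu 22.04 log earlier in the thread.
stub_parser_without_abi4() {
  for arg in "$@"; do profile=$arg; done   # last argument is the profile path
  if grep -q 'abi <abi/4.0>' "$profile"; then
    echo "Could not open 'abi/4.0': No such file or directory" >&2
    return 1
  fi
  return 0
}
```

Because the function never returns non-zero, a parser that rejects the profile produces a warning instead of the `post-installation script subprocess returned error exit status 1` failure shown in the dpkg output.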
Sounds good, I can retest. Are you going to run another build? If no, then I will set up a dev environment on Ubuntu :)
I think testing this particular conditional branch in a VM should be enough. I already set up 20.04 myself.
eaa0823 to 9efcdac
@ravicious See the table below for backport results.
Does a release with this new version exist on the official website download page?
@GuillaumeCisco Not yet unfortunately. 16.0.4 and 15.4.7 will have it. 16.0.3 and 15.4.6 do have an updated Electron version though.
Fixes #43168.
There's been a breaking change in Ubuntu 24 which requires apps that construct their own sandboxes (such as Chromium) to provide a profile allowing the use of unprivileged user namespaces.
The profile I added is based on the profile for VSCode that ships with Ubuntu 24 in `/etc/apparmor.d/code`. It looks like this:
VSCode's profile
Tested in a VM on Ubuntu 24 and Fedora 37 (which doesn't use AppArmor). Tag build 17.0.0-dev.ravicious.1 is in progress, after which I'll test it on an actual device running Linux.
changelog: Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile