From 6488e1fb79ce0bc9a19a3a013cf20d86dcebb74e Mon Sep 17 00:00:00 2001
From: Georgia Garcia
Date: Wed, 17 Jul 2024 09:35:45 -0300
Subject: [PATCH] profiles: add mediate_deleted to bwrap

Some applications using the bwrap profile don't function properly due to "Failed name lookup - deleted entry". The following denials trying to start flatpak KeePassXC is an example showing that it happens for both bwrap and unpriv_bwrap profiles:

Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/****/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"

Fixes: https://launchpad.net/bugs/2072811
Signed-off-by: Georgia Garcia
---
 profiles/apparmor/profiles/extras/bwrap-userns-restrict | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/profiles/apparmor/profiles/extras/bwrap-userns-restrict b/profiles/apparmor/profiles/extras/bwrap-userns-restrict
index 5088430db..286131626 100644
--- a/profiles/apparmor/profiles/extras/bwrap-userns-restrict
+++ b/profiles/apparmor/profiles/extras/bwrap-userns-restrict
@@ -17,7 +17,7 @@ abi , include 
-profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
+profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
 allow capability,
 # not allow all, to allow for pix stack
 # sadly we have to allow m every where to allow children to work under 
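Review bot: The new `mediate_deleted` flag on the `profile bwrap` header is not explained anywhere in the profile itself, so a later cleanup of the flags could drop it and silently reintroduce the "Failed name lookup - deleted entry" denials quoted in the commit message; the same applies to the `profile unpriv_bwrap` header in the second hunk. I would add a comment directly above the first header, e.g. `# mediate_deleted: apply the file rules below to already-unlinked entries instead of failing the name lookup (LP: #2072811)`, and a one-line `# see mediate_deleted note on profile bwrap above` on the unpriv_bwrap header. As far as these hunks show, the flag only changes how deleted entries are looked up and the access is still checked against the profile's file rules (for unpriv_bwrap that is `allow file rwlkm /{**,}` in the second hunk), so it does not appear to broaden what the confined processes may reach, but stating that explicitly in the profile or commit message would help reviewers, since the quoted audit entries are `link` operations into a config directory with `#NNNNNN`-style targets that look like a temporary-file save pattern. Both profile bodies continue outside the hunks.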
@@ -42,7 +42,7 @@ profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
 include if exists 
 }
-profile unpriv_bwrap flags=(attach_disconnected) {
+profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
 # not allow all, to allow for pix stack
 allow file rwlkm /{**,},
 allow network,