Hello,
I recently started experimenting with AppArmor and have successfully created profiles for several applications. However, I encountered an issue while profiling Steam. Specifically, Steam fails to launch when AppArmor is enabled. Below is the error output from Steam:
```
steam.sh[204656]: Running Steam on arch rolling 64-bit
steam.sh[204656]: STEAM_RUNTIME is enabled automatically
setup.sh[204732]: Steam runtime environment up-to-date!
steam-runtime-check-requirements[206680]: W: Child process exited with code 1: bwrap: setting up uid map: Permission denied
steam.sh[204656]: Error: Steam now requires user namespaces to be enabled.
This requirement is the same as for Flatpak, which has more detailed
information available:
https://github.com/flatpak/flatpak/wiki … quirements
```
From the URL provided in the output, I quickly figured out it is an issue related to bubblewrap.
Below is the output of bwrap when its profile is set to complain mode:
```
>> bwrap --bind / / --ro-bind /usr /usr --dev /dev --proc /proc --dir /tmp --unshare-user
--unshare-net --unshare-pid /bin/bash --expose-pids
bwrap: setting up uid map: Permission denied
```
Here is the AppArmor profile I have configured for bwrap:
```
abi <abi/4.0>,
include <tunables/global>
profile bwrap /usr/bin/bwrap flags=(complain) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap>
}
```
I also verified that `/proc/sys/kernel/unprivileged_userns_clone` is set to `1`.
```
>> cat /proc/sys/kernel/unprivileged_userns_clone
1
```
From `/sys/kernel/security/apparmor/profiles` I can see that `bwrap` is set to complain mode, so it should not be restricted in any way.
I suspect this may be an issue with my configuration rather than a bug in AppArmor itself. If anyone has insights or suggestions for resolving this, I would greatly appreciate your help.
Thank you in advance!
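
Added example, not part of the original post: a Python helper that reads a profile's mode from the `name (mode)` listing format of `/sys/kernel/security/apparmor/profiles` and lists the kernel audit events recorded against that profile, which is where complain mode reports operations the profile has no rule for (as `apparmor="ALLOWED"`). The sample listing and audit lines are constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed sample of /sys/kernel/security/apparmor/profiles: one "name (mode)" per line.
SAMPLE_PROFILES = "bwrap (complain)\n/usr/bin/man (enforce)\nsteam (unconfined)\n"

# Constructed kernel audit lines in AppArmor's key=value format;
# they are illustrative and were not taken from the poster's system.
SAMPLE_AUDIT = [
    'audit: type=1400 audit(1700000000.100:10): apparmor="ALLOWED" operation="capable" '
    'class="cap" profile="bwrap" pid=4242 comm="bwrap" capability=21 capname="sys_admin"',
    'audit: type=1400 audit(1700000000.200:11): apparmor="DENIED" operation="open" '
    'class="file" profile="/usr/bin/man" name="/etc/example.conf" pid=4300 comm="man" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit: type=1400 audit(1700000000.300:12): apparmor="ALLOWED" operation="capable" '
    'class="cap" profile="bwrap" pid=4242 comm="bwrap" capability=7 capname="setuid"',
]

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_profiles(text):
    """Map profile name -> mode. Names may contain spaces; the mode is the final (...)."""
    modes = {}
    for line in text.splitlines():
        m = re.fullmatch(r'(.+) \((\w+)\)', line.strip())
        if m:
            modes[m.group(1)] = m.group(2)
    return modes

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def events_for(profile, lines):
    """(verdict, operation, detail) for every audit event logged against one profile."""
    out = []
    for line in lines:
        f = parse_audit(line)
        if f and f.get('profile') == profile:
            detail = f.get('capname') or f.get('name') or f.get('requested', '')
            out.append((f['apparmor'], f.get('operation', '?'), detail))
    return out

if __name__ == '__main__':
    print('bwrap mode:', parse_profiles(SAMPLE_PROFILES).get('bwrap'))
    for verdict, operation, detail in events_for('bwrap', SAMPLE_AUDIT):
        print(verdict, operation, detail)
```

On a live system the same functions can be fed the contents of the profiles file and the kernel log lines containing `apparmor=`.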