Add apparmor profile

[xmedeko]

• Electron-Builder Version: 25.1.8
• Node Version: 22
• Electron Version: 32.2.1
• Electron Type (current, beta, nightly): current
• Target: Linux

Ubuntu 24 installation requires AppArmor profile to be configured for the app, see

• Ubuntu 24 AppArmor user namespace creation restrictions cause many applications to crash
• [Bug]: All versions of Electron (chromium upstream bug) fail to open on Ubuntu 24.04+ due to kernel.apparmor_restrict_unprivileged_userns=1 by default electron/electron#41066

Solution is to detect OS with AppArmor and create a file in /etc/apparmor.d/<exe-name>:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile <exe-name> "/opt/<install-path>/<exe-name>" flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/<exe-name>
}

Note: remove this file when the app is uninstalled.

See also:

• Add AppArmor profile for Connect gravitational/teleport#43595 - including code for after-install.tpl checking AppArmor and installation.
• Electron appimage does not work on Ubuntu 24.04 gm-vm/openfortivpn-webview#37 - just advice for manual configuration.

[mmaietta]

I can definitely get this feature implemented. Quick Q. What is this doing?

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/reqview-beta>

Do we need this line for the base AppArmor profile supplied by electron-builder?

I'll also create a configuration param appArmorProfile: string that you can use for providing your own profile.

[xmedeko]

Sorry, I put some concrete names instead of placeholder <exe-name> in the first post, I've updated it. This part should be:

include if exists <local/<exe-name>>

So, if the executable is e.g. custom-app then this line would include file /etc/apparmor.d/local/custom-app if any. So as admin of machine can put own, local AppArmor rules for the app. (You can see this pattern in many profilesshiiped with Ubuntu 24 in /etc/apparmor.d/)

Also note parentheses around path "/opt//" - is used without parentheses then spaces (and maybe some other chars) has to be escaped.

Param appArmorProfile: string is very good idea.

[shadow-light]

This won't help distributing by AppImage though right? Any idea what the path forward for AppImage is?

[Fuseteam]

@shadow-light might be idea to voice that concern here: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

[mmaietta]

@shadow-light, unfortunately, due to the ephemeral nature of AppImage's being executable (and updateable) from any location presents difficulty in creating (and removal) of the apparmor-profile file. AFAIK, there are not any hooks for appimages being mounted that would allow the automatic creation of the profile file.

I'll only be able to support this on FPM-based targets

[mmaietta]

This was implemented for FPM-based distributions in electron-builder v26.0.0-alpha.6

Can you please give it a test and report back if it also resolves the issue for you? (particularly helpful for confirmation since we're in an alpha release version)

[xmedeko]

👍 Works well on Ubuntu 24 (installs AppArmor profile) and Ubuntu 22 (does not install AppArmor profile) too.

[Sytten]

AFAIK this is not fixed for AppImage right?

[Fuseteam]

@Sytten indeed, as mentioned here: #8635 (comment)