Conflict between apparmor and guix on Ubuntu 24.04

Uninstalling `apparmor` and rebooting is the only thing i have found that makes it work.

Selectively disabling the specific rulset with:

# aa-disable unprivileged_userns

Gives a new error:

$ guix environment -C
guix environment: warning: no packages specified; creating an empty environment
guix environment: error: clone: 2114060305: Permission denied

Same for temporarily turning off apparmor entirely.

Looks like this is a case of https://bugs.launchpad.net/apparmor/+bug/2046844

What does work as a workaround is to create a specifc apparmor profile for guix, that is really unconfined and allows user namespaces:

Create a file /etc/apparmor.d/guix:

----------------------------------------------------
abi <abi/4.0>,
include <tunables/global>

profile guix /usr/bin/guix flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/guix>
}
----------------------------------------------------

Then do:

/etc/init.d/apparmor reload
aa-enforce guix

First time I tried this workaround the "aa-enforce guix" command threw an error about an unrelated file somewhere in /etc/init.d/apparmor (forgot to write down which, just remember that it used "runbindable").

I uninstalled and purged apparmor, just to try if the Guix build would work. It did.

I then reinstalled apparmor (and apparmor-utils), and rebooted, to check if I still got the original permission error. I did.

Then I applied your workaround again, except I set the path to /home/guix/.config/guix/current/bin/guix

This time I got a cryptic error:

$ sudo aa-enforce guix
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 33, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce
    for (program, prof_filename, output_name) in self.get_next_for_modechange():
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange
    aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'str' object is not callable

An unexpected error occurred!

Maybe it's a Python issue? My default Python via PyEnv is 3.11.7

I also tried the symlink destination /gnu/store/7xnx56qdzvzm3hkg01y4k4c5x5pk8qpv-guix-command

Using the Ubuntu 24.04 default Python version of 3.12.3 instead, did not help. I attached the longer error log.

Oddly enough despite the above error guix builds work fine.

For unrelated reason I rebuilt Guix from source as of commit 20dbf225f332ccc707578263ed710dcf2a8fb78e. I then ran into the issue, which I'd forgotten about.

The solution again was to:

$ which guix
/home/guix/.config/guix/current/bin/guix
$ ls -al /home/guix/.config/guix/current/bin/guix
lrwxrwxrwx 1 root root 56 jan 1 1970 /home/guix/.config/guix/current/bin/guix -> /gnu/store/bg1nwg5xdvfal6q22vmcgkmkmpkzv681-guix-command

And then update /etc/apparmor.d/guix to use that new /gnu/store path.

The "sudo aa-enforce guix" still gives me the cryptic "An unexpected error occurred", which can be safely(?) ignored. And everything works again...

Status changed to 'Confirmed' because the bug affects multiple users.

I'm on Ubuntu 24.10 and installed guix with their install.sh as recommended by the guix people.

When I'm trying to run `guix home -L "${PWD}" container home-config.scm I'm getting the following error:

```plaintext
guix home: error: mount: mount "none" on "/tmp/guix-directory.6EruDj": Permission denied
```
I stumbled upon this ticket and tried the proposed solutions, but they don't work.

```plaintext
$ which guix
/usr/local/bin/guix
```

/etc/apparmor.d/guix:

```plaintext
abi <abi/4.0>,
include <tunables/global>

profile guix /usr/bin/guix flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/guix>
}
```

`/etc/init.d/apparmor reload` runs without output.

However:

```plaintext
$ sudo aa-enforce guix
Profile for /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/bin/guix not found, skipping
```

When I set that path in `/etc/apparmor.d/guix` though, I get this:

```plaintext
$ sudo aa-enforce guix
Setting /gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/bin/guix to enforce mode.
Warning: profile guix represents multiple programs
$ guix home -L "${PWD}" container home-config.scm
/gnu/store/5kj8lyybjrdl7xd0fx9g9vzkz8sklqsy-guix-1.4.0/libexec/guix/guile: error while loading shared libraries: libguile-3.0.so.1: cannot open shared object file: Permission denied
```
`

"Purging" AppArmor makes guix-build work for me. However, I was stunned when I realized that it blows away all your AppArmor involved apps, including Firefox, etc. After re-installing Firefox, the old error returns:

```plaintext
guix shell: error: mount: mount "none" on "/tmp/guix-directory.Tl3CjE": Permission denied
```

I also have guix as

```plaintext
tim@saba:~/Projects/bitcoin$ which guix
/usr/local/bin/guix
```

I changed the path in `/etc/apparmor.d/guix` and ran aa-enforce to no avail. Elsewhere, there are suggestions that you should use the link address

```plaintext
tim@saba:~/Projects/bitcoin$ ls -la /usr/local/bin/guix
lrwxrwxrwx 1 root root 54 Nov 27 06:30 /usr/local/bin/guix -> /var/guix/profiles/per-user/root/current-guix/bin/guix
```

but that also doesn't work. I also want to say if you completely remove the `/etc/apparmor.d/guix` file and re-run aa-enforce, it is the same error:

```plaintext
im@saba:~/Projects$ sudo aa-enforce guix
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 33, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce
    for (program, prof_filename, output_name) in self.get_next_for_modechange():
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange
    aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'NoneType' object is not callable

An unexpected error occurred!

For details, see /tmp/apparmor-bugreport-hasblz31.txt
Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
and attach this file.
```

so maybe it is in the wrong place?

I'm using guix with guix-home. I have had the same issue, but only when trying to run guix with the '-C' option from within emacs' eshell.

I figured out, that the `guile` executable was still being restricted by apparmor.

I ended up with this config, placed in `/eytc/apparmor.d/guix` which solved the issue once and for all:

```plaintext
abi <abi/3.0>,

include <tunables/global>

profile guix /gnu/store/{*-guix-command,*/bin/guix,*/libexec/guix/guile,*/bin/guile} flags=(attach_disconnected) {
  # Allow all rules
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
}
```

After reading a few other apparmor config files I've now revised my config to this:

```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile guix /{usr/bin/guix,gnu/store/*-guix-command,gnu/store/*/bin/guix,gnu/store/*/libexec/guix/guile,gnu/store/*/bin/guile} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/guix>
}
```

I'v aso seen that most files in /etc/apparmor.d/ belong to the `apparmor` package itself (which is slightly odd, I expected them to be part of the respective application packages).

I will therfore try to figure out how to file a request for the apparmor package to be ammended with a guix config.

Probably upstream with the Debian GNU/Linux project.

I've created a patch and submitted it to the apparmor package maintainers.

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111753