Zorin 18 CIS level 1 hardened : flatpak issues

We have been trying to build a CIS Level 1 hardened Zorin Desktop, in addition to an encrypted multi-partition drive.

After running the ./ubuntu2204-script-cis_level1_workstation.sh remediation scripts, the flatpak applications are not working anymore (but snap ones continue to work).

The error:

2025-10-24T22:21:29.369204+02:00 XXXX-LPT-CHG-07 systemd[2950]: Started app-flatpak-org.mozilla.firefox-16090.scope.
2025-10-24T22:21:29.513711+02:00 XXXX-LPT-CHG-07 org.mozilla.firefox.desktop[16099]: bwrap: setting up uid map: Permission denied
2025-10-24T22:21:29.514350+02:00 XXXX-LPT-CHG-07 org.mozilla.firefox.desktop[16090]: error: Failed to sync with dbus proxy

This error is reported on several websites for other releases (Ubuntu 22, 23 and 24).

However, the fix, for example here https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces, does not work on Zorin.

This is above my paygrade, but remember Canonical's stance is they only want users to use snap and not flatpak. Don't know if this forum page enlightens anything:

Also, remember 23.10 was an 'intermediate' release (9-month life-cycle) and would be used to see if any updates resolve bugs/improvements to the then current LTS, 22.04 (=Zorin 17).

Have you created any apparmor profiles for the affected packages?

There were AppArmor flatpak issues on 22, 23, 24 and 25 (a different one for 25).

Well yes, snaps have no problem, but Zorin is more "flatpak"-centric, so it would be great if it worked too.

Yes, I tried the bwrap AppArmor profile (see below) and the "sudo sysctl -w kernel.unprivileged_userns_clone=1" at the OS level; nothing worked.

abi <abi/4.0>,
include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap>
}

There was an AppArmor issue with 24.04 here: `bwrap` broke on Ubuntu 24.04 · Issue #632 · containers/bubblewrap · GitHub, but to my understanding Zorin 18 is 22.04 based.

The only thing I did not do (yet):

Verify UID/GID Mappings

Flatpak and bwrap require an unprivileged user to have a range of user IDs (UIDs) and group IDs (GIDs) mapped to them for the sandboxing to work.

Best,

Zorin 18 is based on Ubuntu 24.04.


In fact, the flatpak issue seems to be already handled by /etc/apparmor.d/bwrap-userns-restrict-patched:

# This profile allows almost everything and only exists to allow bwrap
# to work on a system with user namespace restrictions being enforced.
# bwrap is allowed access to user namespaces and capabilities within
# the user namespace, but its children do not have capabilities,
# blocking bwrap from being able to be used to arbitrarily by-pass the
# user namespace restrictions.

# Note: the bwrap child is stacked against the bwrap profile due to
# bwraps use of no-new-privs.

abi <abi/4.0>,

include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(attach_disconnected, complain, mediate_deleted) {
  allow capability,
  # not allow all, to allow for pix stack on systems that don't support
  # rule priority.
  #
  # sadly we have to allow 'm' every where to allow children to work under
  # profile stacking atm.
  allow file rwlkm /{**,},
  allow network,
  allow unix,
  allow ptrace,
  allow signal,
  allow mqueue,
  allow io_uring,
  allow userns,
  allow mount,
  allow umount,
  allow pivot_root,
  allow dbus,

  # stacked like this due to no-new-privs restriction
  # this will stack a target profile against bwrap and unpriv_bwrap
  # Ideally
  # - there would be a transition at userns creation first. This would allow
  #   for the bwrap profile to be tighter, and looser within the user
  #   ns. bwrap will still have to fairly loose until a transition at
  #   namespacing in general (not just user ns) is available.
  # - there would be an independent second target as fallback
  #   This would allow for select target profiles to be used, and not
  #   necessarily stack the unpriv_bwrap in cases where this is desired
  #
  # the ix works here because stack will apply to ix fallback
  # Ideally we would sanitize the environment across a privilege boundary
  # (leaving bwrap into application) but flatpak etc use environment glibc
  # sanitized environment variables as part of the sandbox setup.
  allow pix /** -> &bwrap//&unpriv_bwrap,

  # the local include should not be used without understanding the userns
  # restriction.
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap-userns-restrict>
}

# The unpriv_bwrap profile is used to strip capabilities within the userns
profile unpriv_bwrap flags=(attach_disconnected, complain, mediate_deleted) {
  # not allow all, to allow for pix stack
  allow file rwlkm /{**,},
  allow network,
  allow unix,
  allow ptrace,
  allow signal,
  allow mqueue,
  allow io_uring,
  allow userns,
  allow mount,
  allow umount,
  allow pivot_root,
  allow dbus,

  # bwrap profile does stacking against itself this will keep the target
  # profile from having elevated privileges in the container.
  # If done recursively the stack will remove any duplicate
  allow pix /** -> &unpriv_bwrap,

  audit deny capability,

  # the local include should not be used without understanding the userns
  # restriction.
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/unpriv_bwrap>
}
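A diagnostic for the two knobs this thread turns on (the kernel.unprivileged_userns_clone sysctl set by the CIS remediation, and the AppArmor userns restriction that the bwrap profile above satisfies), written as an added example rather than anything posted here or shipped by Ubuntu or Zorin; the sysctl names and the profiles listing are real kernel interfaces, the optional alternate-root argument is a convenience of this script for offline testing.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Ubuntu/Zorin): explains why
# bwrap prints "setting up uid map: Permission denied" on a CIS-hardened host.
# $1 is an optional alternate root (a constructed proc/sys tree) so the check
# can be exercised offline; with no argument it reads the live kernel.
userns_check() {
  root="${1:-}"
  status=0

  # Debian/Ubuntu-specific knob; CIS L1 remediation sets it to 0, which
  # forbids unprivileged user namespaces outright, profile or not.
  clone=$(cat "$root/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo missing)
  # Ubuntu 23.10+/24.04 (the base of Zorin 18) additionally gates userns
  # creation behind an AppArmor profile granting 'userns' when this is 1.
  restrict=$(cat "$root/proc/sys/kernel/apparmor_restrict_unprivileged_userns" 2>/dev/null || echo missing)
  maxns=$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || echo missing)
  profiles="$root/sys/kernel/security/apparmor/profiles"

  if [ "$clone" = "0" ]; then
    echo "FAIL kernel.unprivileged_userns_clone=0 (unprivileged userns disabled)"
    status=1
  else
    echo "ok   kernel.unprivileged_userns_clone=$clone"
  fi

  if [ "$maxns" = "0" ]; then
    echo "FAIL user.max_user_namespaces=0 (no user namespaces can be created)"
    status=1
  fi

  if [ "$restrict" = "1" ]; then
    # Loaded profiles are listed one per line as "<name> (<mode>)"; the
    # Ubuntu bwrap-userns-restrict profile is named plainly "bwrap".
    if grep -q '^bwrap ' "$profiles" 2>/dev/null; then
      echo "ok   apparmor_restrict_unprivileged_userns=1 and a 'bwrap' profile is loaded"
    else
      echo "FAIL apparmor_restrict_unprivileged_userns=1 but no 'bwrap' profile is loaded"
      status=1
    fi
  else
    echo "ok   kernel.apparmor_restrict_unprivileged_userns=$restrict"
  fi
  return $status
}

# Run against the live system with: sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then
  userns_check "${2:-}"
fi
```

A non-zero exit means at least one of the three preconditions bwrap needs is missing; each FAIL line names the knob to look at, and the first two are the ones a CIS Level 1 profile typically flips.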