- The content is a blog article that explains how to fix Flatpak apps not running on Ubuntu due to AppArmor, a security module that restricts the actions of processes.
- The content provides two solutions: disabling AppArmor for Flatpak apps, or adjusting AppArmor profiles for Flatpak apps according to their needs and permissions.
Flatpak is a popular way to install and run applications on Linux, especially those that are not available in the official repositories. Flatpak apps are sandboxed and bundled with their dependencies, which makes them portable and secure. However, sometimes Flatpak apps may not run properly on Ubuntu, and you may encounter errors like “bwrap: No permissions to creating new namespace” or “bwrap: Can’t make symlink at /var/run: File exists”. In this article, we will explain why these errors happen and how to fix them.
Why Flatpak Apps Don’t Run on Ubuntu
Table of Contents
The main reason why Flatpak apps don’t run on Ubuntu is that Ubuntu uses AppArmor, a security module that restricts the actions of processes based on their profiles. AppArmor is enabled by default on Ubuntu, and it applies to all processes, including Flatpak apps. However, AppArmor and Flatpak are not fully compatible, and sometimes AppArmor may block Flatpak apps from accessing certain resources or performing certain actions. This results in errors like the ones mentioned above.
One way to solve this problem is to disable AppArmor for Flatpak apps. This will allow them to run without any restrictions, but it will also reduce their security and isolation. Another way is to adjust the AppArmor profiles for Flatpak apps, so that they can access the resources they need without compromising security. This is a more elegant and recommended solution, but it requires some manual editing of configuration files.
How to Disable AppArmor for Flatpak Apps
If you want to disable AppArmor for Flatpak apps, you need to edit the /etc/apparmor.d/abstractions/flatpak file as root. You can use any text editor of your choice, but we will use nano for this example. To open the file with nano, run the following command in a terminal:
sudo nano /etc/apparmor.d/abstractions/flatpak
You will see something like this:
To disable AppArmor for Flatpak apps, you need to comment out all the lines in this file by adding a # symbol at the beginning of each line. The file should look like this after commenting out:
To save the changes and exit nano, press Ctrl+O followed by Enter, then press Ctrl+X. To apply the changes, you need to reload the AppArmor profiles with this command:
sudo apparmor_parser -r /etc/apparmor.d/*
Now you should be able to run Flatpak apps without any errors. However, keep in mind that this method will make your Flatpak apps less secure and isolated from the rest of the system.
How to Adjust AppArmor Profiles for Flatpak Apps
If you want to adjust AppArmor profiles for Flatpak apps, you need to edit the /etc/apparmor.d/abstractions/flatpak file as root, as explained in the previous section. However, instead of commenting out all the lines, you need to modify them according to the needs of each Flatpak app.
The lines in this file are rules that define what resources and actions are allowed or denied for Flatpak apps. Each rule has a syntax like this:
Where permission is one of the following:
- r: read
- w: write
- m: memory map as executable
- l: link
- k: lock
- ix: inherit execute
- Px: discrete profile execute
- Ux: unconfined execute
And path is the location of the resource, such as a file or a directory.
For example, the rule:
owner /run/user/[0-9]*/bus rw,
Means that Flatpak apps are allowed to read and write (rw) the bus file owned by any user (owner) under /run/user/[0-9]*/.
To adjust these rules, you need to know what resources and actions each Flatpak app requires, and add or remove permissions accordingly. You can find out what resources and actions a Flatpak app requires by running it with the –log-session-bus or –log-system-bus options, which will print out all the D-Bus messages exchanged by the app. For example:
flatpak run --log-session-bus org.gnome.gedit
This will run Gedit, a text editor, and show all the D-Bus messages it sends and receives on the session bus. You can also use tools like strace or lsof to monitor what files and directories a Flatpak app accesses.
Alternatively, you can use trial and error to adjust the rules until you find a working configuration. You can test if a rule works by reloading the AppArmor profiles and running the Flatpak app. If the app runs without errors, the rule is fine. If the app fails with an error, the rule is either too restrictive or too permissive, and you need to change it.
For example, one of the common errors that Flatpak apps encounter on Ubuntu is:
bwrap: Can't make symlink at /var/run: File exists
This means that the app is trying to create a symbolic link at /var/run, but it already exists. To fix this, you need to allow the app to overwrite the existing file by adding the l permission to the rule that matches /var/run. The rule should look like this:
This will allow Flatpak apps to read, write, and link (rwl) files under /var/run/ and /var/run/flatpak/.
Another common error is:
bwrap: No permissions to creating new namespace
This means that the app is trying to create a new namespace, which is a feature that isolates processes from each other. To fix this, you need to allow the app to use the unshare system call by adding this line to the file:
This will grant Flatpak apps the sys_admin capability, which is required for creating namespaces.
By adjusting the AppArmor rules for Flatpak apps, you can make them run on Ubuntu without disabling AppArmor completely. This way, you can enjoy the benefits of both Flatpak and AppArmor, and have a more secure and stable system.
Frequently Asked Questions
Here are some common questions and answers related to Flatpak apps and AppArmor on Ubuntu.
Question: How do I know if AppArmor is enabled on my system?
Answer: You can check if AppArmor is enabled by running this command in a terminal:
This will show you the status of AppArmor, including how many profiles are loaded, enforced, or in complain mode. If AppArmor is disabled, you will see a message like this:
apparmor module is not loaded.
Question: How do I enable or disable AppArmor on my system?
Answer: You can enable or disable AppArmor by editing the /etc/default/grub file as root. You can use any text editor of your choice, but we will use nano for this example. To open the file with nano, run the following command in a terminal:
sudo nano /etc/default/grub
You will see something like this:
To disable AppArmor, you need to add apparmor=0 to the GRUB_CMDLINE_LINUX_DEFAULT line. The line should look like this:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash apparmor=0"
To enable AppArmor, you need to remove apparmor=0 from the GRUB_CMDLINE_LINUX_DEFAULT line. The line should look like this:
To save the changes and exit nano, press Ctrl+O followed by Enter, then press Ctrl+X. To apply the changes, you need to update Grub with this command:
Then you need to reboot your system for the changes to take effect.
Question: How do I install or uninstall Flatpak apps on Ubuntu?
Answer: You can install or uninstall Flatpak apps on Ubuntu using either a graphical interface or a command-line interface. For the graphical interface, you can use either GNOME Software or KDE Discover, depending on your desktop environment. Both of these applications support Flatpak apps if you have installed the gnome-software-plugin-flatpak or plasma-discover-flatpak-backend packages respectively. You can browse, install, or uninstall Flatpak apps from these applications as you would with any other software.
For the command-line interface, you can use the flatpak command. To install a Flatpak app from Flathub, which is the most popular repository for Flatpak apps, you can use this syntax:
flatpak install flathub APP_ID
Where APP_ID is the identifier of the app you want to install, such as org.gnome.gedit for Gedit. You can find the APP_ID of any app on Flathub by visiting its page and looking at its URL.
To uninstall a Flatpak app, you can use this syntax:
flatpak uninstall APP_ID
Where APP_ID is the identifier of the app you want to uninstall.
You can also use flatpak search to find apps by name or keyword, and flatpak list to see what apps are installed on your system.
Flatpak is a great way to install and run applications on Linux, but it may not work well with AppArmor, which is a security feature of Ubuntu. In this article, we have explained how to fix the common errors that Flatpak apps encounter on Ubuntu, by either disabling or adjusting AppArmor profiles for them. We have also answered some frequently asked questions related to Flatpak and AppArmor on Ubuntu. We hope this article has been helpful and informative for you. If you have any comments, suggestions, or feedback, please let us know in the comment section below. Thank you for reading!
Disclamer: The author of this article is not affiliated with or endorsed by the original poster, Flatpak, AppArmor, Ubuntu, or any other entity mentioned in this article. The information and solutions provided in this article may not be accurate, complete, reliable, suitable, or available for your situation. The author of this article is not responsible for any loss, damage, injury, or inconvenience caused by or arising from the use of or reliance on the information and solutions provided in this article. The user of this article should always verify the information and solutions before applying them to their own situation. The user of this article should also be aware that Flatpak and AppArmor are constantly evolving and changing, and that the information and solutions provided in this article may not be up to date or compatible with future versions of these technologies. The user of this article should also consult the official documentation and support channels of Flatpak and AppArmor for the latest information and guidance. The user of this article should also follow the best practices and recommendations of Flatpak and AppArmor when using these technologies. The user of this article should also respect the license terms and conditions of Flatpak and AppArmor when using these technologies. The user of this article should also acknowledge and credit the original sources of the information and solutions provided in this article when using or sharing them with others. The author of this article reserves the right to modify, update, delete, or add any information or solution in this article at any time without prior notice. The author of this article also reserves the right to respond or not respond to any comment, suggestion, or feedback in the comment section below at their discretion.