Bug 515449 - Discover needs an apparmor rule to update flatpaks with apply_extra scripts
Status: RESOLVED DOWNSTREAM
Alias: None
Product: Discover
Classification: Applications
Component: Flatpak Backend (other bugs)
Version First Reported In: master
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Plasma Bugs List
Reported: 2026-02-03 09:10 UTC by David Redondo
Modified: 2026-02-03 12:42 UTC

Description David Redondo 2026-02-03 09:10:49 UTC
SUMMARY


STEPS TO REPRODUCE
1.  Try to update a flatpak which has apply_extra, such as Chrome, on Neon (I guess Ubuntu as well)

OBSERVED RESULT
An error pops up without further information. If there are N pending updates, there will be N errors.

The actual error is:
bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted

EXPECTED RESULT
Update should work like when typing flatpak update


ADDITIONAL INFORMATION
I am not sure if the software is expected to ship AppArmor rules or the distro.

The flatpak rule is shipped with AppArmor itself:

cat /etc/apparmor.d/flatpak
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile flatpak /usr/bin/flatpak flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/flatpak>
}
Comment 1 Harald Sitter 2026-02-03 12:42:51 UTC
We don't ship AppArmor profiles. That's AppArmor itself, or Ubuntu possibly.

https://gitlab.com/apparmor/apparmor/-/tree/master/profiles/apparmor.d