
bwrap: setting up uid map: Permission denied (pipx installation)

Open IskandarAlex2 opened this issue 8 months ago • 12 comments

Before I continue, I want to clarify that I didn't use the Flatpak version, despite running perfectly, because its winecfg library cannot find my discord-rpc.dll.so file, which is why I needed protontricks in the first place. I already tried giving it so many permissions via Flatseal, including running sh into its sandbox, and it indeed can see the .dll.so and the environment in that sandbox is already set to WINEDLLPATH=/opt/discord-rpc/bin64:/opt/discord-rpc/bin32 but the winecfg still couldn't find any library named "discord-rpc", so I don't know what to do.

I installed protontricks as shown in the readme with pipx. It does show the game menu, but when I select a game, it just crashes immediately.

System: Kubuntu 24.04.2 LTS x86_64

protontricks (INFO): Found Steam directory at /home/iskandaralex2/.local/share/Steam
protontricks (INFO): Using default Steam Runtime at /home/iskandaralex2/.local/share/Steam/ubuntu12_32/steam-runtime
protontricks (INFO): WINETRICKS environment variable is not available. Searching from $PATH.
protontricks (INFO): Found 2 Steam library folders
protontricks (INFO): Multiple compatdata directories found for app 526870
protontricks (INFO): Multiple compatdata directories found for app 1222670
protontricks (INFO): Multiple compatdata directories found for app 1657630
protontricks (INFO): Currently logged-in Steam user: iskalex2
protontricks (INFO): Couldn't find custom shortcuts. Maybe none have been created yet?
protontricks (INFO): Using 'zenity' as GUI provider
protontricks (INFO): User has configured app Proton version (CompatToolMapping): proton_hotfix
protontricks (INFO): Found active compatibility tool: Proton Hotfix
protontricks (INFO): Active compatibility tool is a Proton installation
protontricks (INFO): Using 'bwrap = True' as default value
protontricks (INFO): Using separately installed Steam Runtime: Steam Linux Runtime 3.0 (sniper)
protontricks (INFO): Running Steam Runtime using bwrap containerization.
If any problems arise, please try running the command again using the `--no-bwrap` flag and make an issue report if the problem only occurs when bwrap is in use.
protontricks (INFO): Created Steam Runtime Wine binary directory at /home/iskandaralex2/.cache/protontricks/proton/Proton Hotfix/bin
protontricks (INFO): WINE environment variable is not available. Setting WINE environment variable to Proton bundled version.
protontricks (INFO): WINESERVER environment variable is not available. Setting WINESERVER environment variable to Proton bundled version
protontricks (INFO): Starting bwrap launcher process: /home/iskandaralex2/.cache/protontricks/proton/Proton Hotfix/bin/bwrap-launcher
protontricks - bwrap-launcher 10645: Following directories will be mounted inside container: /bin.usr-is-merged /boot /etc /home /IskyArchives /lib.usr-is-merged /lost+found /media /mnt /opt /root /sbin /sbin.usr-is-merged /snap /srv /tmp
protontricks - bwrap-launcher 10645: Using temporary directory: /tmp/protontricks-7bpon95w
pressure-vessel-wrap[10645]: E: Child process exited with code 1: bwrap: setting up uid map: Permission denied

protontricks (INFO): Terminating launcher process 10645
protontricks (INFO): Launcher process terminated
Traceback (most recent call last):
  File "/home/iskandaralex2/.local/bin/protontricks", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/cli/main.py", line 32, in cli
    main(args)
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/cli/util.py", line 175, in wrapper
    return cli_func(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/cli/main.py", line 337, in main
    run_command(
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/util.py", line 522, in run_command
    raise RuntimeError(
RuntimeError: bwrap launcher crashed, returncode: 1

IskandarAlex2 avatar Apr 19 '25 03:04 IskandarAlex2

Looks to be a duplicate of #392.

Looks like Ubuntu is preventing bwrap from working due to AppArmor. Can you check if these instructions fix the issue?

https://github.com/Matoking/protontricks/issues/392#issuecomment-2654446850

Matoking avatar Apr 28 '25 16:04 Matoking

I tried it, but the same error persists. I even stopped AppArmor, but to no avail.

IskandarAlex2 avatar Apr 29 '25 02:04 IskandarAlex2

OK, I was personally able to fix the problem with the custom AppArmor profile in an Ubuntu VM, but it's possible some other security policy might be preventing Protontricks from working, as suggested by this line:

pressure-vessel-wrap[10645]: E: Child process exited with code 1: bwrap: setting up uid map: Permission denied

If the AppArmor fix didn't work, you could try running journalctl -f at the same time as Protontricks and see if the logs explain what's blocking Protontricks from working.

Matoking avatar May 03 '25 09:05 Matoking

It seemed that AppArmor was still blocking it:

5/3/25 10:54 PM	kernel	audit: type=1400 audit(1746284084.451:210): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8507 comm="srt-bwrap" requested="userns_create" target="unprivileged_userns"
5/3/25 10:54 PM	kernel	audit: type=1400 audit(1746284084.451:211): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8508 comm="srt-bwrap" capability=8  capname="setpcap"
5/3/25 10:54 PM	kernel	audit: type=1400 audit(1746284084.451:212): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="unprivileged_userns" name="proc/8508/uid_map" pid=8508 comm="srt-bwrap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
5/3/25 10:54 PM	kernel	audit: type=1400 audit(1746284084.453:213): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8509 comm="bwrap" requested="userns_create" target="unprivileged_userns"
5/3/25 10:54 PM	kernel	audit: type=1400 audit(1746284084.454:214): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="unprivileged_userns" name="proc/8510/uid_map" pid=8510 comm="bwrap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
5/3/25 10:54 PM	kernel	audit: type=1400 audit(1746284084.455:215): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8511 comm="srt-bwrap" requested="userns_create" target="unprivileged_userns"
5/3/25 10:54 PM	kernel	audit: type=1400 audit(1746284084.455:216): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="unprivileged_userns" name="proc/8512/uid_map" pid=8512 comm="srt-bwrap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

So whatever it is, it seems that AppArmor is ignoring the profile. I'll try to see what's wrong, but I figure it might be helpful to give an update on my findings.

IskandarAlex2 avatar May 03 '25 14:05 IskandarAlex2

Update:

It seems that AppArmor is instead blocking bwrap itself, and creating /etc/apparmor.d/bwrap containing this solved one of the problems:

abi <abi/4.0>,
include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap>
}

I am now facing another AppArmor problem:

pressure-vessel-wrap[11822]: W: Not sharing path --filesystem="/etc" with container because "/etc" is reserved by the container framework
pressure-vessel-wrap[11822]: W: Not sharing path --filesystem="/sbin" with container because "/sbin" is reserved by the container framework
pressure-vessel-wrap[11822]: W: Unable to share "/etc/apparmor.d" with container: Path "/etc" is reserved by the container framework
bwrap: Can't chdir to /etc/apparmor.d: No such file or directory
Traceback (most recent call last):
  File "/home/iskandaralex2/.local/bin/protontricks", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/cli/main.py", line 32, in cli
    main(args)
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/cli/util.py", line 175, in wrapper
    return cli_func(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/cli/main.py", line 337, in main
    run_command(
  File "/home/iskandaralex2/.local/share/pipx/venvs/protontricks/lib/python3.12/site-packages/protontricks/util.py", line 522, in run_command
    raise RuntimeError(
RuntimeError: bwrap launcher crashed, returncode: 1

for which the logs show:

5/3/25 11:25 PM	kernel	audit: type=1400 audit(1746285948.576:1130): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=12065 comm="srt-bwrap" requested="userns_create" target="unprivileged_userns"
5/3/25 11:25 PM	kernel	audit: type=1400 audit(1746285948.576:1131): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="unprivileged_userns" name="proc/12066/uid_map" pid=12066 comm="srt-bwrap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

IskandarAlex2 avatar May 03 '25 15:05 IskandarAlex2

So any fix?

emoxam avatar May 05 '25 08:05 emoxam

Still trying, no luck yet. But I am sure there is a solution, since it is just AppArmor being stubborn.

IskandarAlex2 avatar May 06 '25 08:05 IskandarAlex2

It's easy to fix: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0, but then I stumbled at

winetricks GUI enabled, using kdialog 23.08.5
------------------------------------------------------
warning: Unknown file arch of /home/emoxam/.cache/protontricks/proton/Proton 9.0/bin/wineserver.
------------------------------------------------------

emoxam avatar May 07 '25 08:05 emoxam

I also faced that issue when I ran it with --no-bwrap. Also, wouldn't letting unprivileged userns have no restrictions be dangerous?

IskandarAlex2 avatar May 07 '25 13:05 IskandarAlex2
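The audit lines posted above, the /etc/apparmor.d/bwrap profile, and the question of whether flipping kernel.apparmor_restrict_unprivileged_userns=0 globally is dangerous all come down to the same triage question: which executable is being pushed into the kernel's unprivileged_userns profile and denied, and does it need a profile of its own instead of a system-wide exemption. The script below is an added example for this thread, not Protontricks code and not from the issue author. It parses audit lines of the shape shown above (the sample lines are constructed, with made-up pids and one unrelated denial added to show filtering), reports per executable (comm=) which pids were transitioned into unprivileged_userns and which were denied under it, reads the global sysctl if the running kernel has it, and renders a per-executable profile in the same form as the bwrap profile posted above. The path argument to userns_profile() is a placeholder; the thread only names /usr/bin/bwrap, and the later denials are still attributed to comm="srt-bwrap", so the binary a profile must name may differ from the one already covered.

```python
"""Triage AppArmor 'unprivileged_userns' denials from kernel audit lines.

Added example for this issue thread; not part of Protontricks. The path
handed to userns_profile() is a placeholder chosen by the caller.
"""
import os
import re
from collections import defaultdict

# Matches key="quoted value" or key=bareword pairs in one audit record.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Profile the kernel moves a process into when it creates an unprivileged
# user namespace while kernel.apparmor_restrict_unprivileged_userns=1.
RESTRICTED_PROFILE = "unprivileged_userns"

# Constructed sample, modelled on the audit output in this thread. Pids are
# made up; the last line is an unrelated denial added to show filtering.
SAMPLE_AUDIT = [
    'audit: type=1400 audit(1746284084.451:210): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8507 comm="srt-bwrap" requested="userns_create" target="unprivileged_userns"',
    'audit: type=1400 audit(1746284084.451:211): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8508 comm="srt-bwrap" capability=8  capname="setpcap"',
    'audit: type=1400 audit(1746284084.451:212): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="unprivileged_userns" name="proc/8508/uid_map" pid=8508 comm="srt-bwrap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1746284084.453:213): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8509 comm="bwrap" requested="userns_create" target="unprivileged_userns"',
    'audit: type=1400 audit(1746284084.454:214): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="unprivileged_userns" name="proc/8510/uid_map" pid=8510 comm="bwrap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1746284084.460:220): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/proc/sys/kernel/random/boot_id" pid=9000 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# Same shape as the /etc/apparmor.d/bwrap file posted in this thread:
# unconfined except that creating user namespaces is explicitly allowed.
PROFILE_TEMPLATE = """\
abi <abi/4.0>,
include <tunables/global>

profile {name} {path} flags=(unconfined) {{
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/{name}>
}}
"""


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def userns_triage(lines):
    """Per comm: pids transitioned into unprivileged_userns, pids denied
    under it, and the denied operations. Denials under any other profile
    are ignored so unrelated AppArmor noise stays out of the report."""
    report = defaultdict(lambda: {"transitioned": set(), "denied": set(), "ops": set()})
    for line in lines:
        f = parse_audit_line(line)
        comm = f.get("comm")
        if not comm:
            continue
        if (f.get("apparmor") == "AUDIT" and f.get("operation") == "userns_create"
                and f.get("target") == RESTRICTED_PROFILE):
            report[comm]["transitioned"].add(int(f["pid"]))
        elif f.get("apparmor") == "DENIED" and f.get("profile") == RESTRICTED_PROFILE:
            report[comm]["denied"].add(int(f["pid"]))
            report[comm]["ops"].add(f.get("operation", "?"))
    return dict(report)


def blocked_executables(lines):
    """Sorted comm= names whose user-namespace setup was denied."""
    return sorted(c for c, r in userns_triage(lines).items() if r["denied"])


def read_userns_restriction(path="/proc/sys/kernel/apparmor_restrict_unprivileged_userns"):
    """Value of the global knob (1 = restricted, 0 = off), or None when the
    running kernel has no such sysctl (non-Ubuntu kernels, containers)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def userns_profile(path):
    """Render a per-executable profile for the binary at `path`. The profile
    name follows the on-page convention (file name of the binary)."""
    return PROFILE_TEMPLATE.format(name=os.path.basename(path), path=path)


if __name__ == "__main__":
    print("global restriction:", read_userns_restriction())
    for comm, r in userns_triage(SAMPLE_AUDIT).items():
        print(f"{comm}: transitioned={sorted(r['transitioned'])} "
              f"denied={sorted(r['denied'])} ops={sorted(r['ops'])}")
    # Placeholder path: the thread only names /usr/bin/bwrap.
    print(userns_profile("/usr/bin/bwrap"))
```

Run it against `journalctl -k` output instead of the constructed sample to see which comm= names are actually hitting the restriction. The design point is the scope of the fix: setting kernel.apparmor_restrict_unprivileged_userns=0 removes the mitigation for every unprivileged process on the machine, while a profile with `userns,` and flags=(unconfined) exempts only the executable it names, which is why the report keys on comm= and the profile takes a single path. Note that a profile is matched by the executable's path, not by comm=, so the binary behind a comm like srt-bwrap has to be located before a profile for it can be written.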

It's easy to fix: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0, but then I stumbled at

winetricks GUI enabled, using kdialog 23.08.5
------------------------------------------------------
warning: Unknown file arch of /home/emoxam/.cache/protontricks/proton/Proton 9.0/bin/wineserver.
------------------------------------------------------

That warning is benign and can be ignored. If Protontricks isn't working, there's likely a different issue causing it.

Matoking avatar May 10 '25 08:05 Matoking

That warning is benign and can be ignored. If Protontricks isn't working, there's likely a different issue causing it.

We should guess?

emoxam avatar May 12 '25 06:05 emoxam

It's easy to fix: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0, but then I stumbled at

winetricks GUI enabled, using kdialog 23.08.5
------------------------------------------------------
warning: Unknown file arch of /home/emoxam/.cache/protontricks/proton/Proton 9.0/bin/wineserver.
------------------------------------------------------

I'm having the same issue. I also get a GUI dialog that shows the same error.

Jappe02 avatar Jun 03 '25 12:06 Jappe02