Ubuntu added a patch last year to allow user namespaces only for processes confined by AppArmor, and allegedly the kernel patch for this feature made it into the upstream kernel as well, but there seems to be no documentation available about it. Additionally, AppArmor now includes default profiles with the userns permission making use of this feature, but there is no documentation about the requirements of this feature.
How can this feature actually be used on other Linux distributions and vanilla Linux kernels? It seems like kernel.apparmor_restrict_unprivileged_userns is not available outside of Ubuntu and most similar flags appear undocumented as well. Is support for restricted userns actually available outside of Ubuntu?