Hello, I recently started experimenting with AppArmor and have successfully created profiles for several applications. However, I encountered an issue while profiling Steam. Specifically, Steam fails to launch when AppArmor is enabled. Below is the error output from Steam:

```
steam.sh[204656]: Running Steam on arch rolling 64-bit
steam.sh[204656]: STEAM_RUNTIME is enabled automatically
setup.sh[204732]: Steam runtime environment up-to-date!
steam-runtime-check-requirements[206680]: W: Child process exited with code 1: bwrap: setting up uid map: Permission denied
steam.sh[204656]: Error: Steam now requires user namespaces to be enabled. This requirement is the same as for Flatpak, which has more detailed information available: https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
```

From the URL provided in the output, I quickly figured out it is an issue related to bubblewrap. Below is the output of bwrap when its profile is set to complain mode:

```
>> bwrap --bind / / --ro-bind /usr /usr --dev /dev --proc /proc --dir /tmp --unshare-user --unshare-net --unshare-pid /bin/bash --expose-pids
bwrap: setting up uid map: Permission denied
```

Here is the AppArmor profile I have configured for bwrap:

```
abi <abi/4.0>,

include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(complain) {
  # AppArmor 4.0 rule allowing this program to create user namespaces.
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/bwrap>
}
```

I also verified that `/proc/sys/kernel/unprivileged_userns_clone` is set to `1`.

```
>> cat /proc/sys/kernel/unprivileged_userns_clone
1
```

From `/sys/kernel/security/apparmor/profiles` I can see that `bwrap` is set to complain mode, so it should not be restricted in any way. I suspect this may be an issue with my configuration rather than a bug in AppArmor itself. If anyone has insights or suggestions for resolving this, I would greatly appreciate your help. Thank you in advance!
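An added example, not part of the post above, that scripts the checks the poster ran by hand: it reads the bwrap profile mode from `/sys/kernel/security/apparmor/profiles`, reads the `unprivileged_userns_clone` sysctl, and then tries to create a user namespace with `unshare` alone, so a kernel-level denial can be told apart from one caused by the bwrap profile. The function names and the `--live` flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the --live
# flag are this example's own choices.

# Print the mode of one AppArmor profile from a profiles listing whose lines
# look like "bwrap (complain)"; prints "absent" if the profile is not loaded.
apparmor_profile_mode() {
    listing="$1"; name="$2"
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$listing")
    printf '%s\n' "${mode:-absent}"
}

# True when the given sysctl file reads "1" (unprivileged user namespaces on).
userns_clone_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Run the checks against the live system, using the same paths quoted in the post.
live_check() {
    profiles=/sys/kernel/security/apparmor/profiles
    sysctl=/proc/sys/kernel/unprivileged_userns_clone

    printf 'bwrap profile mode: %s\n' "$(apparmor_profile_mode "$profiles" bwrap)"

    if [ -e "$sysctl" ]; then
        userns_clone_enabled "$sysctl" && s=enabled || s=disabled
        printf 'unprivileged_userns_clone: %s\n' "$s"
    else
        echo 'unprivileged_userns_clone: sysctl not present on this kernel'
    fi

    # Probe user namespace creation without bwrap: if this fails too, the
    # restriction is not coming from the bwrap profile.
    if unshare -U true 2>/dev/null; then
        echo 'unshare -U: user namespace created'
    else
        echo 'unshare -U: denied (check dmesg or the audit log for apparmor="DENIED")'
    fi
}

case "${1:-}" in --live) live_check ;; esac
```

Run it as `sh check-userns.sh --live` on the affected machine; without the flag it only defines the functions.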