I was wondering about the threats being mitigated by disabling unprivileged userns like this. After some searching, I was able to find this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626

Now my question becomes: On a system where software like podman or flatpak is installed, wouldn't an unprivileged attacker be able to trivially leverage that software to work around your apparmor limitation? Would there be any security benefit in keeping `kernel.apparmor_restrict_unprivileged_userns` set to 0 with the presence of such software on the system?

For context, I'm trying to evaluate my options since we make extensive use of bwrap in our systems. Currently, all my attempts to fix bwrap ended with `bwrap: setting up uid map: Permission denied`, which was finally explained when I discovered this bug.

--
https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP