Unfortunately even the /**/bitbake/bin/bitbake mask doesn't always work
since bitbake's server can be triggered by other commands such as
devtool or recipetool. In those cases, the glob doesn't match and you
hit weird failures. It also has interesting problems with using
BB_SERVER_TIMEOUT=60 since
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
It can be installed via
sudo apt install apparmor-notif
FWIW I don't think this proposed profile should be shipped upstream or
in Ubuntu for bitbake - it allows any file anywhere on the filesystem
under a path bitbake/bin/bitbake to use unprivileged user namespaces -
i.e. if I was a malware author I would have my malware create a second
stage malware fil
@bkhuugeicp can you send a patch to bitbake-devel?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056555
Title:
Allow bitbake to create user namespace
Status in apparmo
Able to confirm that I can at least work around the issue for now.
In case anyone needs a convenient enough copy-pastable command, this is the
sequence I was able to use.
```bash
# Workaround for ubuntu issue [Allow bitbake to create user namespace](https://bugs.launchpad.net/ubuntu/+source/appa
```
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.
Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The
@richard-purdie-1:
I can completely agree that it's sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.
Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the use
Who would be shipping this trusted app? Bitbake can run at arbitrary
locations because it isn't something you install at a distro level, but
something the user fetches and runs.
I think we'll have to fallback to spawning inside unshare assuming a
future point release of apparmor allows unshare to
I think it would, yes. @ross, can you point RP to this ticket please?
Trying to recreate our own execution environment inside this executable
will likely be a bit painful and awkward.
It isn't impossible but we'd likely have to add a new execution
environment to our list at the top level in the way we have fakeroot and
non-fakeroot environments today with new networ
If I understood right, this would be a wrapper script, shipped by
Ubuntu. Bitbake would detect its presence and run it with the name of
the executable that would be run by the script and get restricted
network access. No?