Not a regression, or at least an intended regression (i.e. it is doing exactly what is intended). This is exactly what has been talked about for 6+ months. Unprivileged user_namespaces are going away, but instead of the big system-level sysctl we can allow them on a per-application basis.

The only question is whether we default this off for 22.10. With the current kernel there are two options for dealing with this:

1. for applications that don't have CAP_SYS_ADMIN, confine the application if it needs to use user namespaces
2. set the sysctl apparmor_restrict_unprivileged_userns to 0

It's possible we could set this option in the kernel to default N. But it HAS to change soon. Unprivileged user namespaces have been used as part of the exploit chain in multiple attacks over the last several years. Debian defaults them off with the sysctl, and this gives them a potential option to move forward. I will re-iterate, unprivileged user_namespaces are going away, this is a requirement.

-- 
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any chromium based browser, due to apparmor denying userns_create.

  dmesg shows:

  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like google chrome itself or in this case steamwebhelper.

  Might be related to this change?: https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/ not sure if it got merged in this form though..
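An added triage helper (example code written for this page, not part of the bug thread or of AppArmor itself) that parses the `userns_create` denial line quoted above and reports the current value of the restriction sysctl; it assumes the sysctl is exposed at /proc/sys/kernel/apparmor_restrict_unprivileged_userns and that the audit line keeps the `key="value"` / `key=value` layout shown in the report:

```shell
#!/bin/sh
# Constructed sample line, modelled on the dmesg output in the bug report.
SAMPLE_LOG='apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"'

# Print the value of one key from an AppArmor audit line.
# Handles both quoted (comm="x") and bare (pid=21323) values.
aa_field() {
    line=" $1"; key="$2"
    v=$(printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$key=\"\([^\"]*\)\".*/\1/p")
    [ -n "$v" ] || v=$(printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$key=\([^[:space:]\"]*\).*/\1/p")
    printf '%s\n' "$v"
}

# For a line that is a denied userns_create, print "pid comm profile".
# Returns 1 for any other line, so callers can filter with it.
userns_denial() {
    [ "$(aa_field "$1" apparmor)" = "DENIED" ] || return 1
    [ "$(aa_field "$1" operation)" = "userns_create" ] || return 1
    printf '%s %s %s\n' "$(aa_field "$1" pid)" "$(aa_field "$1" comm)" "$(aa_field "$1" profile)"
}

# Current restriction state: 1 = unprivileged userns restricted (the new
# default), 0 = unrestricted (the sysctl option from the comment).
# Assumed /proc/sys path; prints "unknown" where the file is not present.
userns_restriction() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Walk the kernel log and list each distinct (pid comm profile) that was
# denied; every "unconfined" comm listed is a candidate for its own profile.
scan_dmesg() {
    dmesg 2>/dev/null | while IFS= read -r l; do userns_denial "$l"; done | sort -u
}

echo "apparmor_restrict_unprivileged_userns=$(userns_restriction)"
userns_denial "$SAMPLE_LOG"
```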