I'm still trying to understand the exact implications of this, since I make extensive use of LXC containers, using subuid/subgid mapping, so that users can create containers without needing access to UID 0.
Are we talking about blocking namespaces where UID 0 in the container is mapped to the real UID 0, or will it also impact containers where UID 0 in the container is mapped to some other UID. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1990064 Title: unconfined profile denies userns_create for chromium based processes Status in apparmor package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: For Ubuntu 22.10, since the last kernel update, i canĀ“t launch any chromium based browser, due to apparmor denying userns_create dmesg shows: apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create" This happens for every process which uses a chromium engine, like google chrome itself or in this case steamwebhelper. Might be related to this change?: https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/ not sure if it got merged in this form though.. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990064/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
