FWIW I don't think this proposed profile should be shipped upstream or
in Ubuntu for bitbake - it allows any file anywhere on the filesystem
under a path bitbake/bin/bitbake to use unprivileged user namespaces -
i.e. if I was a malware author I would have my malware create a second
stage malware file called $HOME/bitbake/bin/bitbake and it would then be
granted the use of userns by this profile (and hence could take
advantage of userns as part of further exploitation). The specified
attachment path regex is too broad.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056555
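The comment above argues that the attachment path is too broad. As an added example (not part of this bug thread or of the apparmor package), here is a small checker that translates a simplified subset of AppArmor path-glob syntax to a regex and reports which candidate paths a profile would attach to, flagging matches under user-writable trees. The glob shapes, the sample paths and the user-writable prefix list are all assumptions constructed for the example; the real proposed profile is not quoted in this thread.

```python
import re

def apparmor_glob_to_regex(glob: str) -> re.Pattern:
    """Translate a subset of AppArmor path globs to an anchored regex.

    Simplified (assumed) semantics: '**' matches anything including '/',
    '*' and '?' match within one path component, '{a,b}' is alternation.
    Character classes and other AppArmor extensions are not handled.
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = glob.index("}", i)
            alts = [re.escape(a) for a in glob[i + 1:j].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def attaches_to(glob: str, paths) -> dict:
    """Map each candidate path to whether the profile would attach to it."""
    pat = apparmor_glob_to_regex(glob)
    return {p: bool(pat.match(p)) for p in paths}

# Assumed user-writable locations; an attachment that matches here is
# reachable by any local user and so hands them the profile's permissions.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/")

def user_writable_matches(glob: str, paths) -> list:
    """Return the matched paths that live under user-writable trees."""
    return [p for p, hit in attaches_to(glob, paths).items()
            if hit and p.startswith(USER_WRITABLE)]

# Constructed sample paths (not from the bug report).
CANDIDATE_PATHS = [
    "/usr/lib/bitbake/bin/bitbake",
    "/home/alice/openpli-oe-core/bitbake/bin/bitbake",
    "/tmp/bitbake/bin/bitbake",
    "/home/alice/bitbake/bin/bitbake-worker",
]
BROAD = "/**/bitbake/bin/bitbake"       # assumed shape of a too-broad attachment
NARROW = "/usr/lib/bitbake/bin/bitbake" # assumed shape of a system-only attachment
```

Running `user_writable_matches(BROAD, CANDIDATE_PATHS)` lists the home and /tmp copies, while the narrow form returns an empty list, which is the check a reviewer would want before accepting a userns-granting profile.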

Title:
  Allow bitbake to create user namespace

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Occurs since an update around March 2 Ubuntu 24.04.

  Bitbake is broken due to file permission problem.

  Traceback (most recent call last):
    File "/home/hains/openpli-oe-core/bitbake/bin/bitbake-worker", line 268, in child
      bb.utils.disable_network(uid, gid)
    File "/home/hains/openpli-oe-core/bitbake/lib/bb/utils.py", line 1653, in disable_network
      with open("/proc/self/uid_map", "w") as f:
  PermissionError: [Errno 1] Operation not permitted

  Test code

  with open("/proc/self/uid_map", "w") as f:
      f.write("%s %s 1" % (1000, 1000))

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: dash 0.5.12-6ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
  Uname: Linux 6.8.0-11-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Mar  8 14:34:08 2024
  InstallationDate: Installed on 2023-03-24 (350 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: dash
  UpgradeStatus: Upgraded to noble on 2024-01-10 (58 days ago)
