Public bug reported:

Basically - this question: https://askubuntu.com/questions/1536722/how-to-apply-apparmor-profile-to-pipx-binaries

How can users installing tools via pipx configure AppArmor profiles for those tools, so they can be used to create user namespaces and act as root/with CAP_SYS_ADMIN etc. within those namespaces?

I raise this as a bug since, if I understand correctly, the new user namespace restrictions introduce a new (the only?) case where AppArmor profiles are required for the application to function. I guess this is just a question of providing examples & documentation so that non-AppArmor-experts can figure out the right magic to put in the profile.

IIUC based on https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces, this affects 23.10+. I myself have only experienced it with 24.04.

The specific app I'm personally interested in is mkosi: https://github.com/systemd/mkosi but I believe this will affect a variety of different tools.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/2092752

Title:
  Guidance for pipx binaries requiring user namespaces

Status in apparmor package in Ubuntu:
  New
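Added example (not from the bug report, and not a profile shipped by Ubuntu or mkosi): a small POSIX sh generator for the kind of profile the reporter is asking about. It follows the pattern Ubuntu's own shipped profiles use under kernel.apparmor_restrict_unprivileged_userns=1, an unconfined-mode profile whose only rule is `userns,`. The function name userns_profile, the profile name mkosi, and the pipx paths in the comments are assumptions for illustration; the note about pipx shims and symlinked venv interpreters is my reading of how AppArmor attaches profiles at exec, not something the bug states.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Ubuntu/mkosi.
# Emit an AppArmor profile that leaves a program unconfined except for
# granting it permission to create user namespaces while
# kernel.apparmor_restrict_unprivileged_userns=1 is in effect.
#
# Usage: userns_profile NAME [EXECUTABLE]
#   With EXECUTABLE, the profile attaches automatically whenever that path
#   is executed. Without it, the profile is named only and you enter it
#   explicitly:  aa-exec -p NAME -- command args...
userns_profile() {
    name="$1"     # profile name, e.g. mkosi (assumed)
    exe="$2"      # optional attachment path
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# Unconfined mode: no file, network or capability mediation. The only
# effect of this profile is that the kernel's unprivileged user namespace
# restriction no longer applies to processes running under it.
profile ${name}${exe:+ $exe} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/${name}>
}
EOF
}

# Checking whether the restriction is what is blocking you (run manually):
#   sysctl kernel.apparmor_restrict_unprivileged_userns   # prints 1 when on
#   unshare -Ur true                                      # EPERM when blocked
#
# Caveat for pipx (assumption about AppArmor's exec attachment): the shim
# ~/.local/bin/mkosi is a script with a shebang, and the venv's bin/python is
# normally a symlink to the system interpreter, so the path AppArmor matches
# at exec is the resolved interpreter, not the shim. Attaching this profile
# to that path would grant userns to every program run by that python3, so
# the named-profile form plus aa-exec is the narrower choice:
#
#   userns_profile mkosi | sudo tee /etc/apparmor.d/mkosi >/dev/null
#   sudo apparmor_parser -r /etc/apparmor.d/mkosi
#   aa-exec -p mkosi -- mkosi build
```

Because the profile is in unconfined mode, it adds no confinement of its own; it is purely an allow-list entry for user namespace creation, which is why keeping it named rather than attached to a shared interpreter path matters.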