Public bug reported:

Basically - this question: https://askubuntu.com/questions/1536722/how-to-apply-apparmor-profile-to-pipx-binaries

How can users installing tools via pipx configure AppArmor profiles for
those tools, so they can be used to create user namespaces and act as
root/with CAP_SYS_ADMIN etc within those namespaces? I raise this as a
bug since, if I understand correctly, the new user namespace
restrictions introduce a new (the only?) case where AppArmor profiles
are required for the application to function.

I guess this is just a question of providing examples & documentation so
that non-AppArmor-experts can figure out the right magic to put in the
profile.

IIUC based on https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces, this affects 23.10+. I myself have only
experienced it with 24.04. The specific app I'm personally interested in
is mkosi: https://github.com/systemd/mkosi but I believe this will
affect a variety of different tools.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New
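As an added illustration (not part of the bug report or of Ubuntu's shipped profiles), the kind of profile the reporter is asking for: an unconfined-mode AppArmor 4.0 profile that grants only the `userns` permission to a pipx-installed entry point. It assumes pipx's default layout, where `~/.local/bin/mkosi` is a symlink to the venv script `~/.local/share/pipx/venvs/mkosi/bin/mkosi`; the file name `pipx.mkosi` and the profile name are constructed for the example.

```apparmor
# /etc/apparmor.d/pipx.mkosi  (constructed example; adjust the venv path)
# The userns rule needs the 4.0 ABI, which is what Ubuntu 24.04 ships.
abi <abi/4.0>,
include <tunables/global>

# pipx installs a venv under ~/.local/share/pipx/venvs/<pkg>/ and symlinks
# ~/.local/bin/<cmd> to the entry-point script inside it. AppArmor attaches
# a profile to the resolved path of the file passed to exec(), so the
# attachment must name the venv script, not the ~/.local/bin symlink.
# @{HOME} comes from tunables/home and covers every user's home directory.
profile pipx.mkosi @{HOME}/.local/share/pipx/venvs/mkosi/bin/mkosi flags=(unconfined) {
  # flags=(unconfined) keeps the program otherwise unrestricted; the profile
  # exists solely to hand out the one permission the kernel restriction took
  # away from unconfined processes: creating user namespaces.
  userns,
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/pipx.mkosi` and confirm with `aa-status` that `pipx.mkosi` appears under the unconfined profiles; a denied namespace creation before loading shows up in `journalctl -k` as an `apparmor="DENIED" operation="userns_create"` record.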

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2092752

Title:
  Guidance for pipx binaries requiring user namespaces

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2092752/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp