Hey John, thanks for the notes. While we're waiting for a nice complete
solution, it would be great to have some public pointers for figuring
out a workaround.

Here: https://askubuntu.com/a/1541329/282071 someone figured out that if
they "resolve the executable symlink before creating the apparmor
profile" they got things working. It would be great if you could comment
on that as a workaround.

They also said they installed the pipx binary with `--global` (which
requires root) - they don't know if that's necessary for their approach
to work. It would be great if you could comment on whether that's
expected to be necessary too.

https://bugs.launchpad.net/bugs/2092752

Title:
  Guidance for pipx binaries requiring user namespaces

Status in apparmor package in Ubuntu:
  New

Bug description:
  Basically - this question:
  https://askubuntu.com/questions/1536722/how-to-apply-apparmor-profile-to-pipx-binaries

  How can users installing tools via pipx configure AppArmor profiles
  for those tools, so they can be used to create user namespaces and act
  as root/with CAP_SYS_ADMIN etc within those namespaces? I raise this
  as a bug since, if I understand correctly, the new user namespace
  restrictions introduce a new (the only?) case where AppArmor profiles
  are required for the application to function.

  I guess this is just a question of providing examples & documentation
  so that non-AppArmor-experts can figure out the right magic to put in
  the profile.

  IIUC based on https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces,
  this affects 23.10+. I myself have only experienced it with 24.04. The
  specific app I'm personally interested in is mkosi:
  https://github.com/systemd/mkosi but I believe this will affect a variety
  of different tools.
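The workaround described in the comment above (resolve the pipx launcher symlink first, then write a profile for the real path that grants the userns permission) can be scripted. The following is an added example for this thread, not code from the bug reporter, the askubuntu answer or the apparmor package. It assumes the AppArmor 4.x profile syntax shipped with Ubuntu 24.04 (`abi <abi/4.0>`, an unconfined profile carrying a `userns,` rule, as shown in the Ubuntu 23.10 blog post linked above); the profile name and the demo's temporary paths are constructed here. It does not answer whether `pipx install --global` is needed; that is left to the maintainers' reply.

```shell
#!/bin/sh
# Added example: generate an AppArmor profile that allows user namespaces for a
# tool installed via pipx. pipx puts a symlink in ~/.local/bin pointing into the
# venv; AppArmor attaches profiles by the path the kernel sees at exec, so the
# profile must name the resolved target, not the symlink.

# Resolve the whole symlink chain to the final executable path.
resolve_exe() {
    readlink -f "$1"
}

# Print a profile for the resolved executable that keeps the tool unconfined
# apart from explicitly granting the userns permission.
#   $1 = path to the pipx launcher (usually ~/.local/bin/<tool>)
#   $2 = profile name to use under /etc/apparmor.d (assumed naming, pick your own)
make_userns_profile() {
    exe=$(resolve_exe "$1") || return 1
    [ -n "$exe" ] || return 1
    name=$2
    printf '%s\n' \
        'abi <abi/4.0>,' \
        'include <tunables/global>' \
        '' \
        "profile $name $exe flags=(unconfined) {" \
        '  userns,' \
        '' \
        '  # Site-specific additions and overrides.' \
        "  include if exists <local/$name>" \
        '}'
}

# Demo with a constructed layout that mimics pipx: a venv launcher script and a
# symlink to it in a "bin" directory. Nothing here touches /etc/apparmor.d.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/venv/bin" "$tmp/bin"
    printf '#!/usr/bin/env python3\n' > "$tmp/venv/bin/tool"
    chmod +x "$tmp/venv/bin/tool"
    ln -s "$tmp/venv/bin/tool" "$tmp/bin/tool"
    make_userns_profile "$tmp/bin/tool" pipx-tool
    rm -rf "$tmp"
}

demo
```

To apply a generated profile on a real system, write it to `/etc/apparmor.d/<name>` and load it with `sudo apparmor_parser -r /etc/apparmor.d/<name>`; re-run the generator if pipx reinstalls the tool into a different venv path, since the profile is tied to the resolved path.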
