Public bug reported:

Basically - this question:
https://askubuntu.com/questions/1536722/how-to-apply-apparmor-profile-to-pipx-binaries

How can users installing tools via pipx configure AppArmor profiles for
those tools, so they can be used to create user namespaces and act as
root/with CAP_SYS_ADMIN etc within those namespaces? I raise this as a
bug since, if I understand correctly, the new user namespace
restrictions introduce a new (the only?) case where AppArmor profiles
are required for the application to function.

I guess this is just a question of providing examples & documentation so
that non-AppArmor-experts can figure out the right magic to put in the
profile.

IIUC based on
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces,
this affects 23.10+. I myself have only experienced it with 24.04. The
specific app I'm personally interested in is mkosi:
https://github.com/systemd/mkosi but I believe this will affect a
variety of different tools.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2092752

Title:
  Guidance for pipx binaries requiring user namespaces

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2092752/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
