edubuntu-bugs team mailing list archive

Thread
Date

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

To: edubuntu-bugs@xxxxxxxxxxxxxxxxxxx
From: John Johansen <2046844@xxxxxxxxxxxxxxxxxx>
Date: Wed, 03 Apr 2024 23:17:08 -0000
Reply-to: Bug 2046844 <2046844@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

@arraybolt3: Answer to your question. bwrap requires capabilities within
the user namespace. unshare is a little more forgiving in that what it
requires depends on the options passed but most of the options also
require capabilities within the user namespace.

The potential solution I mention is comment #91 is to define a profile
for bwrap that allows it capabilities within the namespace but does not
allow its children capabilities within the namespace, so that bwrap and
unshare can not just launch an application to by-pass the restriction.
This seems to work well for unshare but there are cases where bwrap is
failing in unexpected ways (which is still being debugged).

At this late stage the plan is to try to get a fix for bwrap in but if
necessary to file an SRU if necessary for the bwrap fix. So yes this is
being worked on and even if the fix isn't present on day one we do plan
to get it fixed.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions