← Back to team overview

edubuntu-bugs team mailing list archive

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

 

I was wondering about the threats being mitigated by disabling
unprivileged userns like this. After some searching, I was able to find
this rationale: https://discourse.ubuntu.com/t/spec-unprivileged-user-
namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626

Now my question becomes: On a system where software like podman or
flatpak are installed, wouldn't an unprivileged attacker be able to
trivially leverage that software to work around your apparmor
limitation? Would there be any security benefit in keeping
`kernel.apparmor_restrict_unprivileged_userns` set to 0 with the
presence of such software on the system?

For context, I'm trying to evaluate my options since we make extensive
use of bwrap in our systems. Currently, all my attempts to fix bwrap
ended with `bwrap: setting up uid map: Permission denied` which was
finally explained when I discovered this bug.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions