ubuntustudio-bugs team mailing list archive

[John Johansen <2046844@xxxxxxxxxxxxxxxxxx>]

Sorry for the delay on this, we had some bugs to chase down. The
following PPA has an update to how user namespace mediation is being
handled. For the unconfined case there are two options

1. If the unprivileged_userns profile does not exist, unprivileged user
namespace creation is denied as before.

2. If the unprivileged_userns profile exists (ie. is loaded into the
kernel), unprivileged user namespace creation is allowed an will result
in a transition into the unprivileged_userns profile. The
unprivileged_userns profile with then deny all capabilities within the
profile. Execution of applications is allowed within the
unprivileged_userns profile but, they will result in a stack with the
unprivileged_userns profile, that is to say the unprivileged_userns
profile can not be dropped (capabilities can not be gained).

There is still some additional functionality to land that will give
profile authors more control, but what is present here should be enough
to start testing.

https://launchpad.net/~apparmor-dev/+archive/ubuntu/unprivileged-userns

Note: the apparmor_restriction_unprivileged_unconfined needs to be
enabled to test the above user namespace behavior. See
https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akregator package in Ubuntu:
  Confirmed
Status in angelfish package in Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Confirmed
Status in devhelp package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Confirmed
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in evolution package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Confirmed
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Confirmed
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kiwix package in Ubuntu:
  Confirmed
Status in konqueror package in Ubuntu:
  Confirmed
Status in kontact package in Ubuntu:
  Confirmed
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Confirmed
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Confirmed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Confirmed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions