So in short, yes, we are talking about blocking this; however, it's not as bad as
that makes it sound. There is the immediate technical side, and the
reason we must do that, and then there is the longer-term practical-use
side.

So the technical short answer is yes, that will be blocked, at least
without additional confinement. Does it suck for people who want to
set up containers without using root privs? Yes. There is just no way
around this; we can't only block the bad uses, as there is no way to know
what they are in advance. The best we can do is default deny and
selectively allow. And the ability to selectively allow can't be
something the attacker can do without privilege, or they have an easy
way to bypass the restriction.

With that said, it should be fairly easy to make sure there is a generic
profile that will work with most lxc/lxd containers, and that can be
transparent to the user. LXD already offers support for apparmor and the
lxd devs are aware of the coming changes, so I expect the actual impact
on your use case will be minimal to none.

And there is always the option of adjusting the sysctl to disable the
feature on your systems. We just can't make that a default for the
distro as it isn't secure.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any
  chromium based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  google chrome itself or in this case steamwebhelper.

  Might be related to this change?
  https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  Not sure if it got merged in this form, though.

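As an added example (not code from the bug thread or from the apparmor project), here is a small Python parser for the apparmor= audit lines that dmesg shows, run over constructed sample lines in the same format as the one quoted in the bug description. It counts userns_create denials per (profile, comm) so an admin can see which programs are being refused while unconfined, i.e. the candidates for a dedicated profile under the default-deny-and-selectively-allow approach described above. The sample log lines and the helper names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not captured from a real system),
# written in the audit format that the bug report quotes from dmesg.
SAMPLE_LOG = """\
[ 1234.567890] audit: type=1400 audit(1663000000.001:123): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
[ 1235.000000] audit: type=1400 audit(1663000000.002:124): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21400 comm="chrome" requested="userns_create" denied="userns_create"
[ 1236.000000] audit: type=1400 audit(1663000000.003:125): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21401 comm="chrome" requested="userns_create" denied="userns_create"
[ 1237.000000] audit: type=1400 audit(1663000000.004:126): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r"
[ 1238.000000] kernel: unrelated message without an apparmor field
"""

# key="quoted value" or key=bareword (e.g. error=-13, pid=21323)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of an apparmor audit line, or None if the line has none."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def userns_denials(log_text):
    """Count userns_create denials keyed by (profile, comm)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if not fields:
            continue
        if fields.get('apparmor') == 'DENIED' and fields.get('operation') == 'userns_create':
            counts[(fields.get('profile', '?'), fields.get('comm', '?'))] += 1
    return counts


def programs_needing_profile(log_text):
    """Sorted comm names denied userns_create while running under the unconfined profile."""
    denials = userns_denials(log_text)
    return sorted({comm for (profile, comm) in denials if profile == 'unconfined'})


if __name__ == "__main__":
    for (profile, comm), n in sorted(userns_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  profile={profile}  comm={comm}")
    print("candidates for a dedicated profile:", programs_needing_profile(SAMPLE_LOG))
```

On a live system, feed it the output of `dmesg` or the kernel log instead of SAMPLE_LOG; lines without an apparmor= field are skipped.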