Sorry, this answer has confused me even more... Here's an example of what
we're currently using, perhaps you can speak to that. The user in this
case has no special rights, certainly not cap_sys_admin.

james@trinity:~$ grep james /etc/subuid
james:100000:65536
james@trinity:~$ ls -asl .local/share/lxc/2004test/rootfs/ | head -8
total 68
4 drwxr-xr-x 17 100000 100000 4096 Aug 14  2020 .
4 drwxrwx---  3 100000 james  4096 Aug 14  2020 ..
0 lrwxrwxrwx  1 100000 100000    7 Aug 14  2020 bin -> usr/bin
4 drwxr-xr-x  2 100000 100000 4096 Apr 15  2020 boot
4 drwxr-xr-x  3 100000 100000 4096 Aug 14  2020 dev
4 drwxr-xr-x 70 100000 100000 4096 Aug 14  2020 etc
4 drwxr-xr-x  3 100000 100000 4096 Aug 14  2020 home


james@trinity:~$ whoami
james
james@trinity:~$ lxc-start -n 2004test
james@trinity:~$ lxc-attach -n 2004test
root@2004test:/# exit
exit
james@trinity:~$ lxc-stop -n 2004test
james@trinity:~$

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any
  chromium based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  google chrome itself or in this case steamwebhelper.

  Might be related to this change?:
  
https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  not sure if it got merged in this form though..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990064/+subscriptions
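
The dmesg denial quoted in the bug description is one instance of a pattern that is worth triaging across a whole kernel log, since the same restriction hits every process that tries to create a user namespace. The following Python is an added example, not code from this thread, from AppArmor or from Ubuntu: it parses AppArmor audit lines into key/value fields, keeps only userns_create denials, groups them by profile and comm, decodes the errno, and optionally reads the kernel.apparmor_restrict_unprivileged_userns sysctl (assumed here to exist only on newer Ubuntu kernels; the helper returns None where it does not). The sample log lines are constructed for the example; only the first mirrors the denial quoted above.

```python
import errno
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines for the example. The first mirrors the denial
# quoted in the bug report (timestamp and audit serial are made up); the rest
# are invented to show lines the filter must ignore.
SAMPLE_DMESG = """\
[ 1234.567890] audit: type=1400 audit(1663500000.123:45): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
[ 1234.900000] audit: type=1400 audit(1663500000.456:46): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21400 comm="chrome" requested="userns_create" denied="userns_create"
[ 1235.000000] audit: type=1400 audit(1663500000.789:47): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=22000 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1235.100000] audit: type=1400 audit(1663500001.000:48): apparmor="ALLOWED" operation="userns_create" class="namespace" profile="lxc-container-default" pid=23000 comm="lxc-start" requested="userns_create"
"""

# AppArmor audit fields are key=value, with values either "quoted" (may
# contain spaces) or bare tokens such as error=-13 or pid=21323.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the AppArmor fields of one log line, or None if it has none.

    Parsing starts at the apparmor= field so the audit(...) prefix is skipped.
    """
    start = line.find('apparmor=')
    if start < 0:
        return None
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line, start):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def userns_denials(log: str) -> List[Dict[str, str]]:
    """Keep only DENIED userns_create events (ALLOWED and other ops are dropped)."""
    out = []
    for line in log.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get('apparmor') == 'DENIED' and f.get('operation') == 'userns_create':
            out.append(f)
    return out


def summarize(denials: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count denials per (profile, comm) so affected programs stand out."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in denials:
        key = (f.get('profile', '?'), f.get('comm', '?'))
        counts[key] = counts.get(key, 0) + 1
    return counts


def errno_name(fields: Dict[str, str]) -> Optional[str]:
    """Map the negative errno in the audit line (e.g. -13) to its symbol (EACCES)."""
    try:
        return errno.errorcode.get(abs(int(fields['error'])))
    except (KeyError, ValueError):
        return None


# Assumption: this sysctl is only present on newer Ubuntu kernels; elsewhere
# the file is missing and the function returns None rather than guessing.
USERNS_SYSCTL = '/proc/sys/kernel/apparmor_restrict_unprivileged_userns'


def unprivileged_userns_sysctl(path: str = USERNS_SYSCTL) -> Optional[int]:
    """Return the sysctl value (1 = restricted) or None if unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == '__main__':
    denials = userns_denials(SAMPLE_DMESG)
    for (profile, comm), n in sorted(summarize(denials).items()):
        print(f'profile={profile} comm={comm} userns_create denials={n}')
    if denials:
        print('errno:', errno_name(denials[0]))
    print('apparmor_restrict_unprivileged_userns:', unprivileged_userns_sysctl())
```

Run it against `dmesg` or `journalctl -k` output instead of the constructed sample to see which profiles and programs on a given host are hitting the restriction; a profile of "unconfined" in the output means the restriction applies to processes with no AppArmor profile of their own, which is exactly the case the bug describes.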


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
