Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the behavior of unprivileged user namespace mediation.
With the unprivileged_userns profile loaded, when a user namespace is created by an unprivileged unconfined application the task will be transitioned into the unprivileged_userns profile. The unprivileged_userns profile will then deny privileged operations capability, mount etc. Without the unprivileged_userns profile loaded, the creation of the user namespace will be denied. Through experimentation we have learned that many applications behave better (handle the errors better, eg. qtwebkit will handle the error and fallback to using a sandbox without usernamespaces while without the profile it crashes) with the unprivileged_userns loaded. So that has become the default behavior. You can experiment with changing the behavior by manually unloading the unprivileged_userns profile using sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns nsjail will likely require a profile to work, please see https://discourse.ubuntu.com/t/noble-numbat-release- notes/39890#unprivileged-user-namespace-restrictions-15 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2063976 Title: Apparmor breaking nsjail in AOSP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2063976/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
