@ross: atm, correct, unshare does not work as it does not have a profile enabled by default. However this will be partially fixed via SRU. The SRU for apparmor 4.0.1 includes an example profile for unshare*, that will allow unshare to create user namespaces and even have capabilities within the user namespace, but any child it execs, whether in the user namespace or outside of it, will not have those privileges.

This will enable unshare to be used for some use cases but not all. Basically it will NOT work for the use case where the executed child needs privileges within the user namespace. This use case has to be privileged, as otherwise it allows the unprivileged user to bypass the restriction.

* Note: the 4.0.1 SRU does not enable the unshare profile by default, as there needs to be further testing that we are not regressing current unshare users like LXD. The plan is to enable it with a targeted follow-on SRU that does only 1 thing: enable the profile by default.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056555

Title:
  Allow bitbake to create user namespace

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
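The shape of profile the comment above describes (unshare itself may create user namespaces and hold capabilities inside them, while anything it execs is moved into a child profile that has no capabilities) can be expressed with AppArmor 4.0 policy syntax as below. This is an added illustration, not the profile shipped in the apparmor 4.0.1 SRU; the profile name, the child-profile name `unpriv_child`, the installed path and the flags are assumptions chosen for the example.

```apparmor
# Illustrative profile only (not the SRU's example profile).
# Requires an AppArmor 4.0 parser/kernel for the `userns` rule.
abi <abi/4.0>,

include <tunables/global>

# ASSUMED profile name and path.
profile unshare-example /usr/bin/unshare flags=(attach_disconnected) {
  # unshare may open its own unprivileged user namespace...
  userns,
  # ...and keep capabilities inside that namespace.
  capability,
  network,

  # Anything unshare executes (inside or outside the namespace) is
  # transitioned into the restricted child profile below instead of
  # inheriting this profile's capabilities.
  pix /** -> &unshare-example//&unpriv_child,

  # ASSUMED child-profile name.
  profile unpriv_child flags=(attach_disconnected) {
    # Broad file/exec access so ordinary unprivileged workloads keep running...
    /** mrixwlk,
    # ...but no capabilities: a child that needs privileges inside the
    # user namespace (the case the comment says is NOT covered) fails here.
    audit deny capability,
    # Further unshare() calls by the child are also refused.
    audit deny userns,
  }
}
```

To try such a profile, load it with `apparmor_parser -r <file>`, confirm it is listed by `aa-status`, and run a workload that needs capabilities inside its namespace (for example a container build) under it; the `audit deny` lines make the refused operations visible in the audit log, which is the quickest way to tell whether a given use case falls on the unsupported side of the line the comment draws.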