[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Thanks for the detailed reply @jjohansen, Do you think it would be feasible to spawn a pop-up that says something like "This application uses namespaces which is considered vulnerable to exploits, are you sure you want to continue?" and ask for the password to allow the application to run. This would resolve the issue while still allowing portable applications to run properly. This could be achieved for example providing a tool to ask apparmor for permissions. From my side I can just detect if apparmor is used and ask apparmor to grant access to namespaces, in term, apparmor would spawn a pop-up for the user saying that my application is requesting this permission. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Thanks for the reply! My use case is this one 'shipped as a .tar.gz that people unpack into their home dir and then use'. To me it seems counter-intuitive to force applications to run un-sanboxed for added security; both the solutions proposed (with the application profile and to turn off the user namespace restrictions) would require root privileges, which I currently do not require users to have to be able to run my application. Does Ubuntu have plans for an alternative to bubblewrap sandboxing? Blocking kernel features because they might be exploited seems really extreme. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Hello, Pardon my ignorance, but I ship applications with my own build of bubblewrap to run in a sandboxed manner. bwrap's pivot_root allows my application to work across several distros without worrying about issues with missing or incompatible libraries; it also makes possible to run the same binary on both musl and glibc systems. Does this mean that this will never work on ubuntu again even after the proposed fix (since I do not use the system provided /usr/bin/bwrap binary)? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs