This sounds like a kernel regression.

The commit you link to is for SELinux, which is not enabled by default
in Ubuntu, so I doubt it is that specifically - instead I suspect this
is due to the following commit:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914

The logic here:

int aa_profile_ns_perm(struct aa_profile *profile, struct common_audit_data *sa,
                      u32 request)
{
...
       if (profile_unconfined(profile)) {
               if (!unprivileged_userns_restricted ||
                   ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
                   return 0;

               aad(sa)->info = "User namespace creation restricted";
               /* fall through to below allows complain mode to override */
       } else {
               struct aa_ruleset *rules = list_first_entry(&profile->rules,
                                                           typeof(*rules),
                                                           list);
               aa_state_t state;

               state = RULE_MEDIATES(rules, aad(sa)->class);
               if (!state)
                       /* TODO: add flag to complain about unmediated */
                       return 0;
               perms = *aa_lookup_perms(&rules->policy, state);
       }

       aa_apply_modes_to_perms(profile, &perms);
       return aa_check_perms(profile, &perms, request, sa, audit_ns_cb);
}

Seems to indicate that all unconfined processes that do not have
CAP_SYS_ADMIN will be denied the ability to use user namespaces - this
feels like a definite regression / policy change within the kernel
itself.

Should the kernel instead be built with
CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=n ?

Or is this code not doing what it was intended to do?

** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

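The following is an added diagnostic, not code from the bug report or from the kernel tree: it repeats the userns_create attempt outside a browser and maps the resulting errno to the dmesg line quoted below, so an AppArmor EACCES (error=-13) can be told apart from the core kernel's own EPERM. It assumes Linux; the CLONE_NEWUSER value is copied from <linux/sched.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define CLONE_NEWUSER 0x10000000 /* value from <linux/sched.h> */

/* Map the errno of unshare(CLONE_NEWUSER) to a likely cause. EACCES is what
 * the dmesg line in the report shows (error=-13): an LSM hook, here AppArmor's
 * aa_profile_ns_perm(), refused. EPERM is the core kernel's own refusal. */
const char *classify_userns_errno(int err)
{
    switch (err) {
    case 0:      return "allowed";
    case EACCES: return "denied by LSM: look for apparmor=\"DENIED\" operation=\"userns_create\" in dmesg";
    case EPERM:  return "denied by core kernel policy (capability or sysctl), not by AppArmor";
    case EINVAL: return "CLONE_NEWUSER not supported by this kernel";
    default:     return "other failure";
    }
}

/* Try unshare(CLONE_NEWUSER) in a forked child so the caller keeps its own
 * namespaces. Returns the child's errno (0 on success), -1 if the probe failed. */
int probe_userns_create(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (syscall(SYS_unshare, CLONE_NEWUSER) == 0) /* same as unshare(2) */
            _exit(0);
        _exit(errno); /* Linux errno values fit in an exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int err = probe_userns_create();
    if (err < 0) { perror("probe"); return 1; }
    printf("unshare(CLONE_NEWUSER): %s -> %s\n",
           err ? strerror(err) : "ok", classify_userns_errno(err));
    return 0;
}
```

Run it as the same unconfined, non-root user that launches the browser; if it reports EACCES while the kernel's usual unprivileged userns settings are unchanged, the denial is coming from the AppArmor check discussed above.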
-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  New

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any
  chromium based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  google chrome itself or in this case steamwebhelper.

  Might be related to this change?:
  https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  Not sure if it got merged in this form though.
