This bug was fixed in the package apparmor - 4.0.0~alpha2-0ubuntu2

---------------
apparmor (4.0.0~alpha2-0ubuntu2) mantic; urgency=medium

  * Fix invalid JSON output from aa-status --json via upstream patch
    (LP: #2032994)
    - d/p/u/binutils-aa_status.c-quiet-verbose-outputs-when-json.patch

 -- Alex Murray <[email protected]>  Fri, 25 Aug 2023 09:48:24 +0930

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2030353

Title:
  Add infrastructure to support enabling userns restrictions via
  sysctl.d file

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, the
  apparmor binary package should provide a file named
  /usr/lib/sysctl.d/10-apparmor.conf that contains the following
  contents:

  # AppArmor restrictions of unprivileged user namespaces
  # Restrict the use of unprivileged user namespaces to applications
  # which have an AppArmor profile loaded which specifies the userns
  # permission. All other applications (whether confined by AppArmor
  # or not) will be denied the use of unprivileged user namespaces.
  #
  # See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
  #
  # If it is desired to disable this restriction, it is preferable to
  # create an additional file named /etc/sysctl.d/20-apparmor.conf
  # which will override this current file and sets this value to 0
  # rather than editing this current file
  # THIS IS CURRENTLY DISABLED BUT WILL BE ENABLED IN A FUTURE UPLOAD
  # AS DETAILED ABOVE
  kernel.apparmor_restrict_unprivileged_userns = 0

  If we enable this currently it would then cause existing applications
  which use unprivileged user namespaces in Ubuntu to fail - as such,
  this file will set the sysctl to 0 for now and will be updated in a
  future upload to enable it, along with a set of apparmor profiles for
  the various applications in the Ubuntu archive which require the use
  of unprivileged user namespaces.
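
The override arrangement described in the file's comments (a vendor default in /usr/lib/sysctl.d/10-apparmor.conf, a local /etc/sysctl.d/20-apparmor.conf taking precedence) can be audited with the sketch below, an added example that is not part of the bug report or the apparmor package. It assumes the sysctl.d(5) ordering rules stated in its comments; the function name `effective_userns_setting` is hypothetical.

```shell
#!/bin/sh
# Added example: report which sysctl.d fragment decides
# kernel.apparmor_restrict_unprivileged_userns, and with what value.
# Assumption (sysctl.d(5) ordering): fragments from all directories are
# merged and sorted by file name, a file in /etc masks a same-named file
# in /run or /usr/lib, and the last assignment read wins.
KEY=kernel.apparmor_restrict_unprivileged_userns

# Usage: effective_userns_setting [ROOT]
# ROOT is an optional filesystem prefix (empty for the live system).
# Prints "<value> <file>" for the winning assignment; returns 1 if unset.
effective_userns_setting() {
    root=${1:-}
    tab=$(printf '\t')
    # Emit "basename<TAB>path", highest-priority directory first.
    for dir in /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d; do
        for f in "$root$dir"/*.conf; do
            [ -e "$f" ] && printf '%s\t%s\n' "${f##*/}" "$f"
        done
    done |
    awk -F "$tab" '!seen[$1]++' |       # keep only the masking copy of a name
    LC_ALL=C sort -t "$tab" -k1,1 |     # apply order: lexical by file name
    while IFS="$tab" read -r _name path; do
        awk -v key="$KEY" '
            /^[ \t]*[#;]/ { next }                      # comment lines
            {
                i = index($0, "="); if (!i) next
                k = substr($0, 1, i - 1); v = substr($0, i + 1)
                gsub(/[ \t]/, "", k); sub(/^-/, "", k)  # "-key" = ignore errors
                gsub("/", ".", k)                       # kernel/foo == kernel.foo
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) print v, FILENAME
            }' "$path"
    done | tail -n 1 | grep .           # last assignment wins; status 1 if none
}
```

Run `effective_userns_setting` with no argument on a live system and compare the value against `sysctl -n kernel.apparmor_restrict_unprivileged_userns`; a mismatch means the fragment was not applied or the value was changed at runtime.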
