If you want, you can test the attached profile. It will allow bwrap to work in 
most situations. There are a few places where it will still cause failures:
1. If the child that bwrap launches requires privilege in the unprivileged user 
namespace.
2. If the child profile has issues due to no-new-privileges.
3. Some applications that use bwrap to set up their sandbox may break for 
various reasons. E.g., this is known to cause some issues with flatpaks. The 
solution for these is a profile for those applications. In the case of flatpak, 
its profile needs to be updated.

Both of those should be

** Attachment added: "update bwrap profile"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2089378/+attachment/5839551/+files/bwrap-userns-restrict

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2089378

Title:
  bwrap needs an apparmor profile to work

Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  Ubuntu Version: 24.04.1
  Package: apparmor 4.0.1really4.0.1-0ubuntu0.24.04.3

  Due to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces 
  bwrap does not work out of the box anymore. The error is:
  bwrap: setting up uid map: Permission denied

  I fixed it by creating this file: /etc/apparmor.d/bwrap
  ```
  abi <abi/4.0>,
  include <tunables/global>

  profile bwrap /usr/bin/bwrap flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/bwrap>
  }
  ```

  Could you include this fix in the apparmor package?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2089378/+subscriptions
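
As an added example (not from the bug report or the apparmor package), this shell function checks the two conditions the report ties together: whether the unprivileged user namespace restriction is switched on, and whether a profile named `bwrap` is loaded. The sysctl and securityfs paths are the standard kernel locations; the function name and the status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether bwrap is expected to hit
# "setting up uid map: Permission denied" on this host.
# bwrap_userns_status and its status strings are this example's own names.
# The two files are passed as arguments so the logic can also be run
# against saved copies taken from another machine.

# usage: bwrap_userns_status SYSCTL_FILE PROFILES_FILE
# prints: unrestricted | profile-loaded | blocked   (exit 1 only for blocked)
bwrap_userns_status() {
    sysctl_file=$1
    profiles_file=$2

    # A missing knob is treated as "restriction not active".
    restrict=0
    if [ -r "$sysctl_file" ]; then
        restrict=$(cat "$sysctl_file")
    fi
    if [ "$restrict" != "1" ]; then
        echo unrestricted
        return 0
    fi

    # Loaded profiles are listed one per line as "name (mode)".
    # Match the exact profile name "bwrap" used in the report, any mode.
    if [ -r "$profiles_file" ] && grep -Eq '^bwrap \(' "$profiles_file"; then
        echo profile-loaded
        return 0
    fi

    echo blocked
    return 1
}

# Live check (reading the profile list normally requires root):
#   sh this-script.sh --check
if [ "${1:-}" = "--check" ]; then
    bwrap_userns_status \
        /proc/sys/kernel/apparmor_restrict_unprivileged_userns \
        /sys/kernel/security/apparmor/profiles
fi
```

A `profile-loaded` result only says that a profile named `bwrap` exists; the failure cases listed in the comment above (child needing privilege in the namespace, no-new-privileges, flatpak) can still apply.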

