Hello Hadmut, thanks for the feedback. This is a tricky situation -- chromium-browser's new sandboxing code requests a large number of system capabilities inside a user namespace. The current AppArmor profile language and enforcement engine has no way to describe "these capabilities are only valid inside a user namespace". It's not clear how we should handle this. We could grant the capabilities and let things work, but have zero security if accidentally run by the admin, or we could deny the capabilities and break the sandboxing.
Because it's difficult to have a good profile in the face of this, we haven't shipped the profile in a package that would have more users. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1647142 Title: usr.bin.chromium-browser terribly outdated To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1647142/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
