> sadly yes, the init script has a bail out that stops loading policy on the live cd
So am I understanding this correctly? - everything in the live environment is effectively `unconfined`, and before 24.04 this increased security exposure (no mitigations for compromised/malicious apps) but could not break functionality (nothing is forbidden by policy, so everything works) - but since 24.04, `unconfined` has fewer privileges than e.g. `steam` (it cannot create new user namespaces), so the extra security exposure of userns is avoided, but some functionality is missing This makes the live-image considerably less useful for the purpose I've been using it for: as a clean-slate Ubuntu environment, where all settings that were not manually changed are at their defaults, and hacks/workarounds from one test cannot accidentally leak into other tests. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2065088 Title: AppArmor profiles allowing userns not immediately active in 24.04 live image To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065088/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
