FWIW I don't think this proposed profile should be shipped upstream or in Ubuntu for bitbake - it allows any file anywhere on the filesystem under a path bitbake/bin/bitbake to use unprivileged user namespaces - i.e. if I was a malware author I would have my malware create a second stage malware file called $HOME/bitbake/bin/bitbake and it would then be granted the use of userns by this profile (and hence could take advantage of userns as part of further exploitation). The specified attachment path regex is too broad.
--
https://bugs.launchpad.net/bugs/2056555
Title: Allow bitbake to create user namespace
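
An added illustration of the attachment-breadth concern raised in the comment above (not part of the original message and not AppArmor's own code): a small audit helper that approximates AppArmor path globbing (`*` stays within one path component, `**` crosses `/`) and reports which sample paths a profile attachment would cover. The profile text is not shown on this page, so `/**/bitbake/bin/bitbake` is an assumed form of the pattern under discussion; the pinned path and the sample paths are constructed.

```python
import re

def aa_glob_to_regex(glob):
    """Approximate an AppArmor path glob as an anchored regex.

    Handles *, **, ? and {a,b} alternation; character classes are not handled.
    """
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")        # ** matches across directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # * never matches a '/'
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

BROAD = "/**/bitbake/bin/bitbake"         # assumed form of the proposed attachment
PINNED = "/opt/poky/bitbake/bin/bitbake"  # hypothetical root-owned install path

# Constructed sample paths: one system install, two under a user's home directory.
CANDIDATES = [
    "/opt/poky/bitbake/bin/bitbake",
    "/home/alice/bitbake/bin/bitbake",
    "/home/alice/.cache/x/bitbake/bin/bitbake",
    "/usr/bin/bitbake",
]

def attachable_paths(pattern, candidates=CANDIDATES):
    """Return the candidate paths the attachment pattern would match."""
    rx = aa_glob_to_regex(pattern)
    return [p for p in candidates if rx.match(p)]

def user_writable_hits(pattern, candidates=CANDIDATES):
    """Matches that live under /home, where an unprivileged user can create files."""
    return [p for p in attachable_paths(pattern, candidates) if p.startswith("/home/")]
```

A non-empty result from `user_writable_hits` means the profile's permissions attach to a file an unprivileged user can create, which is the breadth problem the comment describes.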
