Small reproducer for the capability + unshare case:

$ mkdir test
$ cd test
$ echo hello > hello.txt
$ sudo chown 100000:100000 hello.txt
$ sudo chmod 0600 hello.txt
$ l hello.txt
-rw------- 1 100000 100000 6 Sep 9 20:46 hello.txt
With capabilities allowed in /etc/apparmor.d/unprivileged_userns:
profile unprivileged_userns {
audit allow capability,
audit deny change_profile,
This works:

$ unshare --user --map-auto --map-user=65536 --map-group=65536 --keep-caps -- cat hello.txt
hello
With capabilities denied, as in the original:
profile unprivileged_userns {
audit deny capability,
audit deny change_profile,
It fails:

$ unshare --user --map-auto --map-user=65536 --map-group=65536 --keep-caps -- cat hello.txt
cat: hello.txt: Permission denied
And there is no DENIED message in dmesg, just this:

[Mon Sep 9 20:50:47 2024] audit: type=1400 audit(1725915047.797:188): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=51741 comm="unshare" requested="userns_create" target="unprivileged_userns"
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2078255
Title:
autopkgtest error: rm: cannot remove '/tmp/tmp.OoiXjLc9ID/root':
Permission denied
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
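When chasing a "Permission denied" that only shows up once a process has transitioned into the unprivileged_userns profile, the first question is whether dmesg carries an actual AppArmor denial (a DENIED line with operation="capable" from the target profile) or only the informational userns_create transition line quoted in the reproducer above. The following POSIX shell helper is an added example, not part of the bug report or of the nbd or AppArmor projects: it classifies audit lines into those two cases, pulls individual key="value" fields out of them, and counts both kinds over a saved log. The transition sample mirrors the line from the report; the capability-denial sample is constructed here in the general AppArmor audit shape (profile, comm, capability, capname) and is an assumption about what such a line would look like, not something the report observed.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AppArmor audit lines from
# dmesg when an unprivileged user namespace is denied a capability.

# classify LINE
#   prints one of: transition | capability_denied | other_denied | ignore
#   "transition" is the informational userns_create line (apparmor="AUDIT");
#   "capability_denied" is a real denial of a capability in the target profile.
classify() {
    printf '%s\n' "$1" | awk '
        /apparmor="AUDIT"/  && /operation="userns_create"/ { print "transition";        next }
        /apparmor="DENIED"/ && /operation="capable"/       { print "capability_denied"; next }
        /apparmor="DENIED"/                                { print "other_denied";      next }
                                                           { print "ignore" }'
}

# field LINE KEY
#   prints the value of KEY="value" from the line, or nothing if KEY is absent.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# summarize FILE
#   prints "transition=<n> cap_denied=<n>" for all lines in FILE.
#   A transition line with cap_denied=0 alongside a "Permission denied" means
#   dmesg is not showing a capability denial for that failure.
summarize() {
    t=0; c=0
    while IFS= read -r line; do
        case "$(classify "$line")" in
            transition)        t=$((t + 1)) ;;
            capability_denied) c=$((c + 1)) ;;
        esac
    done < "$1"
    printf 'transition=%s cap_denied=%s\n' "$t" "$c"
}

# Constructed sample lines for this example.
# The first mirrors the userns_create line quoted in the bug report.
SAMPLE_TRANSITION='audit: type=1400 audit(1725915047.797:188): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=51741 comm="unshare" requested="userns_create" target="unprivileged_userns"'
# The second is an assumed shape for a capability denial inside the target
# profile; the report did not observe such a line.
SAMPLE_CAP_DENY='audit: type=1400 audit(1725915100.000:190): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=51750 comm="cat" capability=1 capname="dac_override"'

# Usage: sh triage.sh /path/to/saved-dmesg.txt
if [ $# -gt 0 ]; then
    summarize "$1"
fi
```

Run it over `dmesg > /tmp/dmesg.txt` captured right after reproducing the failure; `field "$line" target` and `field "$line" profile` on the transition line tell you which profile the namespace was confined under, which is the profile whose capability rules decide whether `--keep-caps` actually buys the process anything.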