A `SECURITY.md` file is now included upstream. As a note on the systemd services and including `CapabilityBoundingSet`, including `CapabilityBoundingSet=` appears to work on basic Ubuntu Desktop and WSL installs, but any restrictions here at all appear to fail in certain environments like VMs, resulting in a `Failed to drop capabilities: Operation not permitted` error. My guess is that it has something to do with the fact that these are user services, not system services, and a configuration specific to the VM related to the requirement that "unprivileged user namespaces support to be enabled in the kernel via the `kernel.unprivileged_userns_clone=` sysctl".
Given that this prevents the service from starting entirely and that these are user services anyway, my personal feeling is to not restrict `CapabilityBoundingSet=`.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2118794

Title:
  [MIR] ubuntu-insights

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-insights/+bug/2118794/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
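The failure mode described in the comment above (a user service carrying `CapabilityBoundingSet=` that will not start on some hosts) can be checked before a unit is shipped. The script below is an added example and is not code from the bug thread or from the ubuntu-insights project; the function names, the probe built on `systemd-run --user`, the use of `journalctl --user` to read the executor's error, and the `/proc/sys/kernel/unprivileged_userns_clone` path for the sysctl the comment quotes are all my assumptions. The classifier and the sysctl reader need only POSIX sh; the live probe needs a reachable systemd user manager and reports `no-systemd` otherwise.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the ubuntu-insights project.
# It probes whether this host can start a *user* service that carries
# CapabilityBoundingSet= and classifies the journal line when it cannot.
# Assumptions: systemd-run and journalctl are available for the live probe;
# the string classifier and the sysctl reader need nothing beyond POSIX sh.

# Exit 0 when a journal/status line is the capability-drop failure quoted in
# the report, 1 otherwise. Pure string matching, so it runs offline.
is_capability_drop_failure() {
    case "$1" in
        *"Failed to drop capabilities: Operation not permitted"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of the Debian/Ubuntu sysctl named in the report, or
# "unavailable" when this kernel does not expose that knob at all
# (assumed path: /proc/sys/kernel/unprivileged_userns_clone).
userns_clone_state() {
    _f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$_f" ]; then cat "$_f"; else echo unavailable; fi
}

# Start a throwaway transient user service with an empty bounding set (the
# strictest form of the directive) and print one of:
#   no-systemd     systemd-run is not installed
#   ok             the unit ran, so the directive is safe to ship here
#   drop-failed    the unit died with the error quoted in the report
#   other-failure  the unit failed for some other reason (inspect the journal)
probe_user_capability_drop() {
    command -v systemd-run >/dev/null 2>&1 || { echo no-systemd; return 0; }
    if systemd-run --user --wait --quiet --collect \
           -p CapabilityBoundingSet= /bin/true >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    # The executor logs the failure to the user journal, not to systemd-run's
    # own output, so look at the most recent lines there.
    _log=$(journalctl --user -n 50 --no-pager -o cat 2>/dev/null || true)
    if is_capability_drop_failure "$_log"; then
        echo drop-failed
    else
        echo other-failure
    fi
}

# Stand-alone usage: report both facts so a packager can decide whether to
# keep CapabilityBoundingSet= in the shipped user units.
main() {
    echo "kernel.unprivileged_userns_clone: $(userns_clone_state)"
    echo "user service with CapabilityBoundingSet=: $(probe_user_capability_drop)"
}

main "$@"
```

Run it on each target environment (desktop, WSL, the VM image the comment mentions); a `drop-failed` result is the case the comment describes, and on such hosts the directive has to be left out or the unit will never start.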
