I have a slight preference for the higher priority override, i.e. /usr/lib/sysctl.d/20-apparmor.conf, the reason being this allows us to individually control the 2 sysctl settings, where the whiteout will just disable both. That is, for ``/usr/lib/sysctl.d/20-apparmor.conf`` we can do
------------------------------------------------------------------------------
# AppArmor restrictions of unprivileged user namespaces
# Allows to restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor or not) will
# be denied the use of unprivileged user namespaces.
#
# See
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
#
# If it is desired to disable this restriction, it is preferable to create an
# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
# current file and sets this value to 0 rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 0
kernel.apparmor_restrict_unprivileged_unconfined = 1
------------------------------------------------------------------------------

This will disable the unprivileged userns restriction but still keep the unprivileged_unconfined restriction.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122675

Title:
  Cannot unshare userns in livecd
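An added example, not part of the original message or of the AppArmor packaging: a small resolver that models the sysctl.d(5) precedence rules to show the difference between masking 20-apparmor.conf and overriding it. The vendor defaults of 1 and the /etc/sysctl.d override location (taken from the quoted file's comment) are assumptions, and the directory tree is constructed in a temporary directory.

```python
import os
import tempfile

# Search order from sysctl.d(5): for one file name, the earliest directory wins.
SYSCTL_DIRS = ["etc/sysctl.d", "run/sysctl.d", "usr/lib/sysctl.d"]
USERNS = "kernel.apparmor_restrict_unprivileged_userns"
UNCONFINED = "kernel.apparmor_restrict_unprivileged_unconfined"

def effective_sysctls(root):
    """Return {key: (value, source_file)} resolved as sysctl.d(5) describes."""
    winners = {}
    for d in SYSCTL_DIRS:
        full = os.path.join(root, d)
        names = os.listdir(full) if os.path.isdir(full) else []
        for name in names:
            if name.endswith(".conf"):
                winners.setdefault(name, os.path.join(full, name))
    settings = {}
    for name in sorted(winners):  # later file names override earlier ones
        path = winners[name]
        # Whiteout: an empty file or a symlink to /dev/null masks the whole file.
        if os.path.realpath(path) == os.devnull or os.path.getsize(path) == 0:
            continue
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if not line or line[0] in "#;" or "=" not in line:
                    continue
                key, value = (part.strip() for part in line.split("=", 1))
                settings[key.lstrip("-")] = (value, os.path.relpath(path, root))
    return settings

def demo():
    """Constructed tree: vendor file, then an /etc whiteout, then an /etc override."""
    with tempfile.TemporaryDirectory() as root:
        for d in SYSCTL_DIRS:
            os.makedirs(os.path.join(root, d))
        vendor = os.path.join(root, "usr/lib/sysctl.d/20-apparmor.conf")
        with open(vendor, "w") as fh:  # assumed vendor default: both enabled
            fh.write(f"{USERNS} = 1\n{UNCONFINED} = 1\n")
        override = os.path.join(root, "etc/sysctl.d/20-apparmor.conf")
        os.symlink(os.devnull, override)  # whiteout: neither key is set
        masked = effective_sysctls(root)
        os.remove(override)
        with open(override, "w") as fh:  # override: keys set individually
            fh.write(f"{USERNS} = 0\n{UNCONFINED} = 1\n")
        overridden = effective_sysctls(root)
    return masked, overridden

if __name__ == "__main__": print(demo())
```

Pointing `effective_sysctls("/")` at a running system lists which file sets each key, which is a quick way to audit whether the unprivileged_unconfined restriction survived an image customisation.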
