An opt-in restriction does not work to address the user namespace attack surface problem. The unprivileged user namespace restriction is an intentional security feature that allows fine-grained control and mitigation of user namespace usage instead of having to completely disable kernel.unprivileged_userns_clone=0.

You can find more documentation at:

https://discourse.ubuntu.com/t/mantic-minotaur-release-notes/35534#security-improvements
https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626

As noted there, there is an easy opt-out for users:

  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

though you would be better off confining the applications you want to allow to use unprivileged user namespaces. The easiest way to do this for users is to install apparmor-notify:

  sudo apt install apparmor-notify

The user will then get a notification/pop-up (depending on configuration) to allow creation of highly permissive profiles for applications that need to use unprivileged user namespaces.

https://bugs.launchpad.net/bugs/2136883
Title: apparmor_restrict_unprivileged_userns breaks some Electron, Chromium, and QtWebEngine applications
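The comment above recommends confining the specific application rather than flipping the sysctl off system-wide. The following shell helpers are an added example, not part of the bug comment or of Ubuntu's own tooling: one function classifies the value of kernel.apparmor_restrict_unprivileged_userns, one reads the live value from /proc if the running kernel exposes it, and one emits a minimal per-application AppArmor profile of the kind apparmor-notify generates (the `flags=(unconfined)` plus `userns,` pattern). The profile name, the binary path and the `abi <abi/4.0>` line are assumptions for illustration; adjust them to the application you are confining.

```shell
#!/bin/sh
# Added example (not from the bug comment): helpers for auditing the
# kernel.apparmor_restrict_unprivileged_userns sysctl and for writing a
# per-application AppArmor profile that grants userns, so the global
# restriction can stay enabled.

SYSCTL_PATH=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Classify a sysctl value:
#   1 -> unprivileged user namespaces only for confined/allowed apps
#   0 -> the opt-out the comment mentions (no AppArmor restriction)
userns_restriction_state() {
  case "$1" in
    1) echo restricted ;;
    0) echo unrestricted ;;
    *) echo unknown ;;
  esac
}

# Read the live value if this kernel exposes it; "absent" means the
# kernel/AppArmor build does not have the feature at all.
current_userns_restriction() {
  if [ -r "$SYSCTL_PATH" ]; then
    userns_restriction_state "$(cat "$SYSCTL_PATH")"
  else
    echo absent
  fi
}

# Emit an AppArmor profile that attaches to one executable and grants it
# userns. Arguments: profile name, absolute path to the binary (both
# assumed values supplied by the caller). "unconfined" keeps the
# application otherwise unrestricted; the "userns," rule is what the
# restriction checks for, so this is exactly the "highly permissive
# profile" the comment describes, scoped to a single binary.
userns_profile() {
  name=$1
  path=$2
  cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $path flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}
```

To apply a generated profile, write it to /etc/apparmor.d/<name> and load it with `sudo apparmor_parser -r /etc/apparmor.d/<name>`; `current_userns_restriction` afterwards should still report `restricted`, which is the point of confining the one application instead of opting the whole system out.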
