Communication can always be improved; it is really hard to reach the full community and make everyone aware of what is going on and why. The plan originally was to have desktop components as part of 24.04, but things have just taken way, way longer than was planned for.

The feature itself was available for beta testing during the 22.10 cycle via a PPA kernel, and was disabled by default in the 23.04 release. Revisions and improvements were added for the 23.10 release, but it was still left disabled by default. For 23.10 there were release notes and it was blogged about (both of the links above were for 23.10; there were some additional blogs/articles as well), before it was finally enabled by default in 24.04 (further release notes and blogging, e.g.):

https://ubuntu.com/blog/ubuntu-desktop-24-04-noble-numbat-deep-dive
https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#p-99950-security-improvements
https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts

The desktop side in particular has been slow and problematic, and it really should have been part of the 24.04 release. That didn't happen for several reasons, but the decision was made to move forward with the restriction because unprivileged user namespaces were a core piece of several high priority exploits every year. Admittedly they are not so critical on the desktop, but very much so for cloud providers using containers.

Sadly the desktop components are still not enabled by default, for several reasons. In particular, the desktop team wants several improvements to the whole notification/prompt side of things before it can land as a default part of the desktop. This requires both design review and desktop team time, which has been lacking; they have had other priorities like FDE (full disk encryption) eating their time. The new schedule is looking like probably landing the newer GUI components in 26.10 (they didn't make 25.10, and with 26.04 being an LTS ...). This does give the GUI components more time to improve and mature. The prompt will be able to move from the post facto prompt that it is today to a true permission prompt (i.e.
https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963
except for regular desktop applications, not just snaps). There should also be a desktop component (whether in GNOME Settings or the security center) to allow enabling, disabling, and changing the prompted permissions on a per-application basis, and by then we might also be able to tie it into cryptographic hashes for applications, so that known binaries/hashes for different upstreams can automatically be given permissions, reducing the prompt to only custom/unknown applications.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2136883

Title:
  apparmor_restrict_unprivileged_userns breaks some Electron, Chromium, and QtWebEngine applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2136883/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
