I spoke with the security team, and they dislike the idea of reducing sandboxing, but they also acknowledge that this is an issue with how systemd user services and unprivileged user namespace restrictions work given the current default configuration on Ubuntu.
Their conclusion is that they’ll try and find a way to resolve situations like this in the future, but this will very likely not be something that lands for Resolute as it will be a major change. As such, I’m marking this as deferred overall, though likely a 'won’t fix' for Resolute. It may be something to revisit in the future. For now, we'll just have to live with the periodic pollution in the syslogs.

https://gitlab.com/apparmor/apparmor/-/issues/585

** Changed in: ubuntu-insights (Ubuntu Resolute)
       Status: In Progress => Deferred

** Changed in: ubuntu-insights (Ubuntu Resolute)
     Assignee: Kat Kuo (kkuo) => (unassigned)

** Changed in: ubuntu-insights (Ubuntu Resolute)
       Status: Deferred => Won't Fix

** Changed in: ubuntu-insights (Ubuntu Resolute)
       Status: Won't Fix => Deferred

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127962

Title:
  AppArmor DENIED capable operation in unprivileged_userns

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2127962/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
