Control: tag -1 + moreinfo

Hi,

Vincent Lefevre (2025-02-25):
>> This actually occurs only with firejail (I actually use a wrapper
>> doing that), e.g.
>>
>> firejail /usr/bin/firefox
>>
>> According to "ps -efZ", it is the firejail-default AppArmor profile
>> that is used.

Good to know! I have never looked at how firejail uses AppArmor.

> I suspect that this is because the firejail-default AppArmor profile
> does not use "userns" (contrary to the firefox AppArmor profile,
> which completely changed).

I thought "userns" was a no-op on mainline (read: non-Ubuntu) kernels.
But who knows :)

And indeed, it does look like $something is blocking unprivileged user
namespaces. Let's try to figure out what $something is.

Can you try adding the "userns," line to the firejail-default AppArmor
profile and see if you can reproduce?

Another thing that could be worth trying (independently from the
previous one) is to revert /usr/share/apparmor-features/features to
the previous version i.e. revert the changes from this commit:
https://salsa.debian.org/apparmor-team/apparmor/-/commit/71c0d1bfdd0556cb8466913d65ca4f6fced14b63

Then reboot the system and try to reproduce.

Cheers,
--
intrigeri