> Previously we only had the option of using a system wide sysctl
> kernel.unprivileged_userns_clone to disable unprivileged user
> namespaces. Debian defaults this to off, and you have to opt in.

Just to avoid misunderstandings (I failed to parse the above sentence
unambiguously): in Debian, unprivileged user namespaces have been
enabled by default since Bullseye.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  For Ubuntu 22.10, since the last kernel update, i can“t launch any
  chromium based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User 
namespace creation restricted" error=-13 profile="unconfined" pid=21323 
comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  google chrome itself or in this case steamwebhelper.

  Might be related to this change?:
  
https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  not sure if it got merged in this form though..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990064/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to