It will affect both. The exact effect will depend on how things are set up. Unconfined privileged processes will still have access to create user namespaces as they see fit. The processes within the user namespace will be subject to similar restrictions.

There is still room for refinement of the mediation being done: whether to virtualize the sysctl (not currently done), and what restrictions on nested user namespaces should be enforced (whether a stack unconfined or system level unconfined is sufficient). But generally speaking, what uid mappings are being done within a container are not being taken into account by the mediation. If this is something to be considered, the current mediation can be extended to support it. The mediation is based on current confinement and whether the task has cap_sys_admin. So currently it is possible to set up a container that is confined by a system level profile but unconfined within the container, and that has cap_sys_admin, and have the container set up a further namespace. If the system level confinement restricts the creation of user namespaces then, regardless of whether the application is unconfined within the container or confined and allowing access to user namespaces, access will be restricted. There currently is a lot of flexibility in what is supported. Feedback over the next cycle or two as we refine the confinement and get things packaged up will be appreciated.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any chromium based browser, due to apparmor denying userns_create.

  dmesg shows:

  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like google chrome itself or in this case steamwebhelper.

  Might be related to this change?
  https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/
  Not sure if it got merged in this form though.

--
Mailing list: https://launchpad.net/~touch-packages
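As an added example (not code from this bug thread or from the AppArmor project), the following Python script does the triage step an administrator would take after seeing a report like the one above: it parses kernel audit lines in the key="value" format quoted in the bug and counts DENIED userns_create events per profile and comm, so it is immediately visible whether the denials are hitting the unconfined profile (i.e. the system-wide restriction discussed in the reply) or a specific confined program. The sample dmesg lines are constructed here; the first is the line quoted in the bug report, the others are made up to exercise the filter (a second comm, a non-namespace file denial, and an ALLOWED record that must be ignored).

```python
import re
from collections import Counter

# Constructed sample dmesg output. Line 1 is the record quoted in the bug
# report; the remaining lines are made up for this example.
SAMPLE_DMESG = """\
[ 1234.567890] audit: type=1400 audit(1663000000.123:45): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
[ 1240.000001] audit: type=1400 audit(1663000006.001:46): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21400 comm="chrome" requested="userns_create" denied="userns_create"
[ 1241.000001] audit: type=1400 audit(1663000007.001:47): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21401 comm="chrome" requested="userns_create" denied="userns_create"
[ 1250.000001] audit: type=1400 audit(1663000016.001:48): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=22000 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1251.000001] audit: type=1400 audit(1663000017.001:49): apparmor="ALLOWED" operation="userns_create" class="namespace" profile="test-complain" pid=22100 comm="unshare" requested="userns_create" denied="userns_create"
"""

# key=value pairs; values are either double-quoted (no embedded quotes in
# AppArmor audit output) or a bare token such as error=-13 or pid=21323.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_record(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an AppArmor record (no apparmor= field)."""
    fields = {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in _KV.finditer(line)
    }
    return fields if "apparmor" in fields else None


def userns_denials(text):
    """Yield parsed records that are DENIED userns_create events, skipping
    other denials (files, capabilities, ...) and complain-mode ALLOWED records."""
    for line in text.splitlines():
        rec = parse_apparmor_record(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "userns_create":
            yield rec


def summarize(text):
    """Count userns_create denials per (profile, comm). A large count under
    profile="unconfined" points at the system-wide restriction rather than at
    a single application profile."""
    return Counter((r["profile"], r["comm"]) for r in userns_denials(text))


if __name__ == "__main__":
    # Usage: python3 this_script.py   (or pipe real `dmesg` output into
    # summarize() instead of SAMPLE_DMESG)
    for (profile, comm), n in summarize(SAMPLE_DMESG).most_common():
        print(f"{n:3d}  profile={profile:<20} comm={comm}")
```

On a real system the same function can be fed `dmesg` or the audit log; the split by profile is the useful part, because a denial logged against `profile="unconfined"` cannot be fixed by editing an application profile and instead points at the mediation of unprivileged user namespace creation itself.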