Sorry for the delay on this, we had some bugs to chase down. The following PPA has an update to how user namespace mediation is being handled. For the unconfined case there are two options:

1. If the unprivileged_userns profile does not exist, unprivileged user namespace creation is denied as before.

2. If the unprivileged_userns profile exists (i.e. is loaded into the kernel), unprivileged user namespace creation is allowed and will result in a transition into the unprivileged_userns profile. The unprivileged_userns profile will then deny all capabilities within the profile. Execution of applications is allowed within the unprivileged_userns profile, but they will result in a stack with the unprivileged_userns profile, that is to say the unprivileged_userns profile can not be dropped (capabilities can not be gained).

There is still some additional functionality to land that will give profile authors more control, but what is present here should be enough to start testing.

https://launchpad.net/~apparmor-dev/+archive/ubuntu/unprivileged-userns

Note: the apparmor_restriction_unprivileged_unconfined needs to be enabled to test the above user namespace behavior. See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
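As an added diagnostic (not code from this bug thread, from bubblewrap or from the AppArmor project), the following C program performs in isolation the two steps a bwrap-style sandbox takes, unshare(CLONE_NEWUSER) followed by unshare(CLONE_NEWNS), and classifies the result against the behaviours described in the comment above. It assumes a Linux host; the outcome names, the classification rules and the probe function are my own, and reading the third outcome as a transition into a capability-denying unprivileged_userns profile is an inference from the comment, not something the program can confirm on its own.

```c
/* userns-probe.c: added diagnostic, not part of the bug thread or of AppArmor.
 * Forks a child that tries to create a user namespace and then a mount
 * namespace (which needs CAP_SYS_ADMIN in the owning user namespace), and
 * reports which step the kernel refused. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome names are constructed for this probe. */
enum userns_outcome {
    USERNS_ALLOWED_WITH_CAPS = 0, /* both steps succeeded: no restriction in effect */
    USERNS_DENIED = 1,            /* CLONE_NEWUSER refused with EPERM/EACCES: option 1 above */
    USERNS_ALLOWED_NO_CAPS = 2,   /* user ns created, but CAP_SYS_ADMIN unusable in it: option 2 above */
    USERNS_PROBE_ERROR = 3        /* fork/wait failed, or an errno this probe does not interpret */
};

/* Pure classification of the two unshare() results, kept separate from the
 * syscalls so it can be tested without creating namespaces.
 * rc_user/err_user: result and errno of unshare(CLONE_NEWUSER);
 * rc_mnt/err_mnt: result and errno of unshare(CLONE_NEWNS), ignored if the first failed. */
enum userns_outcome classify(int rc_user, int err_user, int rc_mnt, int err_mnt) {
    if (rc_user != 0)
        return (err_user == EPERM || err_user == EACCES) ? USERNS_DENIED : USERNS_PROBE_ERROR;
    if (rc_mnt != 0)
        return (err_mnt == EPERM || err_mnt == EACCES) ? USERNS_ALLOWED_NO_CAPS : USERNS_PROBE_ERROR;
    return USERNS_ALLOWED_WITH_CAPS;
}

const char *describe(enum userns_outcome o) {
    switch (o) {
    case USERNS_ALLOWED_WITH_CAPS:
        return "user namespace created and CAP_SYS_ADMIN usable inside it: "
               "no user namespace restriction in effect";
    case USERNS_DENIED:
        return "unshare(CLONE_NEWUSER) refused: restriction on and no unprivileged_userns "
               "profile loaded; this is what bwrap reports as "
               "'Creating new namespace failed: Permission denied'";
    case USERNS_ALLOWED_NO_CAPS:
        return "user namespace created but CAP_SYS_ADMIN denied inside it: consistent "
               "with a transition into a profile that denies all capabilities";
    default:
        return "probe could not run (fork/wait failure or unexpected errno)";
    }
}

/* Runs the probe in a forked child so the caller's own namespaces are untouched;
 * the child's exit status carries the classified outcome back. */
enum userns_outcome probe_userns(void) {
    pid_t pid = fork();
    if (pid < 0)
        return USERNS_PROBE_ERROR;
    if (pid == 0) {
        int rc_user = unshare(CLONE_NEWUSER);
        int err_user = errno;
        int rc_mnt = 0, err_mnt = 0;
        if (rc_user == 0) {
            rc_mnt = unshare(CLONE_NEWNS);
            err_mnt = errno;
        }
        _exit((int)classify(rc_user, err_user, rc_mnt, err_mnt));
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_PROBE_ERROR;
    return (enum userns_outcome)WEXITSTATUS(status);
}

int main(void) {
    enum userns_outcome o = probe_userns();
    printf("%s\n", describe(o));
    return o == USERNS_PROBE_ERROR ? 1 : 0;
}
```

Build with `cc -o userns-probe userns-probe.c` and run it as the same unprivileged user that sees the crash, once with the restriction from the comment's note disabled and once with it enabled and the unprivileged_userns profile loaded, to see the first and third outcomes respectively. Unlike epiphany, the probe only reports the refusal: in the crash from the bug description the refusal reaches GLib's fatal `** ERROR **` path, which aborts with a breakpoint trap, and that is why a denied namespace creation surfaces as SIGTRAP rather than as a plain error message.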
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in akregator package in Ubuntu: Confirmed
Status in angelfish package in Ubuntu: Confirmed
Status in apparmor package in Ubuntu: Confirmed
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Confirmed
Status in devhelp package in Ubuntu: Confirmed
Status in digikam package in Ubuntu: Confirmed
Status in epiphany-browser package in Ubuntu: Confirmed
Status in evolution package in Ubuntu: Confirmed
Status in falkon package in Ubuntu: Confirmed
Status in freecad package in Ubuntu: Confirmed
Status in ghostwriter package in Ubuntu: Confirmed
Status in gnome-packagekit package in Ubuntu: Confirmed
Status in goldendict-webengine package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Confirmed
Status in kchmviewer package in Ubuntu: Confirmed
Status in kdeplasma-addons package in Ubuntu: Confirmed
Status in kiwix package in Ubuntu: Confirmed
Status in konqueror package in Ubuntu: Confirmed
Status in kontact package in Ubuntu: Confirmed
Status in notepadqq package in Ubuntu: Confirmed
Status in opam package in Ubuntu: Confirmed
Status in pageedit package in Ubuntu: Confirmed
Status in plasma-desktop package in Ubuntu: Confirmed
Status in privacybrowser package in Ubuntu: Confirmed
Status in qmapshack package in Ubuntu: Confirmed
Status in qutebrowser package in Ubuntu: Confirmed
Status in rssguard package in Ubuntu: Confirmed
Status in steam package in Ubuntu: Confirmed
Status in supercollider package in Ubuntu: Confirmed
Status in tellico package in Ubuntu: Confirmed

Bug description:
  Hi,

  I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp