Disabling the user namespace restriction is certainly one possible direction, and would be the easiest for Noble.
The other possible route is using aa-notify, which now has the ability to produce a prompt for the user. An example gif can be seen at https://gitlab.com/-/project/4484878/uploads/ea5f41c3e1799fcf4d6c0c41af86553a/demo_aa_notify.webm. It is currently only in Oracular, and there are some bug fixes coming to the current version, but the plan is to SRU the ability to Noble. For those who want to play with it, instructions are below.

- It is available for Noble via the PPA at https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
- It can be installed via: sudo apt install apparmor-notify
- Basic instructions are available via: man aa-notify
- It will install a default configuration in "/etc/apparmor/notify.conf". The default configuration can be modified on a per-user basis by copying it to "$XDG_CONFIG_HOME/apparmor/notify.conf", which is generally "$HOME/.config/apparmor/notify.conf", or to "$HOME/.apparmor/notify.conf". A custom configuration is not needed unless you want to use filtering to make it less noisy. Currently regular notifications will happen for all AppArmor events, but they can be filtered using the config file.
- The notifier can be started via the shell with: aa-notify -p -s1 --prompt-filter=userns, or by adding it to startup applications.
- There is a bug with the user namespace notification where it currently requires "--prompt-filter=userns" as part of the command arguments instead of being set in the config file.

--
https://bugs.launchpad.net/bugs/2065088

Title: AppArmor profiles allowing userns not immediately active in 24.04 live image

Status in apparmor package in Ubuntu: Confirmed

Bug description:
Side issue from <https://github.com/ValveSoftware/steam-for-linux/issues/10843>.
I saw this with Steam, but Ubuntu 24.04's AppArmor setup for Steam is quite simple, so I suspect that the same thing might happen for any of the other third-party software that needs an AppArmor profile for <https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844>.

Steps to reproduce:
1. Boot an Ubuntu 24.04 live image, in a virtual machine with lots of RAM (I gave it 8G) so that it will have enough space on the root tmpfs to install Steam. Using Debian 12's libvirt and qemu, I found that virtio graphics didn't work, and used qxl as a workaround.
2. When prompted, choose a keyboard layout etc., and choose to "Try Ubuntu" rather than "Install Ubuntu".
3. Open a terminal
4. sudo dpkg --add-architecture i386
5. sudo apt update
6. sudo apt install steam (in this case steam is a transitional package with a dependency on steam-installer, both at version 1:1.0.0.79~ds-2)
7. steam
8. See a prompt warning me that Steam is proprietary binary-only software. Choose Install.
9. See a light grey progress bar "Steam setup / Updating Steam runtime environment...". Wait.
10. See a dark grey progress bar "Steam / Updating Steam... Downloading update (xxx of 465,450 KB)...". Wait.
11. Dark grey progress bar becomes "Steam / Updating Steam... Extracting package...". Wait.
12. Output in terminal shows "Restarting Steam by request...". Wait.

Expected result:
- /etc/apparmor.d/steam allows Steam to create new user namespaces, etc.
- Steam starts successfully

Actual result:
- A dialog box with "Error / Steam now requires user namespaces to be enabled"
- Audit log: apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=... comm="srt-bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"

Workaround:
- Force Ubuntu's AppArmor profile for Steam to be reloaded: sudo apparmor_parser -Tr /etc/apparmor.d/steam
- Run steam again
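A small shell check, added here as an example and not part of the bug report or of the apparmor package: it scans kernel/audit log text for userns_create denials like the one quoted in the report and prints which process was denied under which profile, then checks whether a named profile is present in a profiles listing in the format of /sys/kernel/security/apparmor/profiles. The log lines and the profile listing below are constructed samples; the steam profile is deliberately missing from the listing to mirror the live-image situation.

```shell
#!/bin/sh
# Constructed sample log text. The DENIED line mirrors the audit entry quoted in
# the bug report; the other two lines are made up for contrast.
SAMPLE_LOG='audit: type=1400 apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4242 comm="srt-bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
audit: type=1400 apparmor="ALLOWED" operation="userns_create" class="namespace" profile="steam" pid=4243 comm="srt-bwrap" requested="userns_create"
audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="firefox" name="/etc/shadow" pid=4244 comm="firefox"'

# Constructed sample in the format of /sys/kernel/security/apparmor/profiles
# ("name (mode)" per line); the steam profile is deliberately absent.
SAMPLE_PROFILES='/usr/bin/man (enforce)
firefox (enforce)'

# Print "comm profile" for each userns_create denial in the log text given as $1.
# A denial with profile="unconfined" means no profile granting userns was
# attached to that process, which is the symptom described in this bug.
userns_denials() {
    printf '%s\n' "$1" | awk '
        /apparmor="DENIED"/ && /operation="userns_create"/ {
            comm = ""; prof = ""
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") == 2) {
                    gsub(/"/, "", kv[2])
                    if (kv[1] == "comm") comm = kv[2]
                    if (kv[1] == "profile") prof = kv[2]
                }
            }
            print comm, prof
        }'
}

# Return 0 if profile $1 appears in the profiles listing given as $2, else 1.
profile_loaded() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 ~ /^\(/ { found = 1 }
        END { exit !found }'
}

# On a real system: userns_denials "$(journalctl -k --no-pager)" and
# profile_loaded steam "$(sudo cat /sys/kernel/security/apparmor/profiles)".
userns_denials "$SAMPLE_LOG"
if profile_loaded steam "$SAMPLE_PROFILES"; then
    echo "steam profile is loaded"
else
    echo "steam profile not loaded; reload it with: sudo apparmor_parser -Tr /etc/apparmor.d/steam"
fi
```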