There are three approaches:

1. Users will be able to use a GUI notification/pop-up to do this. A version of this is currently available in 24.10; it has been revised and a new iteration will soon land in 25.04. The plan is to SRU this back to 24.04 (23.10 is already out of support).

   A demo video: https://gitlab.com/-/project/4484878/uploads/ea5f41c3e1799fcf4d6c0c41af86553a/demo_aa_notify.webm

   For now this is not integrated with the security-center etc. Long term a more integrated solution will happen. This is just a step to get a solution sooner than later.

2. The users can run pipx using sudo. The user namespace restriction does not apply to root processes. Yes, this defeats the purpose of user namespaces, to provide a limited root.

3. The user can manually add a profile, which is admittedly a very poor user experience. A basic template can be provided; I will have to play with pipx and mkosi before I can provide a template.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2092752

Title:
  Guidance for pipx binaries requiring user namespaces

Status in apparmor package in Ubuntu:
  New

Bug description:
  Basically - this question: https://askubuntu.com/questions/1536722/how-to-apply-apparmor-profile-to-pipx-binaries

  How can users installing tools via pipx configure AppArmor profiles for those tools, so they can be used to create user namespaces and act as root/with CAP_SYS_ADMIN etc. within those namespaces?

  I raise this as a bug since, if I understand correctly, the new user namespace restrictions introduce a new (the only?) case where AppArmor profiles are required for the application to function. I guess this is just a question of providing examples & documentation so that non-AppArmor-experts can figure out the right magic to put in the profile.

  IIUC based on https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces, this affects 23.10+. I myself have only experienced it with 24.04.

  The specific app I'm personally interested in is mkosi: https://github.com/systemd/mkosi but I believe this will affect a variety of different tools.
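Added example, not from the bug thread or the apparmor package: a small generator for the manually added profile of approach 3 (the "right magic" the reporter asks about). It follows the pattern Ubuntu's own per-application userns profiles use (flags=(unconfined) plus a single userns rule) and assumes the pipx binary is a symlink in ~/.local/bin that AppArmor attaches to by its resolved real path; the function names, the sample home path and the /etc/apparmor.d/<name> file name are assumptions.

```shell
#!/bin/sh
# Emit an AppArmor profile that lifts only the user namespace restriction for
# one binary. flags=(unconfined) means nothing else is mediated, so this keeps
# the tool at the same trust level as running it unconfined; "userns," is the
# rule that permits creating user namespaces under the 23.10+ restriction.
# (Assumed names: gen_userns_profile / install_userns_profile are not part of
# apparmor or pipx.)
gen_userns_profile() {
    # $1 = profile name (e.g. mkosi), $2 = absolute, symlink-resolved path
    printf '%s\n' \
        'abi <abi/4.0>,' \
        'include <tunables/global>' \
        '' \
        "profile $1 $2 flags=(unconfined) {" \
        '  userns,' \
        '' \
        '  # Site-specific additions and overrides.' \
        "  include if exists <local/$1>" \
        '}'
}

# Resolve the pipx symlink in ~/.local/bin to the venv script it points at
# (AppArmor attaches to the real path, not the symlink), then write the
# profile under /etc/apparmor.d and load it. Both steps need root.
install_userns_profile() {
    name="$1"
    target=$(readlink -f "$HOME/.local/bin/$name") || return 1
    [ -x "$target" ] || { echo "no pipx binary named $name" >&2; return 1; }
    gen_userns_profile "$name" "$target" | sudo tee "/etc/apparmor.d/$name" >/dev/null
    sudo apparmor_parser -r "/etc/apparmor.d/$name"
}

# Usage: install_userns_profile mkosi
```

Because attachment is by path, reinstalling the tool into a different venv location (or a different user's home) means regenerating the profile; a denial is visible in the kernel log as an apparmor="DENIED" line with class="namespace" if the path no longer matches.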