I tried that with the daily questing desktop image, and it seemed to work. So we need to somehow either inject that command early in that image's boot, or use one of the options from comment #3, or add a quirk to the process that builds these images to remove the /usr/lib/sysctl.d/10-apparmor.conf from it.
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2122675

Title:
  Cannot unshare userns in livecd

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Multiple components of Ubuntu Desktop daily-live are failing when trying to create a sandboxed user namespace:

  apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=9281 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns" execpath="/usr/bin/bwrap"

  This is seen affecting the loading of the wallpaper image (sandboxed through glycin -> bwrap) and the ubuntu-insights-collect.service (sandboxed through PrivateUsers=true in the unit file).

  Minimal reproducer:

  $ python3
  >>> import os
  >>> os.unshare(os.CLONE_NEWUSER)
  Traceback (most recent call last):
    File "<python-input-1>", line 1, in <module>
      os.unshare(os.CLONE_NEWUSER)
      ~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  PermissionError: [Errno 13] Permission denied
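
For triage on an affected image, the following added example (not part of the bug report or of apparmor) picks the userns_create denials out of kernel audit output and counts them per executable. The first sample line reuses the denial quoted in the bug description; the "audit: type=1400 audit(...)" prefix and the other two lines are constructed for contrast.

```python
import shlex
from collections import Counter

# Constructed sample input. Only the fields of the first line come from the
# bug description; the prefixes and the last two lines are made up.
SAMPLE_LOG = '''\
audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=9281 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns" execpath="/usr/bin/bwrap"
audit: type=1400 audit(0.0:2): apparmor="DENIED" operation="open" class="file" profile="example" name="/etc/shadow" pid=100 comm="cat" requested_mask="r" denied_mask="r"
audit: type=1400 audit(0.0:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="example" pid=1 comm="apparmor_parser"
'''


def parse_fields(line):
    """Split one audit line into key=value fields, honouring quoted values."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in a truncated line
        return {}
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def userns_denials(log_text):
    """Return parsed records for AppArmor denials of user namespace creation."""
    hits = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = parse_fields(line)
        if rec.get("operation") == "userns_create":
            hits.append(rec)
    return hits


def summarize(records):
    """Count denials per (executable, profile the process was running under)."""
    return Counter((r.get("execpath", r.get("comm", "?")), r.get("profile", "?"))
                   for r in records)


if __name__ == "__main__":
    for (exe, profile), n in summarize(userns_denials(SAMPLE_LOG)).items():
        print(f"{n} userns_create denial(s): {exe} (profile={profile})")
```

On a real system the input would be the kernel log text (for example the output of journalctl -k) passed to userns_denials() in place of SAMPLE_LOG.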

