unconfined profile denies userns_create for chromium based processes
Bug #1990064 reported by
Timo Witte
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
For Ubuntu 22.10, since the last kernel update, i can´t launch any chromium based browser, due to apparmor denying userns_create
dmesg shows:
apparmor="DENIED" operation=
This happens for every process which uses a chromium engine, like google chrome itself or in this case steamwebhelper.
Might be related to this change?: https:/
not sure if it got merged in this form though..
Changed in apparmor (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in linux (Ubuntu): | |
status: | Incomplete → Fix Released |
To post a comment you must log in.
This sounds like a kernel regression.
The commit you link to is for SELinux, which is not enabled by default in Ubuntu, so I doubt it is that specifically - instead I suspect this is due to the following commit: https:/ /git.launchpad. net/~ubuntu- kernel/ ubuntu/ +source/ linux/+ git/kinetic/ commit/ ?h=master- next&id= 30bce26855c9171 f8dee74d93308fd 506730c914
The logic here:
int aa_profile_ ns_perm( struct aa_profile *profile, struct common_audit_data *sa,
u32 request) unconfined( profile) ) { userns_ restricted ||
ns_ capable_ noaudit( current_ user_ns( ), CAP_SYS_ADMIN))
return 0;
{
...
if (profile_
if (!unprivileged_
/* fall through to below allows complain mode to override */
} else {
if (!state)
}
return aa_check_
}
Seems to indicate that all unconfined processes that do not have CAP_SYS_ADMIN will be denied the ability to use user namespaces - this feels like a definite regression / policy change within the kernel itself.
Should the kernel instead be built with CONFIG_ SECURITY_ APPARMOR_ RESTRICT_ USERNS= n ?
Or is this code not doing what it was intended to do.