Comment 3 for bug 1990064

John Johansen (jjohansen) wrote :

Not a regression, or at least an intended regression (i.e. it is doing exactly what is intended). This is exactly what has been talked about for 6+ months. Unprivileged user_namespaces are going away, but instead of the big system level sysctl we can allow them on a per application basis.

The only question is whether we default this off for 22.10.

With the current kernel there are two options for dealing with this:

1. For applications that don't have CAP_SYS_ADMIN, confine the application if it needs to use user namespaces.

2. Set the sysctl apparmor_restrict_unprivileged_userns to 0.

It's possible we could set this option in the kernel to default N. But it HAS to change soon. Unprivileged user namespaces have been used as part of the exploit chain in multiple attacks over the last several years. Debian defaults them off with the sysctl, and this gives them a potential option to move forward.

I will reiterate: unprivileged user_namespaces are going away; this is a requirement.
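
An added example, not part of the comment above and not project code: a small audit helper that reports which of the policies discussed is in effect on a host. It assumes the knobs live at `/proc/sys/kernel/apparmor_restrict_unprivileged_userns`, `/proc/sys/kernel/unprivileged_userns_clone` (the Debian-style switch) and `/proc/sys/user/max_user_namespaces`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host's unprivileged user-namespace policy.
# The root directory is a parameter so the logic can be exercised
# against a constructed directory instead of the live /proc/sys.

# read_knob ROOT RELATIVE_PATH -> prints the value, or "absent" if missing
read_knob() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'absent'
    fi
}

# userns_policy [ROOT] -> prints one of:
#   disabled           unprivileged processes cannot create user namespaces
#   apparmor-mediated  an unprivileged application must be confined to
#                      create them (option 1 in the comment)
#   open               any unprivileged process may create them
#                      (the state after option 2, sysctl set to 0)
userns_policy() {
    root="${1:-/proc/sys}"
    max=$(read_knob "$root" user/max_user_namespaces)
    clone=$(read_knob "$root" kernel/unprivileged_userns_clone)
    aa=$(read_knob "$root" kernel/apparmor_restrict_unprivileged_userns)

    # A zero namespace limit or the Debian-style switch set to 0
    # overrides the AppArmor knob: nothing unprivileged gets through.
    if [ "$max" = "0" ] || [ "$clone" = "0" ]; then
        echo disabled
    elif [ "$aa" = "1" ]; then
        echo apparmor-mediated
    else
        # Knob is 0, or absent on kernels without the AppArmor restriction.
        echo open
    fi
}

# Report the policy of the running system.
userns_policy
```
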