Just to make sure that we really talk about the same thing: This bug sounds like it is *intended* that
unshare --user --map-root-user /bin/bash -c whoami
(as unpriv user) now fails in current Ubuntu 24.04 noble. That still worked in released 23.10.
I am starting to test Cockpit on the current noble dailies [1] to make sure everything is ready for 24.04 LTS (as 23.10 was a bit of a disaster..), and aside from some non-fatal AppArmor noise this is the most important issue. This breaks /usr/lib/cockpit/cockpit-desktop, which uses a user namespace to isolate cockpit's web server + a browser, and that isolation is absolutely crucial for its security.
I can update cockpit-ws.deb to ship a new file /etc/apparmor.d/cockpit-desktop with
------ 8< -----------
abi <abi/4.0>,
include <tunables/global>
profile cockpit-desktop /usr/lib/cockpit/cockpit-desktop flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/cockpit-desktop>
}
------ 8< -----------
I confirmed that this works fine. I just wanted to check that this is intended, and not circumventing your intentions here?
Thanks!
[1] https://github.com/cockpit-project/bots/pull/6048
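As an added check (not part of this bug report or of the cockpit project), a small POSIX shell script that reports the host's apparmor_restrict_unprivileged_userns setting, verifies that a profile text carries the `userns,` rule and the `flags=(unconfined)` header the profile above relies on, checks a loaded-profile listing for the profile name, and probes whether an unprivileged `unshare --user` currently succeeds. The knob path, the listing format and the probe are assumptions about a stock 24.04 kernel with AppArmor 4.

```shell
#!/bin/sh
# Added example, not code from the bug report or from cockpit.

# Assumed sysctl knob on Ubuntu 24.04 (apparmor_restrict_unprivileged_userns).
RESTRICT_KNOB=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Prints 0 (unrestricted), 1 (unprivileged userns restricted, the 24.04
# default) or 2 (knob absent: kernel/AppArmor without this feature).
userns_restriction_state() {
    if [ -r "$RESTRICT_KNOB" ]; then cat "$RESTRICT_KNOB"; else echo 2; fi
}

# Returns 0 when the profile text has both pieces the cockpit-desktop profile
# depends on: a `userns,` rule and a profile header with flags=(unconfined).
profile_grants_userns() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*userns,' &&
    printf '%s\n' "$1" | grep -Eq '^profile .*flags=\(.*unconfined.*\)'
}

# Returns 0 when a listing in the "name (mode)" format of
# /sys/kernel/security/apparmor/profiles (assumed format) contains profile $1.
profile_loaded() {
    printf '%s\n' "$2" | grep -Eq "^$1 \("
}

# Live probe, run as a non-root user: prints "ok" if an unprivileged
# user namespace with a root mapping can be created, "denied" otherwise.
probe_unshare() {
    if unshare --user --map-root-user /bin/true 2>/dev/null; then
        echo ok
    else
        echo denied
    fi
}

# Constructed sample: the profile from this bug, as it would be shipped.
CONSTRUCTED_PROFILE='abi <abi/4.0>,
include <tunables/global>
profile cockpit-desktop /usr/lib/cockpit/cockpit-desktop flags=(unconfined) {
  userns,
}'

echo "restriction knob: $(userns_restriction_state)"
if profile_grants_userns "$CONSTRUCTED_PROFILE"; then
    echo "sample profile grants userns: yes"
else
    echo "sample profile grants userns: no"
fi
```

To check a real host, run `probe_unshare` as a normal user before and after installing the profile, and feed the contents of /sys/kernel/security/apparmor/profiles to `profile_loaded cockpit-desktop`.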