Comment 4 for bug 2046477

Martin Pitt (pitti) wrote (last edit ):

Just to make sure that we really talk about the same thing: This bug sounds like it is *intended* that

    unshare --user --map-root-user /bin/bash -c whoami

(as unpriv user) now fails in current Ubuntu 24.04 noble. That still worked in released 23.10.

I am starting to test Cockpit on the current noble dailies [1] to make sure everything is ready for 24.04 LTS (as 23.10 was a bit of a disaster..), and aside from some non-fatal AppArmor noise this is the most important issue. This breaks /usr/lib/cockpit/cockpit-desktop, which uses a user namespace to isolate cockpit's web server + a browser, and that isolation is absolutely crucial for its security.

I can update cockpit-ws.deb to ship a new file /etc/apparmor.d/cockpit-desktop with

------ 8< -----------
abi <abi/4.0>,

include <tunables/global>

profile cockpit-desktop /usr/lib/cockpit/cockpit-desktop flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/cockpit-desktop>
}
------ 8< -----------

I confirmed that this works fine. I just wanted to check that this is intended, and not circumventing your intentions here?

Thanks!

[1] https://github.com/cockpit-project/bots/pull/6048
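One way to verify the situation described in this comment from the defender's side, as an added example that is not part of the bug report or of Cockpit's own code: a POSIX shell script that reports whether the calling unprivileged user can still create a user namespace with the `unshare` invocation from the report, reads the Ubuntu restriction sysctl (its name, kernel.apparmor_restrict_unprivileged_userns, is an assumption here and is absent on other kernels), and checks whether a given AppArmor profile file carries the `userns,` rule that the proposed cockpit-desktop profile adds.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes util-linux `unshare`;
# the sysctl name below is an assumption (Ubuntu-specific kernel feature).

# Prints "allowed" if the caller can create a user namespace and map itself
# to root inside it (the exact check from the report), "blocked" otherwise.
userns_check() {
    if unshare --user --map-root-user true >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# Prints the restriction sysctl value (1 = unprivileged userns restricted,
# 0 = not restricted) or "unknown" when the kernel does not expose it.
userns_restriction() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo unknown
    fi
}

# Prints "granted" if the AppArmor profile file in $1 contains a `userns,`
# rule (what the cockpit-desktop profile above adds), "missing" otherwise.
profile_grants_userns() {
    if grep -Eq '^[[:space:]]*userns,' "$1"; then
        echo granted
    else
        echo missing
    fi
}

main() {
    echo "unprivileged user namespaces: $(userns_check)"
    echo "apparmor_restrict_unprivileged_userns: $(userns_restriction)"
    # Constructed sample profile with the same shape as the one in the report.
    tmp=$(mktemp)
    printf 'profile demo /usr/bin/demo flags=(unconfined) {\n  userns,\n}\n' >"$tmp"
    echo "sample profile userns rule: $(profile_grants_userns "$tmp")"
    rm -f "$tmp"
}
main "$@"
```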