Comment 36 for bug 2056555

Alex Murray (alexmurray) wrote :

FWIW I don't think this proposed profile should be shipped upstream or in Ubuntu for bitbake - it allows any file anywhere on the filesystem under a path bitbake/bin/bitbake to use unprivileged user namespaces - i.e. if I was a malware author I would have my malware create a second stage malware file called $HOME/bitbake/bin/bitbake and it would then be granted the use of userns by this profile (and hence could take advantage of userns as part of further exploitation). The specified attachment path regex is too broad.
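
An added example, not part of the comment above or of any project's code: a small audit that flags AppArmor profiles granting `userns` whose attachment glob also matches paths under user-writable directories. The sample profiles, the probe directories and the function names are assumptions constructed for illustration (the first profile is written to fit the comment's description), and only the `*`, `**` and `?` glob operators are approximated.

```python
import re

# Constructed sample profiles (assumptions, not copied from the bug report).
SAMPLE_PROFILES = """
profile bitbake /**/bitbake/bin/bitbake flags=(unconfined) {
  userns,
}
profile example-pinned /usr/bin/example flags=(unconfined) {
  userns,
}
"""

# Hypothetical probe directories that an unprivileged user can write to.
USER_WRITABLE_PROBES = ["/home/user", "/tmp", "/var/tmp", "/dev/shm"]

PROFILE_RE = re.compile(r"^profile\s+(\S+)\s+(/\S+)[^{\n]*\{(.*?)^\}", re.M | re.S)

def glob_to_regex(glob):
    """Approximate AppArmor path globbing (*, ** and ? only) as a Python regex."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2        # ** crosses directory boundaries
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1     # * stays inside one path component
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def broad_userns_profiles(text):
    """Return (name, attachment, matching user-writable paths) per risky profile."""
    findings = []
    for name, attach, body in PROFILE_RE.findall(text):
        if not re.search(r"^\s*userns\b[^,\n]*,", body, re.M):
            continue                          # profile does not grant userns
        # Heuristic: replant the literal tail of the glob under each probe dir.
        tail = re.split(r"[*?]", attach)[-1].lstrip("/")
        rx = glob_to_regex(attach)
        hits = [f"{d}/{tail}" for d in USER_WRITABLE_PROBES if rx.match(f"{d}/{tail}")]
        if hits:
            findings.append((name, attach, hits))
    return findings

if __name__ == "__main__":
    for name, attach, hits in broad_userns_profiles(SAMPLE_PROFILES):
        print(f"{name}: attachment {attach} also matches {hits}")
```

A profile pinned to a root-owned absolute path produces no finding, while the wildcard-prefixed attachment is reported for every probe directory.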