Hi Simon,
The use of --unshare=network does not cause a regression with the bwrap profile. This is the full profile: https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict
If you look at the bwrap profile itself, you can see that it allows the use of all capabilities, but that on execs, it transitions to a profile that does not allow capabilities. That's why bwrap can, briefly, use CAP_NET_ADMIN.
    profile bwrap /usr/bin/bwrap ... {
        allow capability,
        ...
        allow px /** -> bwrap//&unpriv_bwrap,
    }
To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes` specifically and it worked as expected.
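A practical way to confirm the behaviour described above from inside the sandbox: the parent profile lets bwrap hold capabilities, but the px transition to bwrap//&unpriv_bwrap means the application it execs should have an empty effective set. The script below is an added example, not code from this thread, from Flatpak or from the AppArmor project; it decodes the CapEff mask from /proc/<pid>/status and reports whether CAP_NET_ADMIN (bit 12 in linux/capability.h) is present. The invocation suggested in the comments (running it via `flatpak run --command=sh`) is an assumption about how you would get it into the sandbox.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project): decode the
# effective capability mask of a process and check for CAP_NET_ADMIN.
#
# Assumed usage inside a Flatpak sandbox (adjust the app id and path):
#   flatpak run --unshare=network --command=sh org.gnome.Recipes ./capcheck.sh
# Expected: the sandboxed app reports CAP_NET_ADMIN absent, because the
# bwrap profile transitions it to bwrap//&unpriv_bwrap on exec, while
# bwrap itself held the capability only long enough to set up the netns.

CAP_NET_ADMIN=12   # bit index from linux/capability.h

# cap_in_mask HEXMASK BIT -> prints 1 if BIT is set in the 64-bit mask, else 0
# HEXMASK is the raw field from /proc/<pid>/status, e.g. 000001ffffffffff
cap_in_mask() {
    mask="$1"
    bit="$2"
    printf '%d\n' $(( (0x$mask >> bit) & 1 ))
}

# cap_eff_of [PID] -> prints the CapEff hex mask of PID (default: self)
cap_eff_of() {
    pid="${1:-self}"
    awk '/^CapEff:/ { print $2 }' "/proc/$pid/status"
}

# has_cap_net_admin HEXMASK -> exit status 0 when CAP_NET_ADMIN is in the mask
has_cap_net_admin() {
    [ "$(cap_in_mask "$1" "$CAP_NET_ADMIN")" = 1 ]
}

# report [PID] -> human-readable verdict for one process
report() {
    pid="${1:-self}"
    mask="$(cap_eff_of "$pid")"
    if has_cap_net_admin "$mask"; then
        echo "pid $pid CapEff=$mask: CAP_NET_ADMIN present (expected only for bwrap itself)"
    else
        echo "pid $pid CapEff=$mask: CAP_NET_ADMIN absent (expected for the sandboxed app)"
    fi
}

# Stand-alone run: inspect our own process when /proc is available.
if [ -r /proc/self/status ]; then
    report self
fi
```

The mask is decoded with plain shell arithmetic, so the script has no dependency on libcap's `capsh` or `getpcaps`, which are typically not available inside a runtime; if you do have `capsh` on the host, `capsh --decode=<mask>` gives the same answer by name.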