Comment 7 for bug 2064672

Georgia Garcia (georgiag) wrote :

Hi Simon,

The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile: https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict

If you look at the bwrap profile itself, you can see that it allows the use of all capabilities, but that on execs, it transitions to a profile that does not allow capabilities. That's why bwrap can, briefly, use CAP_NET_ADMIN.

profile bwrap /usr/bin/bwrap ... {
  allow capability,
  ...
  allow px /** -> bwrap//&unpriv_bwrap,
}

To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes` specifically and it worked as expected.
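The pattern described in the comment, as an added illustration (this is not the real bwrap-userns-restrict profile linked above, and the rules inside unpriv_bwrap are assumed): the launcher profile may use capabilities while it sets up namespaces, but every exec lands in a stack with a profile that grants none, so the confined application cannot inherit them.

```apparmor
# Added illustration, not the profile shipped by the AppArmor project.
abi <abi/4.0>,
include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
  include <abstractions/base>

  # The launcher itself needs capabilities only briefly, for example
  # CAP_NET_ADMIN while --unshare=network configures the new namespace.
  allow capability,
  allow userns,

  # Whatever bwrap execs runs under "bwrap" stacked with "unpriv_bwrap".
  # A stack is confined by both profiles at once, so the child keeps the
  # file and network rules but loses every capability.
  allow px /** -> bwrap//&unpriv_bwrap,
}

# Assumed contents: the stacked profile used for the application itself.
profile unpriv_bwrap flags=(attach_disconnected) {
  allow file,
  allow network,
  allow signal,

  # Keep children inside the stack rather than escaping to "unconfined".
  allow pix /** -> &unpriv_bwrap,

  # No capability is granted here; auditing the denial makes any attempt
  # by the sandboxed application show up in the kernel log for review.
  audit deny capability,
}
```

Checking the confinement of the running application (for example with `ps -Z` or `cat /proc/<pid>/attr/apparmor/current`) should show the stacked label `bwrap//&unpriv_bwrap`, not plain `bwrap`.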