> sadly yes, the init script has a bail out that stops loading policy on the live cd

So am I understanding this correctly?

- everything in the live environment is effectively `unconfined`, and before 24.04 this increased security exposure (no mitigations for compromised/malicious apps) but could not break functionality (nothing is forbidden by policy, so everything works)
- but since 24.04, `unconfined` has fewer privileges than e.g. `steam` (it cannot create new user namespaces), so the extra security exposure of userns is avoided, but some functionality is missing

This makes the live-image considerably less useful for the purpose I've been using it for: as a clean-slate Ubuntu environment, where all settings that were not manually changed are at their defaults, and hacks/workarounds from one test cannot accidentally leak into other tests.