Lubuntu/livecd-rootfs
3
0
Fork 0
mirror of https://git.launchpad.net/livecd-rootfs synced 2025-10-15 09:04:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Disable apparmor_restrict_unprivileged_userns in the live layers. (LP: #2122675)

Browse Source
This commit is contained in:
Michael Hudson-Doyle 2025-09-15 12:27:31 +12:00
parent 2fd6cb1609
commit 8de7b2eb10
3 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
debian/changelog vendored
View File

@ -1,3 +1,10 @@
livecd-rootfs (25.10.22) UNRELEASED; urgency=medium
* Disable apparmor_restrict_unprivileged_userns in the live layers.
(LP: #2122675)
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Mon, 15 Sep 2025 12:26:52 +1200
livecd-rootfs (25.10.21) questing; urgency=medium
* Fix daily-dangerous builds:

16
live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf Normal file
View File

@ -0,0 +1,16 @@
# AppArmor restrictions of unprivileged user namespaces
# Allows to restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor or not) will
# be denied the use of unprivileged user namespaces.
#
# See
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
#
# If it is desired to disable this restriction, it is preferable to create an
# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
# current file and sets this value to 0 rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 0
kernel.apparmor_restrict_unprivileged_unconfined = 1

19
live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
View File

@ -15,6 +15,25 @@ cat <<EOF > /etc/initramfs-tools/conf.d/default-layer.conf
LAYERFS_PATH=${PASS}.squashfs
EOF
cat <<EOF > /etc/sysctl.d/20-apparmor.conf
# AppArmor restrictions of unprivileged user namespaces
# Allows to restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor or not) will
# be denied the use of unprivileged user namespaces.
#
# See
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
#
# If it is desired to disable this restriction, it is preferable to create an
# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
# current file and sets this value to 0 rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 0
kernel.apparmor_restrict_unprivileged_unconfined = 1
EOF
if which glib-compile-schemas >/dev/null 2>&1; then
glib-compile-schemas /usr/share/glib-2.0/schemas/
fi