From 8de7b2eb105f245e2bae1333ea47841675c2be11 Mon Sep 17 00:00:00 2001
From: Michael Hudson-Doyle
Date: Mon, 15 Sep 2025 12:27:31 +1200
Subject: [PATCH] Disable apparmor_restrict_unprivileged_userns in the live layers. (LP: #2122675)

---
 debian/changelog | 7 +++++++
 .../etc/sysctl.d/20-apparmor.conf | 16 ++++++++++++++++
 .../ubuntu/hooks/020-ubuntu-live.chroot_early | 19 +++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf

diff --git a/debian/changelog b/debian/changelog
index 13e9886e..25a7020c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+livecd-rootfs (25.10.22) UNRELEASED; urgency=medium
+
+  * Disable apparmor_restrict_unprivileged_userns in the live layers.
+    (LP: #2122675)
+
+ -- Michael Hudson-Doyle Mon, 15 Sep 2025 12:26:52 +1200
+
 livecd-rootfs (25.10.21) questing; urgency=medium
 
   * Fix daily-dangerous builds:
diff --git a/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf b/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf
new file mode 100644
index 00000000..b6accdc6
--- /dev/null
+++ b/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf
@@ -0,0 +1,16 @@
+# AppArmor restrictions of unprivileged user namespaces
+
+# Allows to restrict the use of unprivileged user namespaces to applications
+# which have an AppArmor profile loaded which specifies the userns
+# permission. All other applications (whether confined by AppArmor or not) will
+# be denied the use of unprivileged user namespaces.
+#
+# See
+# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
+# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
+#
+# If it is desired to disable this restriction, it is preferable to create an
+# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
+# current file and sets this value to 0 rather than editing this current file
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
diff --git a/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early b/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
index 8dad7b80..f98719bc 100755
--- a/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
+++ b/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
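Review bot: The comment block in the new 20-apparmor.conf contradicts the file it sits in: it describes the restriction as being enabled and advises creating `/etc/sysctl.d/20-apparmor.conf` to override "this current file", yet this file is that override and sets `kernel.apparmor_restrict_unprivileged_userns = 0`. The text appears to be copied from the apparmor package's default sysctl file, so an administrator reading it on a live system gets no indication that unprivileged user namespaces have been deliberately re-enabled for every process, or why, even though that is a real widening of the kernel surface reachable from unconfined code. Replace the header with a short comment stating that this file intentionally disables the restriction for the live/installer layer only (LP: #2122675), that it must not be carried into the installed target, and that `kernel.apparmor_restrict_unprivileged_unconfined = 1` is kept unchanged. The heredoc in the 020-ubuntu-live.chroot_early hunk below writes the same copied comment and needs the same correction.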
@@ -15,6 +15,25 @@ cat < /etc/initramfs-tools/conf.d/default-layer.conf
 LAYERFS_PATH=${PASS}.squashfs
 EOF
 
+cat < /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Allows to restrict the use of unprivileged user namespaces to applications
+# which have an AppArmor profile loaded which specifies the userns
+# permission. All other applications (whether confined by AppArmor or not) will
+# be denied the use of unprivileged user namespaces.
+#
+# See
+# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
+# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
+#
+# If it is desired to disable this restriction, it is preferable to create an
+# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
+# current file and sets this value to 0 rather than editing this current file
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF
+
 if which glib-compile-schemas >/dev/null 2>&1; then
     glib-compile-schemas /usr/share/glib-2.0/schemas/
 fi
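Review bot: The desktop live layer generates the sysctl file from a heredoc inside this hook while the server layer ships the identical content as a static includes.chroot file; two copies of a 16-line block will drift, and a static file under the ubuntu live layer's includes.chroot would be easier to audit than shell that writes into /etc at build time. If the heredoc stays, quote the delimiter, `cat <<'EOF' > /etc/sysctl.d/20-apparmor.conf`, so that a future `$` or backtick in the comment text is not expanded by the shell; the rendering here shows `cat < /etc/sysctl.d/20-apparmor.conf`, with the `<<EOF >` presumably lost in extraction, since the `EOF` terminator lines imply a heredoc. The hunk does not show whether this hook runs for every pass or only the live pass (the `${PASS}` context suggests it is pass-aware), so the written file's comment should name the layer it is meant for. The enclosing script begins before line 15 and continues past the hunk.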