Disable apparmor_restrict_unprivileged_userns in the live layers. (LP: #2122675)
This commit is contained in:
parent
2fd6cb1609
commit
8de7b2eb10
7
debian/changelog
vendored
7
debian/changelog
vendored
@ -1,3 +1,10 @@
|
|||||||
|
livecd-rootfs (25.10.22) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
|
* Disable apparmor_restrict_unprivileged_userns in the live layers.
|
||||||
|
(LP: #2122675)
|
||||||
|
|
||||||
|
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Mon, 15 Sep 2025 12:26:52 +1200
|
||||||
|
|
||||||
livecd-rootfs (25.10.21) questing; urgency=medium
|
livecd-rootfs (25.10.21) questing; urgency=medium
|
||||||
|
|
||||||
* Fix daily-dangerous builds:
|
* Fix daily-dangerous builds:
|
||||||
|
@ -0,0 +1,16 @@
|
|||||||
|
# AppArmor restrictions of unprivileged user namespaces
|
||||||
|
|
||||||
|
# Allows to restrict the use of unprivileged user namespaces to applications
|
||||||
|
# which have an AppArmor profile loaded which specifies the userns
|
||||||
|
# permission. All other applications (whether confined by AppArmor or not) will
|
||||||
|
# be denied the use of unprivileged user namespaces.
|
||||||
|
#
|
||||||
|
# See
|
||||||
|
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
|
||||||
|
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
|
||||||
|
#
|
||||||
|
# If it is desired to disable this restriction, it is preferable to create an
|
||||||
|
# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
|
||||||
|
# current file and sets this value to 0 rather than editing this current file
|
||||||
|
kernel.apparmor_restrict_unprivileged_userns = 0
|
||||||
|
kernel.apparmor_restrict_unprivileged_unconfined = 1
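Review bot: The header comment copied from the stock AppArmor sysctl file contradicts what this file does: it says the setting "allows to restrict" unprivileged user namespaces and then advises creating /etc/sysctl.d/20-apparmor.conf to override it, while the value below sets `kernel.apparmor_restrict_unprivileged_userns = 0`, so this file is the override that lifts the restriction rather than the one imposing it. Someone auditing the image should see the rationale instead of the boilerplate; I would replace the last three comment lines with `# Deliberately lifts the unprivileged user namespace restriction for the live` / `# session (LP: #2122675); the installed system presumably keeps the stock default.` Worth stating in that comment as well: with the value at 0 every process in the live session can again create unprivileged user namespaces, which is exactly what the restriction described above denies, so the relaxation should stay confined to the live layers. The second key, `kernel.apparmor_restrict_unprivileged_unconfined = 1`, is unchanged from the stock default and deserves a one-line comment saying it is intentionally kept.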
|
@ -15,6 +15,25 @@ cat <<EOF > /etc/initramfs-tools/conf.d/default-layer.conf
|
|||||||
LAYERFS_PATH=${PASS}.squashfs
|
LAYERFS_PATH=${PASS}.squashfs
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
cat <<EOF > /etc/sysctl.d/20-apparmor.conf
|
||||||
|
# AppArmor restrictions of unprivileged user namespaces
|
||||||
|
|
||||||
|
# Allows to restrict the use of unprivileged user namespaces to applications
|
||||||
|
# which have an AppArmor profile loaded which specifies the userns
|
||||||
|
# permission. All other applications (whether confined by AppArmor or not) will
|
||||||
|
# be denied the use of unprivileged user namespaces.
|
||||||
|
#
|
||||||
|
# See
|
||||||
|
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
|
||||||
|
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
|
||||||
|
#
|
||||||
|
# If it is desired to disable this restriction, it is preferable to create an
|
||||||
|
# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
|
||||||
|
# current file and sets this value to 0 rather than editing this current file
|
||||||
|
kernel.apparmor_restrict_unprivileged_userns = 0
|
||||||
|
kernel.apparmor_restrict_unprivileged_unconfined = 1
|
||||||
|
EOF
|
||||||
|
|
||||||
if which glib-compile-schemas >/dev/null 2>&1; then
|
if which glib-compile-schemas >/dev/null 2>&1; then
|
||||||
glib-compile-schemas /usr/share/glib-2.0/schemas/
|
glib-compile-schemas /usr/share/glib-2.0/schemas/
|
||||||
fi
|
fi
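Review bot: The heredoc at `cat <<EOF > /etc/sysctl.d/20-apparmor.conf` uses an unquoted delimiter, so the shell expands `$` and backticks in the body; nothing in this body needs expansion (unlike the `${PASS}` heredoc just above it), so `cat <<'EOF' > /etc/sysctl.d/20-apparmor.conf` keeps the file literal and avoids surprises if the comment text is edited later. The pasted body also carries the stock file's advice to "create an additional file named /etc/sysctl.d/20-apparmor.conf", which is the very file being written here, and its first line still describes the setting as restricting namespaces while the value written is 0; trim it to a short comment stating that the live session deliberately sets the restriction to 0 (LP: #2122675). The hook's surrounding control flow starts before this hunk, so I cannot see whether this block runs only for the live pass; if it also runs for passes that end up in the installed system, the relaxation would ship to installed machines, which the commit title suggests is not intended. The same 16 lines appear as a standalone new file elsewhere in this commit, so keeping a single copy would avoid the two drifting apart.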
|
||||||
|