Merge remote-tracking branch 'arraybolt3/arraybolt3/apparmor' into ubuntu/master

live-build/auto/config

@@ -1560,7 +1560,8 @@ case $PROJECT:${SUBPROJECT:-} in
 	ubuntu-cpc:*|ubuntu-server:live|ubuntu:desktop-preinstalled| \
 		ubuntu-wsl:*|ubuntu-mini-iso:*|ubuntu-test-iso:*|ubuntu:|ubuntu:dangerous|ubuntu-oem:*| \
 		ubuntustudio:*|edubuntu:*|ubuntu-budgie:*|ubuntucinnamon:*|xubuntu:*| \
-	        ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*)
+		ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*|kubuntu:*| \
+		ubuntu-unity:*)
 		# Ensure that most things e.g. includes.chroot are copied as is
 		for entry in ${LIVECD_ROOTFS_ROOT}/live-build/${PROJECT}/*; do
 			case $entry in

live-build/kubuntu/hooks/020-kubuntu-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf

@@ -1,16 +1,5 @@
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1

live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/ubuntu/hooks/020-ubuntu-live.chroot_early

@@ -18,18 +18,7 @@ EOF
 cat <<EOF > /etc/sysctl.d/20-apparmor.conf
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
 EOF