From edec1f4a3f9548cd292145f6e76f199dd84293ed Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Fri, 27 Mar 2026 11:51:58 -0400
Subject: [PATCH] Disable AppArmor user namespace restrictions on the live ISOs for Kubuntu and Ubuntu Unity
---
 live-build/auto/config | 3 ++-
 .../kubuntu/hooks/020-kubuntu-live.chroot_early | 11 +++++++++++
 .../etc/sysctl.d/20-apparmor.conf | 13 +------------
 .../hooks/020-ubuntu-unity-live.chroot_early | 11 +++++++++++
 .../ubuntu/hooks/020-ubuntu-live.chroot_early | 13 +------------
 5 files changed, 26 insertions(+), 25 deletions(-)
 create mode 100644 live-build/kubuntu/hooks/020-kubuntu-live.chroot_early
 create mode 100644 live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early
diff --git a/live-build/auto/config b/live-build/auto/config
index 8284c37b..71c03d1e 100755
--- a/live-build/auto/config
+++ b/live-build/auto/config
@@ -1567,7 +1567,8 @@ case $PROJECT:${SUBPROJECT:-} in
 ubuntu-cpc:*|ubuntu-server:live|ubuntu:desktop-preinstalled| \
 ubuntu-wsl:*|ubuntu-mini-iso:*|ubuntu-test-iso:*|ubuntu:|ubuntu:dangerous|ubuntu-oem:*| \
 ubuntustudio:*|edubuntu:*|ubuntu-budgie:*|ubuntucinnamon:*|xubuntu:*| \
- ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*)
+ ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*|kubuntu:*| \
+ ubuntu-unity:*)
 # Ensure that most things e.g. includes.chroot are copied as is
 for entry in ${LIVECD_ROOTFS_ROOT}/live-build/${PROJECT}/*; do
 case $entry in
diff --git a/live-build/kubuntu/hooks/020-kubuntu-live.chroot_early b/live-build/kubuntu/hooks/020-kubuntu-live.chroot_early
new file mode 100644
index 00000000..75b932ab
--- /dev/null
+++ b/live-build/kubuntu/hooks/020-kubuntu-live.chroot_early
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat < /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF
diff --git a/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf b/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf
index b6accdc6..b1a98472 100644
--- a/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf
+++ b/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf
@@ -1,16 +1,5 @@
 # AppArmor restrictions of unprivileged user namespaces
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
diff --git a/live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early b/live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early
new file mode 100644
index 00000000..75b932ab
--- /dev/null
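Review bot: The new hook is created with mode 100644 while the existing `live-build/ubuntu/hooks/020-ubuntu-live.chroot_early` and `live-build/auto/config` in this same patch are 100755; if live-build executes chroot hooks directly rather than through an interpreter, a non-executable hook would be skipped and the sysctl file never written, so the mode should match the existing hooks (the ubuntu-unity hook in the next file section has the same mode and identical content). The comment `# Disables AppArmor user namespace restrictions on the live ISO.` overstates what follows, since `kernel.apparmor_restrict_unprivileged_unconfined` is kept at `1` and only `kernel.apparmor_restrict_unprivileged_userns` is set to `0`; a wording such as `# Allow unprivileged user namespaces on the live ISO regardless of AppArmor profile; the unprivileged_unconfined restriction stays enabled.` together with the two gitlab wiki URLs that the removed comment carried would keep the rationale findable, and the same applies to the ubuntu-server and ubuntu hunks below, which drop that text. It would also help to state, here or in the commit message, why the live session needs the relaxation and whether the installer carries this sysctl.d file into the installed system; if it does, the change outlives the live ISO the comment says it is scoped to. As rendered here the heredoc line reads `cat < /etc/sysctl.d/20-apparmor.conf`, which is an input redirect; if the `<<EOF >` was merely lost in rendering, disregard that last point.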
+++ b/live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat < /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF
diff --git a/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early b/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
index f98719bc..79cd6b65 100755
--- a/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
+++ b/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
@@ -18,18 +18,7 @@ EOF
 cat < /etc/sysctl.d/20-apparmor.conf
 # AppArmor restrictions of unprivileged user namespaces
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
 EOF