[Bug 2122675] Re: Cannot unshare userns in livecd

John Johansen 2122675 at bugs.launchpad.net
Sun Sep 14 22:03:11 UTC 2025 

I have a slight preference for  the higher priority override ie. /usr/lib/sysctl.d/20-apparmor.conf the reason being this allows us to individually control the 2 sysctl settings where the whiteout will just disable both.
that is for ``/usr/lib/sysctl.d/20-apparmor.conf``` we can do

------------------------------------------------------------------------------

# AppArmor restrictions of unprivileged user namespaces

# Allows to restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor or not) will
# be denied the use of unprivileged user namespaces.
#
# See
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
#
# If it is desired to disable this restriction, it is preferable to create an
# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
# current file and sets this value to 0 rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 0
kernel.apparmor_restrict_unprivileged_unconfined = 1

------------------------------------------------------------------------------

this will disable the unprivileged userns restriction but sill keep the
unprivileged_unconfined restriction

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2122675

Title:
  Cannot unshare userns in livecd

Status in apparmor package in Ubuntu:
  Confirmed
Status in livecd-rootfs package in Ubuntu:
  Confirmed

Bug description:
  Multiple components of Ubuntu Desktop daily-live are failing when
  trying to create a sandboxed user namespace:

  apparmor="DENIED" operation="userns_create" class="namespace"
  info="Userns create restricted - failed to find unprivileged_userns
  profile" error=-13 profile="unconfined" pid=9281 comm="bwrap"
  requested="userns_create" denied="userns_create"
  target="unprivileged_userns" execpath="/usr/bin/bwrap"

  This is seen affecting the loading of the wallpaper image (sandboxed
  through glycin -> bwrap) and the ubuntu-insights-collect.service
  (sandboxed through PrivateUsers=true in the unit file)

  Minimal reproducer:

  $ python3
  >>> import os
  >>> os.unshare(os.CLONE_NEWUSER)
  Traceback (most recent call last):
    File "<python-input-1>", line 1, in <module>
      os.unshare(os.CLONE_NEWUSER)
      ~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  PermissionError: [Errno 13] Permission denied

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2122675/+subscriptions

More information about the foundations-bugs mailing list