Initial commit
@@ -0,0 +1,52 @@
## AppArmor bwrap fix

Ubuntu 24.04 and later can restrict unprivileged user namespaces through
AppArmor. When that restriction applies to Bubblewrap, tools that use `bwrap`
for sandboxed execution may fail before the intended command starts.

One common symptom is:

```text
bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
```

This project installs a small AppArmor profile for `/usr/bin/bwrap` that keeps
the profile otherwise unconfined while explicitly allowing user namespace
creation.

## Install

Review the profile first:

```bash
sed -n '1,120p' profiles/usr.bin.bwrap
```

Install and reload it with:

```bash
sudo ./install.sh
```

The installer copies `profiles/usr.bin.bwrap` to
`/etc/apparmor.d/usr.bin.bwrap` and reloads it with `apparmor_parser -r`.

## Verify

Run:

```bash
./verify.sh
```

The verifier prints the relevant namespace sysctls, checks that the bwrap
profile is installed, and runs a minimal Bubblewrap smoke test.

## Security notes

This does not change system sysctl settings. It adds a targeted AppArmor profile
for `/usr/bin/bwrap` with the `userns` permission needed by Bubblewrap on
affected Ubuntu systems.

The profile is intentionally limited to bwrap. Browser-specific profiles and
per-user home directory paths are out of scope for this project.
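Review bot: the Security notes section (from `This does not change system sysctl settings.` through `affected Ubuntu systems.`) should state the trade-off directly: a profile that is "otherwise unconfined" and grants `userns` hands Bubblewrap back the unprivileged user namespace capability that the Ubuntu 24.04 restriction exists to reduce, so any local user who can run `/usr/bin/bwrap` regains that kernel attack surface through it. Say so, and name the profile flag the prose means by "unconfined" so a reader can match the README to the file they are told to inspect with `sed -n '1,120p' profiles/usr.bin.bwrap`. Two smaller points for the Install section: document whether `install.sh` checks for an existing profile already attached to `/usr/bin/bwrap` before copying, since two profiles for one executable path conflict at load time, and make clear that the script stops when `apparmor_parser -r` rejects the profile rather than reporting a successful install.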