## AppArmor bwrap fix

Ubuntu 24.04 and later can restrict unprivileged user namespaces through
AppArmor. When that restriction applies to Bubblewrap, tools that use `bwrap`
for sandboxed execution may fail before the intended command starts.

One common symptom is:

```text
bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
```

This project installs a small AppArmor profile for `/usr/bin/bwrap` that keeps
the profile otherwise unconfined while explicitly allowing user namespace
creation.

## Install

Review the profile first:

```bash
sed -n '1,120p' profiles/usr.bin.bwrap
```

Install and reload it with:

```bash
sudo ./install.sh
```

The installer copies `profiles/usr.bin.bwrap` to
`/etc/apparmor.d/usr.bin.bwrap` and reloads it with `apparmor_parser -r`.

## Verify

Run:

```bash
./verify.sh
```

The verifier prints the relevant namespace sysctls, checks that the bwrap
profile is installed, and runs a minimal Bubblewrap smoke test.

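As an added illustration of the three checks just described (this is an example written for this page, not the project's own `verify.sh`), the script below reads the AppArmor user-namespace sysctl, checks that a profile of the shape the README describes (attached to `/usr/bin/bwrap`, flagged `unconfined`, carrying a `userns` rule) sits at the installer's destination path, and runs a Bubblewrap smoke test. The sysctl path `kernel.apparmor_restrict_unprivileged_userns`, the bwrap flags used for the smoke test and the embedded sample profile text are assumptions, not taken from the repository.

```shell
#!/bin/sh
# Added example checker, not the project's verify.sh. The sysctl path, the
# bwrap flags and SAMPLE_PROFILE below are assumptions drawn from the README.

PROFILE_PATH="${PROFILE_PATH:-/etc/apparmor.d/usr.bin.bwrap}"
USERNS_SYSCTL=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Constructed sample of a profile with the described shape: unconfined
# overall, with an explicit userns rule (AppArmor 4 rule syntax).
SAMPLE_PROFILE='abi <abi/4.0>,
include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(unconfined) {
  userns,
}'

# 1 means AppArmor restricts unprivileged user namespaces, 0 means it does not.
classify_userns_sysctl() {
  case "$1" in
    0) echo unrestricted ;;
    1) echo restricted ;;
    *) echo unknown ;;
  esac
}

# Print the live sysctl value, or "absent" on kernels without the knob.
read_userns_sysctl() {
  if [ -r "$USERNS_SYSCTL" ]; then cat "$USERNS_SYSCTL"; else echo absent; fi
}

# Profile text on stdin. Succeeds only if the profile attaches to
# /usr/bin/bwrap, is flagged unconfined and carries a userns rule.
profile_looks_right() {
  _text=$(cat)
  printf '%s\n' "$_text" | grep -qE \
    '^profile[[:space:]]+[^[:space:]]+[[:space:]]+/usr/bin/bwrap[[:space:]]+flags=\(unconfined\)' \
    || return 1
  printf '%s\n' "$_text" | grep -qE '^[[:space:]]*userns,' || return 1
  return 0
}

# Minimal smoke test: run a no-op inside a sandbox that creates a new user
# namespace and a new network namespace. Loopback setup in the new network
# namespace is where the RTM_NEWADDR error quoted in the README surfaces.
bwrap_smoke() {
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 2; }
  bwrap --ro-bind / / --proc /proc --dev /dev --unshare-user --unshare-net true
}

run_checks() {
  _val=$(read_userns_sysctl)
  echo "userns sysctl: $_val ($(classify_userns_sysctl "$_val"))"
  if [ -r "$PROFILE_PATH" ]; then
    if profile_looks_right < "$PROFILE_PATH"; then
      echo "profile at $PROFILE_PATH: ok"
    else
      echo "profile at $PROFILE_PATH: present but not of the expected shape"
    fi
  else
    echo "profile at $PROFILE_PATH: missing"
  fi
  if bwrap_smoke; then
    echo "bwrap smoke test: ok"
  else
    echo "bwrap smoke test: FAILED (check the kernel log for apparmor DENIED lines)"
  fi
}

run_checks
```

A "restricted" sysctl together with a missing or mis-shaped profile is the combination that produces the symptom in this README; a "restricted" sysctl with the profile present and a passing smoke test is the intended end state, since the profile, not the sysctl, is what this project changes.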
## Security notes

This does not change system sysctl settings. It adds a targeted AppArmor profile
for `/usr/bin/bwrap` with the `userns` permission needed by Bubblewrap on
affected Ubuntu systems.

The profile is intentionally limited to bwrap. Browser-specific profiles and
per-user home directory paths are out of scope for this project.