> cat /etc/apparmor.d/bwrap
#include <tunables/global>
/usr/bin/bwrap flags=(unconfined) {
    userns,
}

But you shouldn't need to make a global change. Do this:
if [[ -f /proc/$$/attr/exec ]]; then
    # AppArmor is active. Request "unconfined" for our next exec.
    # (The kernel expects the literal form "exec <profile>"; the change
    # takes effect at execve, not at the time of the write.)
    echo 'exec unconfined' 2>/dev/null >/proc/$$/attr/exec
fi
exec ...
Or I think you can do this:

$ setpriv --apparmor-profile=unconfined [command]
(You'd think I'd be more sure of the exact circumstances under which the latter works given that I literally wrote setpriv... At the very least, it will error out if apparmor is not running, which is mildly obnoxious.)
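As an added illustration, not part of the comment above and not code from bwrap or util-linux: a small POSIX sh wrapper that does the /proc/$$/attr/exec dance with its failure modes made visible. It checks /sys/module/apparmor/parameters/enabled rather than only the existence of the attr file, skips the write when the label in /proc/self/attr/current is already unconfined, and reports a refused write instead of sending it to /dev/null. The refusal is the case worth knowing about: the kernel accepts "exec unconfined" only if the calling task's current profile is allowed to change to that label (an unconfined task always is; a confined one needs a matching change_profile rule), so a wrapper that is itself confined gets EACCES and then execs with its confinement unchanged. The aa_* function names are assumptions chosen for the example, and the three path variables are overridable so the logic can be exercised against fake files without a live AppArmor.

```shell
#!/bin/sh
# Added example (not the commenter's code): exec a command unconfined under
# AppArmor, and say why when that is not possible.
#
# Paths below follow the usual procfs/sysfs layout (an assumption); they are
# variables so the logic can be driven against fake files.
AA_ENABLED_FILE=${AA_ENABLED_FILE:-/sys/module/apparmor/parameters/enabled}
AA_CURRENT_FILE=${AA_CURRENT_FILE:-/proc/self/attr/current}
# $$ is this shell, which is the process that will exec (as in the original
# snippet); since a builtin does the write, /proc/self would work as well.
AA_EXEC_FILE=${AA_EXEC_FILE:-/proc/$$/attr/exec}

# Labels read from /proc/<pid>/attr/current look like "unconfined" or
# "/usr/bin/bwrap (enforce)". Split off the bare profile name ...
aa_profile_name() {
    printf '%s\n' "${1% (*)}"
}

# ... and the mode ("enforce", "complain", ...), or "none" when the label
# carries no mode suffix, as "unconfined" does.
aa_profile_mode() {
    case $1 in
        *" ("*")") m=${1##*" ("}; printf '%s\n' "${m%)}" ;;
        *)         printf 'none\n' ;;
    esac
}

# True only if the kernel reports AppArmor as enabled. Testing for
# /proc/$$/attr/exec alone is weaker: that file exists on any kernel built
# with CONFIG_SECURITY, whether or not AppArmor is the active LSM.
aa_enabled() {
    [ -r "$AA_ENABLED_FILE" ] && [ "$(cat "$AA_ENABLED_FILE" 2>/dev/null)" = Y ]
}

# True if this process already runs unconfined (or carries no label at all).
aa_is_unconfined() {
    label=$(cat "$AA_CURRENT_FILE" 2>/dev/null) || return 0
    [ "$(aa_profile_name "$label")" = unconfined ]
}

# Ask AppArmor to run our NEXT exec unconfined.
#   0: accepted (or nothing to do), 1: refused, 2: AppArmor not active.
# A refusal (EACCES) means the current profile has no change_profile rule
# permitting a move to "unconfined"; an unconfined caller is always allowed.
aa_request_unconfined_exec() {
    aa_enabled || return 2
    aa_is_unconfined && return 0
    # The kernel wants the literal "exec <profile>" (what libapparmor's
    # aa_change_onexec() writes); the switch happens at execve, not now.
    if printf 'exec unconfined' >"$AA_EXEC_FILE" 2>/dev/null; then
        return 0
    fi
    return 1
}

# aa_unconfined_exec COMMAND [ARGS...]: the original snippet with the silent
# failure turned into a diagnostic. On refusal it does not exec at all,
# because the command would run with confinement unchanged.
aa_unconfined_exec() {
    if aa_request_unconfined_exec; then rc=0; else rc=$?; fi
    case $rc in
        1) label=$(cat "$AA_CURRENT_FILE" 2>/dev/null)
           printf 'apparmor: cannot leave profile "%s" (%s); not executing\n' \
               "$(aa_profile_name "$label")" "$(aa_profile_mode "$label")" >&2
           return 1 ;;
        2) ;;   # AppArmor not running: nothing to request, just exec
    esac
    exec "$@"
}

# Run as a script, e.g.: ./aa-unconfined-exec.sh bwrap --unshare-user ...
if [ $# -gt 0 ]; then
    aa_unconfined_exec "$@"
fi
```

The three return codes are deliberately distinct: "not active" and "already unconfined" both mean the exec can proceed, while "refused" means the request was silently discarded by the kernel, which is exactly the outcome the `2>/dev/null` in the one-liner hides.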