Comment by waerhert

3 hours ago

Nice approach! On Ubuntu 24.04 I had to loosen some AppArmor protections by creating a file:

  > cat /etc/apparmor.d/bwrap 
  #include <tunables/global>                                                       
                                                                                  
  /usr/bin/bwrap flags=(unconfined) {                                              
    userns,                                                                        
  }

1 comment

waerhert

amluto 2 hours ago

I despise AppArmor and SELinux, especially in cases where they actively get in the way of security like this.

But you shouldn't need to make a global change. Do this:

    if [[ -f /proc/$$/attr/exec ]]; then
        # AppArmor is active.  Request "unconfined" for our next exec.
        echo 'exec unconfined' 2>/dev/null >/proc/$$/attr/exec
    fi
    exec ...

Or I think you can do this:

    $ setpriv --apparmor-profile=unconfined [command]

(You'd think I'd be more sure of the exact circumstances under which the latter works given that I literally wrote setpriv... At the very least, it will error out if apparmor is not running, which is mildly obnoxious.)