Hacker News

Nice approach! On Ubuntu 24.04 I had to loosen some AppArmor protections by creating a file:

  > cat /etc/apparmor.d/bwrap
  #include <tunables/global>

  /usr/bin/bwrap flags=(unconfined) {
    userns,
  }

I despise AppArmor and SELinux, especially in cases where they actively get in the way of security like this.

But you shouldn't need to make a global change. Do this:

    if [[ -f /proc/$$/attr/exec ]]; then
        # AppArmor is active.  Request "unconfined" for our next exec.
        echo 'exec unconfined' 2>/dev/null >/proc/$$/attr/exec
    fi
    exec ...
Or I think you can do this:

    $ setpriv --apparmor-profile=unconfined [command]
(You'd think I'd be more sure of the exact circumstances under which the latter works given that I literally wrote setpriv... At the very least, it will error out if apparmor is not running, which is mildly obnoxious.)
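As an added example that is not part of either comment above, here is a small POSIX sh wrapper that puts the two per-process approaches together: it probes setpriv first, falls back to writing "exec unconfined" to the task's AppArmor exec attribute, and otherwise runs the command under whatever profile is current. The AA_ATTR_PATH override is a hypothetical knob added only so the attribute-writing logic can be exercised on a machine without AppArmor; the bwrap flags in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread above: drop AppArmor confinement for one
# exec only, in the spirit of the /proc/$$/attr/exec trick, instead of
# installing a global unconfined profile under /etc/apparmor.d.
#
# AA_ATTR_PATH is a hypothetical override so the logic can be exercised on a
# box without AppArmor; leave it unset in real use.

# Ask AppArmor to apply no profile at this task's next execve.
# Returns 0 if the request was accepted, 1 if there is no AppArmor interface
# or the write was refused (e.g. the current profile forbids the transition).
aa_request_unconfined() {
    attr="${AA_ATTR_PATH:-/proc/$$/attr/exec}"
    [ -f "$attr" ] || return 1
    # Redirect stderr before the target so a refused open prints nothing.
    printf 'exec unconfined\n' 2>/dev/null >"$attr" || return 1
    return 0
}

# Try setpriv (util-linux) first; it errors out when AppArmor is not running,
# so probe it with "true" before committing. Otherwise fall back to the /proc
# interface, and finally just run the command under the current profile.
run_unconfined() {
    [ "$#" -gt 0 ] || { echo "usage: run_unconfined command [args...]" >&2; return 2; }
    if command -v setpriv >/dev/null 2>&1 &&
       setpriv --apparmor-profile=unconfined true 2>/dev/null; then
        exec setpriv --apparmor-profile=unconfined "$@"
    fi
    if ! aa_request_unconfined; then
        echo "note: could not request unconfined; running $1 under the current profile" >&2
    fi
    # The exec attribute applies to the next execve of this task, so exec
    # directly rather than forking a child.
    exec "$@"
}

# Script usage (illustrative bwrap flags):
#   ./aa-unconfined.sh bwrap --ro-bind / / --dev /dev --unshare-all /bin/sh
if [ "$#" -gt 0 ]; then
    run_unconfined "$@"
fi
```

The wrapper changes nothing system-wide: if the probe and the attribute write both fail, the command simply runs confined, which is the same outcome as without the script.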


