[apparmor] What to do about bubblewrap started from apps confined with AppArmor?

Simon McVittie smcv at collabora.com
Wed Sep 20 12:29:12 UTC 2017

On Wed, 20 Sep 2017 at 13:15:20 +0200, intrigeri wrote:
> bubblewrap sets up Linux namespaces and other stuff that makes it
> essentially need full admin access, which is kinda by design for this
> kind of sandboxing wrappers (not sure if userns would change anything
> to that, anyway that's off-topic right now).

Unprivileged userns (as seen on recent Ubuntu, and on Debian if you adjust
/proc/sys/kernel/unprivileged_userns_clone) avoids bwrap needing to be
setuid root in the init namespace (before it creates new namespaces).
It still needs to exercise capabilities in its newly-created namespace
either way.

> To give you a better idea, here's a named profile suitable for:
>   /usr/bin/bwrap Cx -> bwrap,
> … that's enough to get rid of all bwrap-related AppArmor errors in my
> logs when using Totem

I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
I would expect it to want to execute the wrapped thumbnailer?
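For readers following the thread, the `Cx -> bwrap` transition intrigeri mentions looks like the following in context, with the exec rule for the wrapped program that Simon expects the child profile to need. This is an added illustration and not the profile from the original mail or from any shipped policy; the thumbnailer path, the capability list and the mount rules are assumptions that would have to be reconciled against the DENIED entries in a real audit log.

```apparmor
# Added illustration (not from the thread): a parent profile confining Totem
# that hands bwrap off to a named child profile through a Cx transition.
# Paths, capabilities and the thumbnailer name are assumptions; derive the
# real rule set from the AppArmor DENIED messages in your audit log.
/usr/bin/totem {
  #include <abstractions/base>

  # Run bwrap under the named child profile "bwrap" below instead of
  # under the parent's (much wider) profile.
  /usr/bin/bwrap Cx -> bwrap,

  # Child profile: bwrap sets up namespaces and a new root, so it still
  # needs capabilities and mount rules inside the namespace it creates,
  # whether it was started setuid or via unprivileged userns.
  profile bwrap {
    #include <abstractions/base>

    /usr/bin/bwrap mr,

    # Namespace and filesystem setup performed by bwrap (assumed set).
    capability sys_admin,
    capability sys_chroot,
    capability setuid,
    capability setgid,
    mount,
    umount,
    pivot_root,

    # bwrap is an "adverb": it finally execs the wrapped program, so the
    # child profile has to permit that exec. ix keeps the thumbnailer under
    # this same child profile; Px or Cx would give it a profile of its own.
    /usr/bin/totem-video-thumbnailer ix,  # assumed path
  }
}
```

If the profile is loaded in complain mode first (`aa-complain`), the log will show which of the assumed rules are actually exercised and whether the exec of the wrapped program is being mediated at all, which is the question Simon raises above.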
