Alex Murray

Or use semantic to do the parsing if it is available / enabled already?

With the upcoming plan to restrict unprivileged userns in Ubuntu 23.10, lxd may need to grow some additional support around its handling of unprivileged user namespaces - see https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 for...

Interestingly, `unshare` is not running under any apparmor confinement when it is spawned ``` [84241.526723] audit: type=1400 audit(1693372708.093:6239): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=413939 comm="unshare" requested="userns_create"...

cc @jrjohansen - I assume you agree that it isn't feasible to have a generic profile for `unshare` as above? It would make a lot of things easier (and reduce...

> @alexmurray so are you saying that going forward all calls to `unshare -U` need to be wrapped in their own apparmor profile? We have 2 options - 1. we...

> what is `unprivileged unconfined`? I am not too familiar with apparmor? `unconfined` is the label apparmor gives to anything that doesn't have an explicit apparmor profile. `unprivileged unconfined` then...

Rebased this onto current latest-edge and squashed the two commits into one.

Hi folks, the snapd support for this feature landed in the 2.62 release of snapd - any chance you could merge this into the lxd snap? cc @tomponline @simondeziel

The `assumes: snapd2.62` means it can not be installed on a system without snapd 2.62 - so there is no risk here.

snapd 2.62 just migrated into the updates pocket for all the stable releases of Ubuntu and has been in the snapd snap stable channel for a while now too. So...