
workaround for ubuntu 25

On Ubuntu, run `./oniux --join-user-ns path/to/user/namespace <CMD>...` instead of `./oniux <CMD>...`, where the path is the `/proc/<PID>/ns/user` link of a process that already lives in a user namespace owned by your own UID (the example below uses the long-lived pause process of rootless podman). Joining an existing namespace sidesteps the AppArmor confinement that Ubuntu applies to processes that create a new unprivileged user namespace (the profile is reproduced further down).

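# Workaround for Ubuntu 25: processes that create an unprivileged user namespace
# are confined by the `unprivileged_userns` AppArmor profile (reproduced below),
# which denies every capability. Instead of letting oniux create its own user
# namespace, join one that already exists and is owned by our UID.
#
# 1. Make sure the rootless podman user namespace exists. `podman unshare` runs
#    a command inside it; the pause process (catatonit) keeps the namespace alive
#    after that command has exited, which is what we join in step 3.
podman unshare true

# 2. Locate the pause process. Do NOT hard-code the PID or the namespace inode
#    (in the original transcript: PID 3000, inode 4000000001) — both are specific
#    to one machine and one boot. Match on USER as well so that we only ever
#    join a namespace whose processes run as us.
#    Example `lsns` line: `3000 haha catatonit -P`
pause_pid=$(lsns --type user --noheadings --output PID,USER,COMMAND \
            | awk -v me="$(id -un)" '$2 == me && $3 == "catatonit" { print $1; exit }')
if [ -z "$pause_pid" ] || [ ! -e "/proc/$pause_pid/ns/user" ]; then
    echo "no rootless podman user namespace found (is catatonit running?)" >&2
    exit 1
fi

# 3. Run the command inside that user namespace. The sandboxed command now shares
#    the user namespace with the podman pause process (and presumably with the
#    rootless containers it serves — TODO confirm), so the isolation between them
#    is weaker than with a user namespace of oniux's own.
./oniux --join-user-ns "/proc/$pause_pid/ns/user" sh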

User namespaces created by other processes confined the same way (e.g. `/usr/bin/pasta`) appear to be usable as well. Whichever namespace you join, the sandboxed command then lives in it together with the process that created it, so prefer a namespace whose other occupants you would not mind sharing one with, and never join one that belongs to another user.
For reference, the AppArmor profile that Ubuntu applies to a process that creates an unprivileged user namespace, `/etc/apparmor.d/unprivileged_userns`:

# Special profile transitioned to by unconfined when creating an unprivileged
# user namespace.
#
abi <abi/4.0>,
include <tunables/global>

profile unprivileged_userns {
     # Every capability is denied (and each attempt is logged): the process keeps
     # the user namespace it just created but none of the privileges that
     # namespace would normally grant. This is what breaks tools that expect to
     # set up further namespaces with those capabilities — presumably the case
     # for oniux, hence the --join-user-ns workaround above.
     audit deny capability,
     # Switching to another profile is denied as well, so the confinement
     # cannot be shed by a change_profile request.
     audit deny change_profile,

     # allow block to be replaced by allow when x dominance test is fixed
     #allow all,
     # Everything below stays permitted so ordinary unprivileged work keeps
     # running; note that ptrace, signal and (nested) userns creation are
     # among the allowed operations.
     allow network,
     allow signal,
     allow dbus,
     allow file rwlkm /**,
     allow unix,
     allow mqueue,
     allow ptrace,
     allow userns,

     # stack children to strip capabilities
     # Executed programs are stacked into this same profile, so the capability
     # denial above follows every descendant of the confined process.
     allow pix /** -> &unprivileged_userns ,

     # Site-specific additions and overrides. See local/README for details.
     include if exists <local/unprivileged_userns>
}

