
Revert "templates/20.04/unconfined: Transition child processes to unconfined"

Turns out, this breaks applications that use the "unconfined" profile and QtWebEngine or Morph.Web. Chromium code will set the "no new privs" flag [1] prior to exec'ing the helper process (in our case, QtWebEngine Process) to help reduce attack surface. Unfortunately, this means that the transition to "be actually unconfined" is now denied.

Sadly there seems to be no good way to work around this, so revert it back to how it was before. The upshot is that the transition to 24.04 will bring the userspace version 4.0.0-alpha2, which should include the necessary syntax for "actually unconfined" as intended.

This reverts commit 6f55664b.

[1] https://docs.kernel.org/userspace-api/no_new_privs.html

Fixes: #18

Edited by Ratchanan Srirattanamet
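As an added illustration (not code from this merge request or its project), the following C program shows the property of the flag the description relies on: once a process sets PR_SET_NO_NEW_PRIVS, the flag is reported by both prctl and /proc/self/status, and the kernel refuses to clear it, which is why any later profile transition that would need more privilege is denied. It assumes a Linux host; the function names are the example's own.

```c
// Added example, not part of the merge request: observe the one-way
// "no new privs" flag that Chromium sets before exec'ing its helpers.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

// Parse the "NoNewPrivs:" line of /proc/self/status.
// Returns 0 or 1, or -1 if the file or line is unavailable.
int no_new_privs_from_proc(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return value;
}

// Ask the kernel directly for the same flag (0 or 1, -1 on error).
int no_new_privs_from_prctl(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

// Set the flag exactly as a sandboxing parent does before exec.
// Returns 0 on success.
int enable_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

// Try to clear the flag. The kernel only accepts arg2 == 1, so this
// fails with EINVAL; the returned errno shows the flag is irreversible.
int try_clear_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0) return 0;
    return errno;
}

int main(void) {
    printf("before: prctl=%d proc=%d\n",
           no_new_privs_from_prctl(), no_new_privs_from_proc());
    enable_no_new_privs();
    printf("after:  prctl=%d proc=%d clear_errno=%d\n",
           no_new_privs_from_prctl(), no_new_privs_from_proc(),
           try_clear_no_new_privs());
    return 0;
}
```

The same "NoNewPrivs:" line in /proc/<pid>/status is the quickest way to confirm, on a running renderer, why an AppArmor transition was refused.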
