I migrated the majority of my workloads from Ubuntu 22.04 to Debian 12. It was mostly due to snap packages, netplan, and other tooling that didn’t feel essential. I want my OS to mostly get out of my way and I feel Debian achieves that.
If I understand things correctly, systemd can do most, if not all, of what’s being described here without AppArmor. So this feature isn’t enough for me to consider coming back to Ubuntu.
The feature is to restrict use of user namespace restrictions to applications with AppArmor configuration ... that only Ubuntu controls?
This is ideal for containers, but containers are not mentioned among the default apps... because it's a desktop distribution?
I'm struggling to understand how Ubuntu expects this to be adopted in open-source applications. Does everyone beg Ubuntu for AppArmor configuration? Does it get installed via enhanced apt bundles?
Is there no way for a system administrator to enable this and retrofit apps?
One can imagine the support emails and bugs if this is enabled. hmm.
Anyone can create an AppArmor profile for the systems they use or packages they maintain. There's a package called `aa-utils` that includes a few utilities to create and refine profiles similar to SELinux's `audit2allow` tool. It is not feature complete IMO though, be warned.
> I'm struggling to understand how Ubuntu expects this to be adopted in open-source applications.
Sys admins, maintainers and packagers will have to add in a new conf file to /etc/apparmor.d/ for each app that needs to call `clone()` or `unshare()` which isn't very common IMO.
> Is there no way for a system administrator to enable this and retrofit apps?
You can write a <10 line profile for any app to exclude it from the unprivileged user namespace restriction. It's there in the blog [1].
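A short profile of the kind the comment above describes, shown as an added illustration rather than text from the comment or the blog it cites. It assumes AppArmor 4.0 policy syntax, and the application name and path (`exampleapp`, `/opt/exampleapp/bin/exampleapp`) are hypothetical placeholders.

```apparmor
# /etc/apparmor.d/exampleapp  (hypothetical file name and application path)
# Assumes AppArmor 4.0 policy syntax.
abi <abi/4.0>,
include <tunables/global>

# flags=(unconfined): the binary keeps running without other AppArmor
# mediation; the profile exists only to carry the userns permission.
profile exampleapp /opt/exampleapp/bin/exampleapp flags=(unconfined) {
  # Allow this binary to create user namespaces, i.e. the clone()/unshare()
  # calls that the unprivileged user namespace restriction otherwise denies.
  userns,

  # Optional site-local additions, if the administrator provides any.
  include if exists <local/exampleapp>
}
```

After placing the file, `apparmor_parser -r /etc/apparmor.d/exampleapp` loads or reloads it. The attachment path should match only the one binary that needs the exemption, since every program the profile attaches to regains user namespace creation.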