Anyone can create an AppArmor profile for the systems they use or packages they maintain. There's a package called `aa-utils` that includes a few utilities to create and refine profiles similar to SELinux's `audit2allow` tool. It is not feature complete IMO though, be warned.

> I'm struggling to understand how Ubuntu expects this to be adopted in open-source application.

Sys admins, maintainers and packagers will have to add in a new conf file to /etc/apparmor.d/ for each app that needs to call `clone()` or `unshare()` which isn't very common IMO.

> Is there no way for a system administrator to enable this and retrofit apps?

You can write a <10 line profile for any app to exclude it from the unprivileged user name space restriction. It's there in the blog [1].
[1] https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged...
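
The kind of short profile the comment refers to, generated for an arbitrary binary. This is an added example, not part of the original comment or the linked blog post. It assumes AppArmor 4.0 policy syntax (the `userns,` rule); the function name `userns_profile`, the profile name `myapp` and its path are hypothetical.

```shell
#!/bin/sh
# Added example: emit an AppArmor profile that lets one binary keep creating
# unprivileged user namespaces. All names and paths here are constructed.

# userns_profile NAME /absolute/path/to/binary
userns_profile() {
    name=$1
    bin=$2
    # Profile attachment paths must be absolute; refuse anything else.
    case $bin in
        /*) ;;
        *) echo "binary path must be absolute: $bin" >&2; return 1 ;;
    esac
    # Restrict the profile name to a conservative character set (assumption:
    # stricter than AppArmor requires, so the file name stays predictable).
    case $name in
        ''|*[!A-Za-z0-9._-]*) echo "bad profile name: $name" >&2; return 1 ;;
    esac
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# Binary stays otherwise unconfined; only user namespace creation is granted.
profile $name $bin flags=(unconfined) {
  userns,
  include if exists <local/$name>
}
EOF
}

# Typical use as root (not run here):
#   userns_profile myapp /opt/myapp/bin/myapp > /etc/apparmor.d/myapp
#   apparmor_parser -r /etc/apparmor.d/myapp
```
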