A somewhat overlapping question here. I'm trying to disable AppArmor system-wide. After doing this:
sudo systemctl stop apparmor
sudo systemctl disable apparmor
And rebooting, I get:
❯❯ sudo aa-status | egrep '^[0-9]'
48 profiles are loaded.
41 profiles are in enforce mode.
7 profiles are in complain mode.
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
17 processes have profiles defined.
17 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
❯❯ sudo aa-enabled
Yes
❯❯ sudo systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; preset: enabled)
Active: inactive (dead)
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
If I do something that violates the policy (in my case, creating a user namespace), I get something like this in my kernel log, which seems to confirm that AppArmor is in effect:
[ 942.570952] audit: type=1400 audit(1735492407.323:89): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=6227 comm="python" requested="userns_create" denied="userns_create" target="unprivileged_userns"
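The state shown above is the kernel's, not systemd's: aa-status and aa-enabled read /sys/kernel/security/apparmor/profiles and /sys/module/apparmor/parameters/enabled, so they keep reporting loaded profiles whether or not apparmor.service is running. The script below is an added example (not code from the post or from the AppArmor project) that reads those same kernel interfaces directly and parses apparmor="DENIED" audit records like the one in the post. It assumes a Linux host; the kernel parameter apparmor=0 is the documented way to turn the LSM off at boot, and the sysctl kernel.apparmor_restrict_unprivileged_userns is the Ubuntu-specific knob behind the userns_create denial (assumed present only on kernels that ship it; every file is read only if it exists). The sample log line in the usage is the one from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads the kernel's view of
# AppArmor (the same sources aa-status/aa-enabled use) and parses denial records.

# Report the kernel's AppArmor state, independent of apparmor.service.
# Prints one line:
#   enabled=<Y|N> loaded=<n> enforce=<n> complain=<n> cmdline=<apparmor=...|none> userns_restrict=<0|1|n/a>
apparmor_kernel_state() {
    enabled=N
    # "Y"/"N": this is what aa-enabled reads
    [ -r /sys/module/apparmor/parameters/enabled ] && enabled=$(cat /sys/module/apparmor/parameters/enabled)

    loaded=0 enforce=0 complain=0
    # One "<profile name> (<mode>)" line per loaded profile; root-readable securityfs
    if [ -r /sys/kernel/security/apparmor/profiles ]; then
        loaded=$(wc -l < /sys/kernel/security/apparmor/profiles | tr -d ' ')
        enforce=$(grep -c '(enforce)$' /sys/kernel/security/apparmor/profiles || true)
        complain=$(grep -c '(complain)$' /sys/kernel/security/apparmor/profiles || true)
    fi

    # apparmor=0 on the kernel command line is what disables the LSM at boot;
    # stopping/disabling the unit only affects profile loading, not the kernel.
    cmdline=
    [ -r /proc/cmdline ] && cmdline=$(grep -o 'apparmor=[^ ]*' /proc/cmdline | head -n 1)
    [ -n "$cmdline" ] || cmdline=none

    # Ubuntu-specific sysctl behind "Userns create restricted" (assumption: present on such kernels)
    userns=n/a
    [ -r /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] && \
        userns=$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)

    printf 'enabled=%s loaded=%s enforce=%s complain=%s cmdline=%s userns_restrict=%s\n' \
        "$enabled" "$loaded" "$enforce" "$complain" "$cmdline" "$userns"
}

# Exit 0 if the line is an AppArmor denial audit record (type=1400), 1 otherwise.
is_apparmor_denial() {
    case "$1" in
        *'apparmor="DENIED"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of one key from an audit line. Handles both quoted fields
# (info="..." may contain spaces) and unquoted ones (pid=6227, error=-13).
#   apparmor_field "$line" operation   -> userns_create
apparmor_field() {
    v=$(printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p")
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p")
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Compact one-line summary of a denial, suitable for a log pipeline.
# A profile of "unconfined" with target=unprivileged_userns means the process
# had no profile at all and the kernel-wide userns restriction still applied.
summarize_apparmor_denial() {
    is_apparmor_denial "$1" || return 1
    printf 'pid=%s comm=%s profile=%s op=%s target=%s\n' \
        "$(apparmor_field "$1" pid)" "$(apparmor_field "$1" comm)" \
        "$(apparmor_field "$1" profile)" "$(apparmor_field "$1" operation)" \
        "$(apparmor_field "$1" target)"
}

# Usage on the line from the post:
#   summarize_apparmor_denial '[  942.570952] audit: type=1400 ... target="unprivileged_userns"'
# or, on a live host, against the kernel log:
#   dmesg | while IFS= read -r l; do summarize_apparmor_denial "$l"; done
#   apparmor_kernel_state
```

The first helper is the check to run before and after a reboot: if `enabled=Y` and `loaded` is non-zero while `cmdline=none`, the kernel never saw a request to disable AppArmor, regardless of the unit's state. The denial summary separates the confined case (a named profile) from the one in the post, where `profile=unconfined` shows the restriction does not depend on any loaded profile.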