From d90e4cf52990c8a784cd7438f7efd84628cc9724 Mon Sep 17 00:00:00 2001
From: shenmo
Date: Thu, 20 Jun 2024 22:31:58 +0800
Subject: [PATCH] fix-apparmor

---
 src/DEBIAN/postinst | 8 ++++++--
 src/etc/apparmor.d/amber-ce-bookworm | 7 -------
 src/usr/lib/sysctl.d/amber-ce.conf | 6 ++++++
 3 files changed, 12 insertions(+), 9 deletions(-)
 delete mode 100644 src/etc/apparmor.d/amber-ce-bookworm
 create mode 100644 src/usr/lib/sysctl.d/amber-ce.conf

diff --git a/src/DEBIAN/postinst b/src/DEBIAN/postinst
index b79ff81..c312530 100755
--- a/src/DEBIAN/postinst
+++ b/src/DEBIAN/postinst
@@ -17,8 +17,12 @@ if [ "${PACKAGE_NAME}" = "cn.flamescion.bookworm-compatibility-mode" ];then
 systemctl daemon-reload
 systemctl enable ace-bookworm-auto-upgrade
 systemctl start ace-bookworm-auto-upgrade
+ # enable kernel.unprivileged_userns_clone
+ # disable kernel.apparmor_restrict_unprivileged_unconfined and kernel.apparmor_restrict_unprivileged_userns
+ if [ -f /usr/lib/sysctl.d/amber-ce.conf ];then
+ sysctl -p /usr/lib/sysctl.d/amber-ce.conf
+ fi
+
 fi
-systemctl reload apparmor
-
 true
diff --git a/src/etc/apparmor.d/amber-ce-bookworm b/src/etc/apparmor.d/amber-ce-bookworm
deleted file mode 100644
index 5555573..0000000
--- a/src/etc/apparmor.d/amber-ce-bookworm
+++ /dev/null
@@ -1,7 +0,0 @@
-abi ,
-include
-profile bwrap /usr/bin/bwrap flags=(unconfined) {
-userns,
-#Site-specific additions and overrides. See local/README for details.
-include if exists
-}
diff --git a/src/usr/lib/sysctl.d/amber-ce.conf b/src/usr/lib/sysctl.d/amber-ce.conf
new file mode 100644
index 0000000..10177b4
--- /dev/null
+++ b/src/usr/lib/sysctl.d/amber-ce.conf
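Review bot: `sysctl -p /usr/lib/sysctl.d/amber-ce.conf` in the added block returns non-zero as soon as one key in that file is absent from the running kernel, and the file mixes a Debian-only knob (`kernel.unprivileged_userns_clone`) with Ubuntu-only ones (`kernel.apparmor_restrict_unprivileged_*`), so on most kernels at least one write will fail; if postinst runs under `set -e` (the script header is outside the hunk) that aborts package configuration. Use `sysctl -e -p /usr/lib/sysctl.d/amber-ce.conf` so unknown keys are skipped instead of failing the whole load. The enclosing `if [ "${PACKAGE_NAME}" = ... ]` starts outside the hunk, so I cannot tell whether other package names also need the sysctl step. Separately, the comments only restate the key names; a one-line why, e.g. `# apply at install time too; systemd-sysctl only reads this file at boot`, would explain why the drop-in is loaded here in addition to being shipped.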
@@ -0,0 +1,6 @@
+# ACE app runs in a container, need privileges within user namespace, so we need to set it
+kernel.unprivileged_userns_clone=1
+# Ubuntu 24.04 has more limitation on unprivileged user namespace,so we have to disable them.
+# refer to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+kernel.apparmor_restrict_unprivileged_unconfined=0
+kernel.apparmor_restrict_unprivileged_userns=0
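Review bot: The comments in the new file do not say that `kernel.apparmor_restrict_unprivileged_userns=0` and `kernel.apparmor_restrict_unprivileged_unconfined=0` lift the restriction for every unprivileged process on the host, whereas the `amber-ce-bookworm` profile this commit deletes granted `userns` to `/usr/bin/bwrap` alone; a reader should see that trade-off in the file, e.g. `# NOTE: host-wide setting; the narrower option is an AppArmor profile granting userns to bwrap only`. Since `kernel.unprivileged_userns_clone` exists only on Debian kernels and the two `apparmor_restrict_*` keys only on Ubuntu kernels, systemd-sysctl will report an error for whichever keys are missing at boot; prefixing each key with `-` (e.g. `-kernel.unprivileged_userns_clone=1`) is the documented sysctl.d way to ignore a missing key, and the same applies to the other two lines. The "Ubuntu 24.04" comment should also mention that the file is installed unconditionally, not only on Ubuntu, or the reference reads as if it were Ubuntu-specific.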