fix-apparmor

src/DEBIAN/postinst

@@ -17,8 +17,12 @@ if [ "${PACKAGE_NAME}" = "cn.flamescion.bookworm-compatibility-mode" ];then
 systemctl daemon-reload
 systemctl enable ace-bookworm-auto-upgrade
 systemctl start ace-bookworm-auto-upgrade
+        # enable kernel.unprivileged_userns_clone
+        # disable kernel.apparmor_restrict_unprivileged_unconfined and kernel.apparmor_restrict_unprivileged_userns
+        if [ -f /usr/lib/sysctl.d/amber-ce.conf ];then
+                sysctl -p /usr/lib/sysctl.d/amber-ce.conf
+        fi
+
 fi
 
-systemctl reload apparmor
-
 true

src/etc/apparmor.d/amber-ce-bookworm

@@ -1,7 +0,0 @@
-abi <abi/4.0>,
-include <tunables/global>
-profile bwrap /usr/bin/bwrap flags=(unconfined) {
-userns,
-#Site-specific additions and overrides. See local/README for details.
-include if exists <local/bwrap>
-}

src/usr/lib/sysctl.d/amber-ce.conf

@@ -0,0 +1,6 @@
+# ACE app runs in a container, need privileges within user namespace, so we need to set it
+kernel.unprivileged_userns_clone=1
+# Ubuntu 24.04 has more limitation on unprivileged user namespace,so we have to disable them.
+# refer to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+kernel.apparmor_restrict_unprivileged_unconfined=0
+kernel.apparmor_restrict_unprivileged_userns=0