The standard assumption up to now has been that applications without a specific apparmor profile run "unconfined", which essentially doesn't forbid anything. However, in Ubuntu 24.04 an unconfined process that creates an unprivileged user namespace is automatically transitioned into the "unprivileged_userns" profile, which does add restrictions. Disabling this profile doesn't work, because that seems to block use of unprivileged namespaces completely.
What does work is to create a specific apparmor profile for guix that is really unconfined and explicitly allows user namespaces:
Create a file /etc/apparmor.d/guix:
abi <abi/4.0>,
include <tunables/global>

# unconfined: no rules are enforced; userns: creating user namespaces is
# allowed, so guix is not moved into the unprivileged_userns profile.
profile guix /usr/bin/guix flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/guix>
}
(you might have to specify a different path instead of /usr/bin/guix when the binary is somewhere else. AppArmor attaches the profile to the path of the executable that actually runs, so follow the chain of symlinks, e.g. with readlink -f /usr/bin/guix; sometimes it ends at something like /gnu/store/c9a2snygcp9iywbncwky5jcjp29x3hsw-guix-command, and the path in the profile has to be updated when that store path changes)
Then load it:
/etc/init.d/apparmor reload
(or systemctl reload apparmor, or only this profile with apparmor_parser -r /etc/apparmor.d/guix). Check with aa-status that the guix profile is listed before running guix again.
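The steps above, as an added shell example that is not from the original page or from the guix project: it generates the profile for whichever path the guix binary actually resolves to, loads it with apparmor_parser, and checks that it took effect. The function names, the profile name "guix" and the assumption that guix is started via /usr/bin/guix are this example's own choices; installing and verifying needs root.

```shell
#!/bin/sh
# Added example (not the page's or guix's own code). Generates and loads an
# AppArmor profile that is unconfined but explicitly grants user namespaces,
# keeping guix out of Ubuntu 24.04's unprivileged_userns profile.

# Emit the profile text for a given profile name and attachment path.
guix_userns_profile() {
    name="$1"
    bin="$2"
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# $name: no confinement, but opt out of the unprivileged_userns restriction
# by granting user namespace creation explicitly.
profile $name $bin flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# AppArmor attaches a profile to the executable's real path, so resolve the
# symlink chain (e.g. /usr/bin/guix -> ... -> /gnu/store/...-guix-command).
resolve_binary() {
    readlink -f "$1"
}

# Write the profile and load it. apparmor_parser -r replaces an already
# loaded copy, so this can be re-run after the store path changes. Needs root.
install_profile() {
    name="$1"
    bin="$(resolve_binary "$2")"
    guix_userns_profile "$name" "$bin" > "/etc/apparmor.d/$name"
    apparmor_parser -r "/etc/apparmor.d/$name"
}

# Checks: the profile is listed by aa-status, and the sysctl that drives the
# unprivileged_userns transition is printed for reference.
verify_profile() {
    name="$1"
    aa-status | grep -F "$name"
    sysctl kernel.apparmor_restrict_unprivileged_userns
}

# Usage (as root): install_profile guix /usr/bin/guix && verify_profile guix
```

Resolving the path with readlink -f is the part that matters most in practice: the profile written for /usr/bin/guix silently fails to attach if that path is only a symlink into the store, and the store path moves whenever guix is updated.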
See:
- https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115 Conflict between apparmor and guix on Ubuntu 24.04
- https://bugs.launchpad.net/apparmor/+bug/2046844 AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Removed the mention of aa-enforce. It appears that this only updates the configuration file, and not always in the right way, and shouldn't be needed when the configuration has been updated correctly by hand.