mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-14 13:15:35 -04:00
It turns out that it is impossible to get ptrace capabilities for child user namespaces in the current kernel if the user namespace is created as root, which is what happens when bwrap is setuid root (see https://github.com/flatpak/flatpak/issues/557 for details). This is very problematic, as ptrace rights control access to /proc/$pid/root which is what we base the detection of peer app id and rights on for portals. For now, we disable user namespaces (except for the case of unprivileged user namespaces, where it is necessary and works).