Another point to mention is the handling of UBUNTU_CORE_LAUNCHER_NO_ROOT in two places. The following should help with the logic there and impact on racing the env with the suid launcher:
UBUNTU_CORE_LAUNCHER_NO_ROOT unset in both (root): disable nnp then raise to load_seccomp (correct)
UBUNTU_CORE_LAUNCHER_NO_ROOT set in both (non-root): nnp stays then no raise to load_seccomp (correct)
UBUNTU_CORE_LAUNCHER_NO_ROOT unset first (root) and set second (non-root): disable nnp then load_seccomp fails closed
UBUNTU_CORE_LAUNCHER_NO_ROOT set first (non-root) and unset second (root): nnp stays then load_seccomp. This is more strict than the intended behavior and will trigger an apparmor denial
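As an added illustration (not code from the launcher or from this review), the four orderings above modelled in C: `launch_racy` consults the variable independently at both places, `launch_snapshot` reads it once and derives both decisions from that value. The fake environment, the `simulate` helper and the outcome names are constructed for the example; the classification assumes the kernel rule that a seccomp filter can only be installed with CAP_SYS_ADMIN or with no_new_privs set.

```c
#include <stdbool.h>
#include <stddef.h>

/* Outcomes of the launch sequence as enumerated in the review comment. */
enum outcome {
    OUT_ROOT_PATH,        /* nnp disabled, privileges raised, seccomp loads */
    OUT_NONROOT_PATH,     /* nnp kept, no raise, seccomp loads under nnp   */
    OUT_FAIL_CLOSED,      /* nnp disabled and no raise: load_seccomp fails */
    OUT_UNEXPECTED_DENIAL /* nnp kept and raise anyway: AppArmor denial    */
};

/* Environment lookup is injected so a change between lookups can be reproduced. */
typedef const char *(*env_fn)(const char *name);

/* Assumed kernel rule: a seccomp filter loads only with CAP_SYS_ADMIN or no_new_privs. */
static enum outcome classify(bool nnp_kept, bool raise_privs) {
    if (!nnp_kept && !raise_privs) return OUT_FAIL_CLOSED;
    if (nnp_kept && raise_privs)   return OUT_UNEXPECTED_DENIAL;
    return raise_privs ? OUT_ROOT_PATH : OUT_NONROOT_PATH;
}

/* Racy shape: the variable is consulted at both decision points. */
enum outcome launch_racy(env_fn lookup) {
    bool nnp_kept    = lookup("UBUNTU_CORE_LAUNCHER_NO_ROOT") != NULL; /* first place  */
    bool raise_privs = lookup("UBUNTU_CORE_LAUNCHER_NO_ROOT") == NULL; /* second place */
    return classify(nnp_kept, raise_privs);
}

/* Snapshot shape: read once, derive both decisions from the same value. */
enum outcome launch_snapshot(env_fn lookup) {
    bool no_root = lookup("UBUNTU_CORE_LAUNCHER_NO_ROOT") != NULL;
    return classify(no_root, !no_root);
}

/* Constructed fake environment: sim_set[0] on the first lookup, sim_set[1] afterwards. */
static bool sim_set[2];
static int  sim_calls;
static const char *sim_lookup(const char *name) {
    (void)name;
    bool set = sim_set[sim_calls == 0 ? 0 : 1];
    sim_calls++;
    return set ? "1" : NULL;
}

/* Run one launch with the variable seen as `first`, then as `second`. */
enum outcome simulate(bool racy, bool first, bool second) {
    sim_set[0] = first; sim_set[1] = second; sim_calls = 0;
    return racy ? launch_racy(sim_lookup) : launch_snapshot(sim_lookup);
}
```

Only the racy shape can reach the two inconsistent outcomes; the snapshot shape maps every ordering onto the root or non-root path.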