Discussion around making nsjail a host dependency

[Alexander Koskovich]

Hello,

With Ubuntu 24.04 Canonical has made some AppArmor changes which breaks nsjail unless you create a profile for the nsjail binary (https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#security-improvements-14).

The problem with this is that the nsjail location is wherever you synced AOSP, so a profile can't really be made for it that can be upstreamed to AppArmor.

First idea is to just change build documentation to note that Ubuntu 24.04 onwards will require disabling the restriction.

Second idea is to make nsjail a package in Debian, that way it would have a static location in a non user modifiable location, that a policy could be created for and upstreamed.

I've noticed that a lot of build dependencies have been moved to prebuilts, so I'm not sure if moving nsjail out of tree is really something Google would want.

Thoughts?