From c299dd0d960a617bc6a949648ffc6901f3339965 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 3 Apr 2024 21:38:43 -0700 Subject: [PATCH] profiles: Add profile for unshare utility This adds an unshare profile to allow it to function on a system with user namespace restrictions enabled. The child task of unshare will enter into a profile without capabilities thus preventing unshare from being able to arbitrarily being used to by-pass the user namespace restriction. This profile does prevent applications launch with privilege (eg. sudo unshare ...) from functioning so it may break some use cases. Signed-off-by: John Johansen --- profiles/apparmor.d/unshare-userns-restrict | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 profiles/apparmor.d/unshare-userns-restrict diff --git a/profiles/apparmor.d/unshare-userns-restrict b/profiles/apparmor.d/unshare-userns-restrict new file mode 100644 index 000000000..217cb0ebb --- /dev/null +++ b/profiles/apparmor.d/unshare-userns-restrict @@ -0,0 +1,29 @@ +# This profile allows almost everything and only exists to allow +# unshare to work on a system with user namespace restrictions +# being enforced. +# unshare is allowed access to user namespaces and capabilities +# within the user namespace, but its children do not have +# capabilities, blocking unshare from being able to be used to +# arbitrarily by-pass the user namespace restrictions. + +profile unshare /usr/bin/unshare flags=(attach_disconnected) { + allow capability, + allow file rwlkm /{**,}, + allow network, + allow unix, + allow ptrace, + allow signal, + allow mqueue, + allow io_uring, + allow userns, + allow mount, + allow umount, + allow pivot_root, + allow dbus, + audit allow cx /** -> unpriv_unshare, + + profile unpriv_unshare flags=(attach_disconnected) { + allow all, + deny capability, + } +}
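Review bot: the new profile relies on 4.0-only rule types (`allow userns,`, `allow mqueue,`, `allow io_uring,`, `allow all,`) but declares no policy ABI; consider adding `abi <abi/4.0>,` (and `include <tunables/global>` if this file is meant to sit alongside the other shipped profiles) above the `profile unshare /usr/bin/unshare ...` line so these rules are parsed under a known feature ABI rather than whatever the parser defaults to on a given kernel. Also, the child block `profile unpriv_unshare` pairs `allow all,` with `deny capability,` and depends on deny taking precedence over allow for the restriction to hold; a one-line comment there stating that intent would spare the next reader from checking whether rule order matters. Minor: in the commit message, "applications launch with privilege" should read "applications launched with privilege".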