Merge profiles: Add profile for unshare utility

This adds an unshare profile to allow it to function on a system with user namespace restrictions enabled. The child task of unshare will enter into a profile without capabilities thus preventing unshare from being able to be used to arbitrarily by-pass the user namespace restriction. This profile does prevent applications launch with privilege (eg. sudo unshare ...) from functioning so it may break some use cases. Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844 Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1204 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-30 13:58:22 +00:00 · 2024-04-04 05:42:33 +00:00
parent b6f2a3d9d2 c299dd0d96
commit 2d59dc3d9b
1 changed files with 29 additions and 0 deletions
--- a/profiles/apparmor.d/unshare-userns-restrict
+++ b/profiles/apparmor.d/unshare-userns-restrict
@@ -0,0 +1,29 @@
+# This profile allows almost everything and only exists to allow
+# unshare to work on a system with user namespace restrictions
+# being enforced.
+# unshare is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking unshare from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+
+profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+    allow capability,
+    allow file rwlkm /{**,},
+    allow network,
+    allow unix,
+    allow ptrace,
+    allow signal,
+    allow mqueue,
+    allow io_uring,
+    allow userns,
+    allow mount,
+    allow umount,
+    allow pivot_root,
+    allow dbus,
+    audit allow cx /** -> unpriv_unshare,
+
+    profile unpriv_unshare flags=(attach_disconnected) {
+        allow all,
+	deny capability,
+    }
+}