add special unprivileged_userns profile

Unprivileged user namespace creation is allowed an will result in a transition into the unprivileged_userns profile. The unprivileged_userns profile with then deny all capabilities within the profile. Execution of applications is allowed within the unprivileged_userns profile but, they will result in a stack with the unprivileged_userns profile, that is to say the unprivileged_userns profile can not be dropped (capabilities can not be gained). If the unprivileged_userns profile does not exist, unprivileged user namespace creation is denied as before. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-08-31 14:25:52 +00:00 · 2024-02-02 10:52:26 -03:00
parent 6add80d83f
commit 789cda2f08
1 changed files with 27 additions and 0 deletions
--- a/profiles/apparmor.d/unprivileged_userns
+++ b/profiles/apparmor.d/unprivileged_userns
@@ -0,0 +1,27 @@
+# Special profile transitioned to by unconfined when creating an unprivileged
+# user namespace.
+#
+abi <abi/4.0>,
+include <tunables/global>
+
+profile unprivileged_userns {
+     audit deny capability,
+     audit deny change_profile,
+
+     # allow block to be replaced by allow when x dominance test is fixed
+     #allow all,
+     allow network,
+     allow signal,
+     allow dbus,
+     allow file rwlkm /**,
+     allow unix,
+     allow mqueue,
+     allow ptrace,
+     allow userns,
+
+     # stack children to strip capabilities
+     allow pix /** -> &unprivileged_userns ,
+
+     # Site-specific additions and overrides. See local/README for details.
+     include if exists <local/unprivileged_userns>
+}