profiles: update bwrap profile

Update the bwrap profile so that it will attach to application profiles
if present.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 1979af7710)
Signed-off-by: John Johansen <john.johansen@canonical.com>

profiles/apparmor/profiles/extras/bwrap-userns-restrict

@@ -1,17 +1,12 @@
-# This profile allows almost everything and only exists to allow
+# This profile allows almost everything and only exists to allow bwrap
-# bwrap to work on a system with user namespace restrictions
+# to work on a system with user namespace restrictions being enforced.
-# being enforced.
+# bwrap is allowed access to user namespaces and capabilities within
-# bwrap is allowed access to user namespaces and capabilities
+# the user namespace, but its children do not have capabilities,
-# within the user namespace, but its children do not have
+# blocking bwrap from being able to be used to arbitrarily by-pass the
-# capabilities, blocking bwrap from being able to be used to
+# user namespace restrictions.
-# arbitrarily by-pass the user namespace restrictions.
-#
-# Note: the bwrap child is stacked against the bwrap profile due to
-# bwraps use of no-new-privs
 
-# disabled by default as it can break some use cases on a system that
+# Note: the bwrap child is stacked against the bwrap profile due to
-# doesn't have or has disable user namespace restrictions for unconfined
+# bwraps use of no-new-privs.
-# use aa-enforce to enable it
 
 abi <abi/4.0>,
 
@@ -19,9 +14,11 @@ include <tunables/global>
 
 profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
   allow capability,
-  # not allow all, to allow for pix stack
+  # not allow all, to allow for pix stack on systems that don't support
-  # sadly we have to allow  m every where to allow children to work under
+  # rule priority.
-  # stacking.
+  #
+  # sadly we have to allow 'm' every where to allow children to work under
+  # profile stacking atm.
   allow file rwlkm /{**,},
   allow network,
   allow unix,
@@ -34,7 +31,23 @@ profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
   allow umount,
   allow pivot_root,
   allow dbus,
-  allow px /** -> bwrap//&unpriv_bwrap,
+
+  # stacked like this due to no-new-privs restriction
+  # this will stack a target profile against bwrap and unpriv_bwrap
+  # Ideally
+  # - there would be a transition at userns creation first. This would allow
+  #   for the bwrap profile to be tighter, and looser within the user
+  #   ns. bwrap will still have to fairly loose until a transition at
+  #   namespacing in general (not just user ns) is available.
+  # - there would be an independent second target as fallback
+  #   This would allow for select target profiles to be used, and not
+  #   necessarily stack the unpriv_bwrap in cases where this is desired
+  #
+  # the ix works here because stack will apply to ix fallback
+  # Ideally we would sanitize the environment across a privilege boundry
+  # (leaving bwarp into application) but flatpak etc use environment glibc
+  # sanitized environment variables as part of the sandbox setup.
+  allow pix /** -> &bwrap//&unpriv_bwrap,
 
   # the local include should not be used without understanding the userns
   # restriction.
@@ -42,6 +55,7 @@ profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
   include if exists <local/bwrap-userns-restrict>
 }
 
+# The unpriv_bwrap profile is used to strip capabilities within the userns
 profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
   # not allow all, to allow for pix stack
   allow file rwlkm /{**,},
@@ -57,6 +71,9 @@ profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
   allow pivot_root,
   allow dbus,
 
+  # bwrap profile does stacking against itself this will keep the target
+  # profile from having elevated privileges in the container.
+  # If done recursively the stack will remove any duplicate
   allow pix /** -> &unpriv_bwrap,
 
   audit deny capability,