Commit fa9b63ad authored by John Johansen's avatar John Johansen

apparmor: add user namespace creation mediation



Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysctl level, which also blocks its legitimate use, such as setting up a sandbox,
allow control on a per domain basis.

This allows an admin to quickly lock down a system while also still
allowing legitimate use.

Reviewed-by: default avatarGeorgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 2d9da9b1
+1 −0
@@ -2375,6 +2375,7 @@ static struct aa_sfs_entry aa_sfs_entry_mount[] = {
static struct aa_sfs_entry aa_sfs_entry_ns[] = {
	AA_SFS_FILE_BOOLEAN("profile",		1),
	AA_SFS_FILE_BOOLEAN("pivot_root",	0),
	AA_SFS_FILE_STRING("mask", "userns_create"),
	{ }
};

+1 −1
@@ -58,7 +58,7 @@ static const char *const aa_class_names[] = {
	"io_uring",
	"module",
	"lsm",
	"unknown",
	"namespace",
	"unknown",
	"unknown",
	"unknown",
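Review bot: The new `"namespace"` entry in aa_class_names relies purely on its position matching the value of AA_CLASS_NS (it appears to land in slot 21, following the `"io_uring"`, `"module"`, `"lsm"` run that corresponds to classes 18–20), and nothing in the table enforces that; an entry inserted above it later would silently mislabel audit records for this class. A designated initializer, `[AA_CLASS_NS] = "namespace",`, would pin the index explicitly, though it only pays off if the whole table is converted the same way. The array starts and ends outside this hunk, so any sizing check or the remaining entries are not visible here.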
+1 −0
@@ -33,6 +33,7 @@
#define AA_CLASS_IO_URING	18
#define AA_CLASS_MODULE		19
#define AA_CLASS_DISPLAY_LSM	20
#define AA_CLASS_NS		21

#define AA_CLASS_X		31
#define AA_CLASS_DBUS		32
+1 −0
@@ -103,6 +103,7 @@ enum audit_type {
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"

#define OP_USERNS_CREATE "userns_create"

struct apparmor_audit_data {
	int error;
+6 −0
@@ -96,4 +96,10 @@ int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
		  u32 request);



#define AA_USERNS_CREATE	8

int aa_profile_ns_perm(struct aa_profile *profile,
		       struct apparmor_audit_data *ad, u32 request);

#endif /* __AA_TASK_H */
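Review bot: `AA_USERNS_CREATE` is introduced as a bare `8` with no comment saying which permission space the bit lives in, and the `aa_profile_ns_perm` prototype carries no kernel-doc, so a reader of this header cannot tell whether the bit is matched against an AA_CLASS_NS rule mask or overlaps the ptrace permission bits declared just above it. A one-line comment on the define, `/* AA_CLASS_NS permission: task may create a new user namespace */`, plus a kernel-doc block for the prototype naming @profile, @ad (audit data filled in for the decision) and @request, and stating the return convention, would make the contract explicit; I would expect 0 on allow and a negative errno on denial, matching the surrounding AppArmor permission helpers, but that should be confirmed against the implementation, which is not in this commit's visible sections. The run of three blank lines before the define and the extra blank line before `#endif` is also unusual for a kernel header and worth collapsing to single blank lines.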