From patchwork Wed Oct 25 12:31:30 2023
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 1855045
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 4/4] UBUNTU: SAUCE: apparmor: open userns related sysctl so lxc can check if restrictions are in place
Date: Wed, 25 Oct 2023 05:31:30 -0700
Message-Id: <20231025123130.2751944-5-john.johansen@canonical.com>
In-Reply-To: <20231025123130.2751944-1-john.johansen@canonical.com>
References: <20231025123130.2751944-1-john.johansen@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/2040194
https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restrictions on unprivileged user namespaces are being enforced, so that apparmor restrictions won't break lxc/d, and they won't clutter the logs by doing something like `unshare true` to test if the restrictions are being enforced.

Ideally access to this information would be restricted so that any unknown access would be logged, but lxc/d currently aren't ready for this, so in order to _not_ force lxc/d to probe whether enforcement is enabled, open up read access to the sysctls for unprivileged user namespace mediation.

Signed-off-by: John Johansen
---
 security/apparmor/lsm.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 205cd79fb625..a1ea0321ec38 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2397,6 +2397,17 @@ static int apparmor_dointvec(struct ctl_table *table, int write, return proc_dointvec(table, write, buffer, lenp, ppos); } +static int userns_restrict_dointvec(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) +{ + if (!apparmor_enabled) + return -EINVAL; + if (write && !aa_current_policy_admin_capable(NULL)) + return -EPERM; + + return proc_dointvec(table, write, buffer, lenp, ppos); +} + static struct ctl_table apparmor_sysctl_table[] = { #ifdef CONFIG_USER_NS { @@ -2419,8 +2430,8 @@ static struct ctl_table apparmor_sysctl_table[] = { .procname = "apparmor_restrict_unprivileged_userns", .data = &unprivileged_userns_restricted, .maxlen = sizeof(int), - .mode = 0600, - .proc_handler = apparmor_dointvec, + .mode = 0644, + .proc_handler = userns_restrict_dointvec, }, { .procname = "apparmor_restrict_unprivileged_userns_force", @@ -2441,8 +2452,8 @@ static struct ctl_table apparmor_sysctl_table[] = { .procname = "apparmor_restrict_unprivileged_unconfined", .data = &aa_unprivileged_unconfined_restricted, .maxlen = sizeof(int), - .mode = 0600, - .proc_handler = apparmor_dointvec, + .mode = 0644, + .proc_handler = userns_restrict_dointvec, }, { .procname = "apparmor_restrict_unprivileged_io_uring",
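Review bot: in the first hunk, the read path of userns_restrict_dointvec does no mediation at all, which is the relaxation the commit message says is only temporary ("ideally access to this information would be restricted so that any unknown access would be logged"); add a comment above the function stating that reads are deliberately unmediated for lxc/lxd compatibility so a later tightening does not mistake it for an oversight. Also note that `if (!apparmor_enabled) return -EINVAL;` applies to reads as well, so a reader probing for enforcement gets EINVAL rather than a value of 0 when apparmor is disabled; either document that callers must treat EINVAL as "not enforced" or return the plain value on reads. The write side is fine: it requires aa_current_policy_admin_capable(NULL) on top of the 0644 mode bits, so the wider mode only widens reads.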
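Review bot: the second hunk relaxes apparmor_restrict_unprivileged_userns to 0644, but its trailing context shows apparmor_restrict_unprivileged_userns_force immediately after it, and that entry's mode and handler are left untouched; if lxc/lxd also need to know whether the force variant is enforced, give it the same treatment, and if not, say in the commit message why only the non-force knob is opened.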
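Review bot: the third hunk opens apparmor_restrict_unprivileged_unconfined for reading, yet both the subject ("open userns related sysctl") and the body ("the sysctls for unprivileged user namespace mediation") describe only the userns knobs; update the commit message to list this sysctl and why lxc/lxd need it, and consider a name more general than userns_restrict_dointvec now that the handler serves a non-userns sysctl as well.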