diff mbox series

[mantic] UBUNTU: SAUCE: (no-up) apparmor: disable 1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged change_profile

Message ID 57ecb1e6-b0b5-e2f7-e4de-3e8337784316@canonical.com
State New
Headers show
Series [mantic] UBUNTU: SAUCE: (no-up) apparmor: disable 1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged change_profile | expand

Commit Message

John Johansen Oct. 6, 2023, 6:36 p.m. UTC

Comments

Tim Gardner Oct. 6, 2023, 6:52 p.m. UTC | #1
On 10/6/23 12:36 PM, John Johansen wrote:
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Andrea Righi Oct. 6, 2023, 7:12 p.m. UTC | #2
Applied to mantic/linux with the commit message from Dimitri and
adjusting the subject to:

  UBUNTU: SAUCE: apparmor: Make apparmor_restrict_unprivileged_unconfined opt-in

Thanks,
-Andrea

> From fc2b365fad9b25cf71f0d845132d90f3c1452115 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen@canonical.com>
> Date: Fri, 6 Oct 2023 11:27:11 -0700
> Subject: [PATCH] UBUNTU: SAUCE: (no-up) apparmor: disable 1ea37b26d720 UBUNTU:
>  SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged
>  change_profile
> 
> This patch is not fixes the sauce patch that is not upstream
>   1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged change_profile
> 
> This disables by default the confinement escape mitigation in
>   1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged change_profile
> 
> as it is breaking lxd, and should remained disabled until this can be fixed.
> If a user wants they can be re-enabled by the user by setting
>   sudo bash -c "echo 1 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"
> 
> BugLink: http://bugs.launchpad.net/bugs/2038567
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
>  security/apparmor/policy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index 98425616806b..2e58bc573278 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -91,7 +91,7 @@ int unprivileged_userns_apparmor_policy = 1;
>  int unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
>  int unprivileged_userns_restricted_force;
>  int unprivileged_userns_restricted_complain;
> -int aa_unprivileged_unconfined_restricted = 1;
> +int aa_unprivileged_unconfined_restricted = 0;
>  int aa_unprivileged_uring_restricted;
>  
>  const char *const aa_profile_mode_names[] = {
> -- 
> 2.34.1
> 

> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff mbox series

Patch

From fc2b365fad9b25cf71f0d845132d90f3c1452115 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Fri, 6 Oct 2023 11:27:11 -0700
Subject: [PATCH] UBUNTU: SAUCE: (no-up) apparmor: disable 1ea37b26d720 UBUNTU:
 SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged
 change_profile

This patch is not fixes the sauce patch that is not upstream
  1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged change_profile

This disables by default the confinement escape mitigation in
  1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged change_profile

as it is breaking lxd, and should remained disabled until this can be fixed.
If a user wants they can be re-enabled by the user by setting
  sudo bash -c "echo 1 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"

BugLink: http://bugs.launchpad.net/bugs/2038567
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 98425616806b..2e58bc573278 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -91,7 +91,7 @@  int unprivileged_userns_apparmor_policy = 1;
 int unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
 int unprivileged_userns_restricted_force;
 int unprivileged_userns_restricted_complain;
-int aa_unprivileged_unconfined_restricted = 1;
+int aa_unprivileged_unconfined_restricted = 0;
 int aa_unprivileged_uring_restricted;
 
 const char *const aa_profile_mode_names[] = {
-- 
2.34.1