2023-08-07 05:19:55 |
Alex Murray |
bug |
|
|
added bug |
2023-08-16 06:13:46 |
Alex Murray |
description |
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, the apparmor binary package should provide a file named /usr/lib/sysctl.d/10-apparmor.conf that contains the following contents:
# AppArmor restrictions of unprivileged user namespaces
# Restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor
# or not) will be denied the use of unprivileged user namespaces.
#
# See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# If it is desired to disable this restriction, it is preferable to
# set this via the associated /etc/sysctl.d/20-apparmor.conf file
kernel.apparmor_restrict_unprivileged_userns = 1
Similarly, the apparmor binary package should also ship a ‘disablement’ file /etc/sysctl.d/20-apparmor.conf which contains just the comment explaining what this feature is and why it is enabled by default, along with a commented out line that disables the feature:
# AppArmor restrictions of unprivileged user namespaces
# Restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor
# or not) will be denied the use of unprivileged user namespaces.
#
# See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# This is enabled by default in /usr/lib/sysctl.d/10-apparmor.conf
# to disable simply uncomment the following line:
#kernel.apparmor_restrict_unprivileged_userns = 0
This (commented-out) setting will then be applied after the file /usr/lib/sysctl.d/10-apparmor.conf (as sysctl sorts files in lexicographical order) and hence an uncommented value in this file will take precedence over the default, allowing it to be disabled and retained across package upgrades as a conffile (https://manpages.debian.org/testing/dpkg-dev/deb-conffiles.5.en.html) |
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, the apparmor binary package should provide a file named /usr/lib/sysctl.d/10-apparmor.conf that contains the following contents:
# AppArmor restrictions of unprivileged user namespaces
# Restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor
# or not) will be denied the use of unprivileged user namespaces.
#
# See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# If it is desired to disable this restriction, it is preferable to
# create an additional file named /etc/sysctl.d/20-apparmor.conf
# which will override this current file and sets this value to 0
# rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 1 |
|
2023-08-16 06:56:36 |
Alex Murray |
summary |
Enable userns restrictions via sysctl.d files |
Add infrastructure to support enabling userns restrictions via sysctl.d files |
|
2023-08-16 06:58:03 |
Alex Murray |
description |
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, the apparmor binary package should provide a file named /usr/lib/sysctl.d/10-apparmor.conf that contains the following contents:
# AppArmor restrictions of unprivileged user namespaces
# Restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor
# or not) will be denied the use of unprivileged user namespaces.
#
# See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# If it is desired to disable this restriction, it is preferable to
# create an additional file named /etc/sysctl.d/20-apparmor.conf
# which will override this current file and sets this value to 0
# rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 1 |
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, the apparmor binary package should provide a file named /usr/lib/sysctl.d/10-apparmor.conf that contains the following contents:
# AppArmor restrictions of unprivileged user namespaces
# Restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor
# or not) will be denied the use of unprivileged user namespaces.
#
# See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# If it is desired to disable this restriction, it is preferable to
# create an additional file named /etc/sysctl.d/20-apparmor.conf
# which will override this current file and sets this value to 0
# rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 1
However, this would then cause existing applications which use unprivileged user namespaces in Ubuntu to fail - as such, this file will set the sysctl to 0 for now and will be updated in a future upload to enable it, along with a set of
apparmor profiles for the various applications in the Ubuntu archive which require the use of unprivileged user namespaces. |
|
2023-08-16 06:58:34 |
Alex Murray |
summary |
Add infrastructure to support enabling userns restrictions via sysctl.d files |
Add infrastructure to support enabling userns restrictions via sysctl.d file |
|
2023-08-16 07:01:02 |
Alex Murray |
description |
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, the apparmor binary package should provide a file named /usr/lib/sysctl.d/10-apparmor.conf that contains the following contents:
# AppArmor restrictions of unprivileged user namespaces
# Restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor
# or not) will be denied the use of unprivileged user namespaces.
#
# See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# If it is desired to disable this restriction, it is preferable to
# create an additional file named /etc/sysctl.d/20-apparmor.conf
# which will override this current file and sets this value to 0
# rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 1
However, this would then cause existing applications which use unprivileged user namespaces in Ubuntu to fail - as such, this file will set the sysctl to 0 for now and will be updated in a future upload to enable it, along with a set of
apparmor profiles for the various applications in the Ubuntu archive which require the use of unprivileged user namespaces. |
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, the apparmor binary package should provide a file named /usr/lib/sysctl.d/10-apparmor.conf that contains the following contents:
# AppArmor restrictions of unprivileged user namespaces
# Restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor
# or not) will be denied the use of unprivileged user namespaces.
#
# See https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# If it is desired to disable this restriction, it is preferable to
# create an additional file named /etc/sysctl.d/20-apparmor.conf
# which will override this current file and sets this value to 0
# rather than editing this current file
# THIS IS CURRENTLY DISABLED BUT WILL BE ENABLED IN A FUTURE UPLOAD
# AS DETAILED ABOVE
kernel.apparmor_restrict_unprivileged_userns = 0
If we enable this currently it would then cause existing applications which use unprivileged user namespaces in Ubuntu to fail - as such, this file will set the sysctl to 0 for now and will be updated in a future upload to enable it, along with a set of apparmor profiles for the various applications in the Ubuntu archive which require the use of unprivileged user namespaces. |
|
2023-08-18 10:00:17 |
Alex Murray |
apparmor (Ubuntu): status |
New |
In Progress |
|
2023-08-30 09:08:05 |
Launchpad Janitor |
apparmor (Ubuntu): status |
In Progress |
Fix Released |
|
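The override mechanism the descriptions above rely on (files processed in lexicographic order of name, last assignment wins) can be checked with a small resolver. This is an added example, not part of the bug report or the apparmor package; the function names `effective_sysctl` and `make_sample` are hypothetical, and the sample tree is constructed to mirror the two files described in the report.

```shell
#!/bin/sh
# effective_sysctl KEY DIR...   (DIRs listed highest priority first)
# Prints "<value> <file>" for the assignment of KEY that wins under the
# sysctl.d rules: a file name present in several directories is read only
# from the highest-priority one, files are then processed in lexicographic
# order of their names, and the last assignment of KEY wins.
effective_sysctl() {
    key=$1; shift
    tab=$(printf '\t')
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done | awk -F'\t' '!seen[$1]++' | LC_ALL=C sort -t "$tab" -k1,1 |
    while IFS="$tab" read -r _name path; do
        # Skip blank lines and comments (# or ;), split on the first "=".
        awk -v key="$key" -v path="$path" '
            /^[ \t]*([#;]|$)/ { next }
            {
                eq = index($0, "="); if (!eq) next
                k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
                gsub(/^[ \t-]+|[ \t]+$/, "", k)   # "-" prefix = ignore errors
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) print v, path
            }' "$path"
    done | tail -n 1
}

# Constructed sample tree: packaged default plus the commented-out override.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    printf '%s\n' '# packaged default' \
        'kernel.apparmor_restrict_unprivileged_userns = 1' \
        > "$root/usr/lib/sysctl.d/10-apparmor.conf"
    printf '%s\n' '# local override, commented out as shipped' \
        '#kernel.apparmor_restrict_unprivileged_userns = 0' \
        > "$root/etc/sysctl.d/20-apparmor.conf"
    echo "$root"
}

sample=$(make_sample)
effective_sysctl kernel.apparmor_restrict_unprivileged_userns \
    "$sample/etc/sysctl.d" "$sample/usr/lib/sysctl.d"
rm -rf "$sample"
```

On a live system, pass `/etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d` and compare the result with `sysctl -n kernel.apparmor_restrict_unprivileged_userns` to spot a value that was changed at runtime rather than through configuration.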