[apparmor] Restricted userns
John Johansen
john.johansen at canonical.com
Thu Oct 31 14:54:04 UTC 2024
On 10/31/24 06:59, valoq wrote:
> Ubuntu added a patch last year to allow user namespaces only for processes
> confined by apparmor and allegedly the kernel patch for this feature made
> it into the upstream kernel as well, but there seems to be no documentation
> available about it. Additionally, apparmor now includes default profiles
> with the userns permission making use of this feature, but there is no
> documentation about the requirements of this feature.
>
As implemented in Ubuntu, there are three parts.
1. for an application to use user namespaces the application must be confined
by a profile, that explicitly allows the use of user namespaces.
2. when enabled, unconfined is not allowed to use unprivileged user namespaces.
3. apparmor enables a policy var via sysctl on boot. It was done this way for
two reasons.
a. So that new kernels could be taken back to old releases and not break
them with the feature being turned on by default in the kernel.
b. So that the feature could be turned on, on older releases without
having to have an updated apparmor userspace to enable the feature
in policy.
> How can this feature actually be used on other linux distributions and
> vanilla linux kernels? It seems like
> kernel.apparmor_restrict_unprivileged_userns is not available outside of
> ubuntu and most similar flags appear undocumented as well.
> Is support for restricted userns actually available outside of ubuntu?
>
Currently it is not.
The ability to mediate userns creation in profiles landed in 6.7.
The 2nd and 3rd parts have not landed upstream yet. This is largely because
the Ubuntu patches hard code the behavior where for upstream we want the
behavior to be properly part of policy.
There is a patch to extend the current mediation that is a requirement
for parts 2/3 that I will try to post out this week. The other parts
I still need to evaluate. But I don't think landing full support
is possible for 6.13. So I am currently planning to try and land full
support in 6.14.
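As an added illustration of parts 1 and 3 above (not part of the original mail, and not a profile shipped by Ubuntu), here is what a profile that grants user namespace creation looks like under AppArmor 4.0 policy, alongside the sysctl the thread refers to. The program path /usr/bin/example-app is a placeholder.

```apparmor
# Added example, not from the mail: allow one program to create user namespaces.
# Assumes AppArmor 4.0 userspace and a 6.7+ kernel with userns mediation.
# /usr/bin/example-app is a placeholder path, not a real Ubuntu profile.
abi <abi/4.0>,
include <tunables/global>

# flags=(unconfined) leaves the program otherwise unrestricted; the profile
# exists only so that a userns rule can be attached to it (part 1).
profile example-app /usr/bin/example-app flags=(unconfined) {
  userns,
}

# Part 3 is set from userspace on Ubuntu, not in this file:
#   sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
# With the sysctl at 1, unconfined processes (part 2) are denied unprivileged
# user namespace creation, while the program confined by this profile is
# still allowed.
```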