ACK: [PATCH] UBUNTU: SAUCE: apparmor: Make apparmor_restrict_unprivileged_unconfined opt-in
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Fri Oct 6 18:49:53 UTC 2023
From: John Johansen <john.johansen at canonical.com>
BugLink: http://bugs.launchpad.net/bugs/2038567
Existing applications with apparmor confinement have been discovered to
behave incorrectly with the newly added
apparmor_restrict_unprivileged_unconfined feature when enabled by
default with an opt-out. Make this feature opt-in, to unbreak existing
stable production software, most notably LXD.
This security feature can be enabled with:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
Signed-off-by: John Johansen <john.johansen at canonical.com>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
Apply on top of Ubuntu-6.5.0-7.7 release for Mantic GA
security/apparmor/policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 9842561680..2e58bc5732 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -91,7 +91,7 @@ int unprivileged_userns_apparmor_policy = 1;
int unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
int unprivileged_userns_restricted_force;
int unprivileged_userns_restricted_complain;
-int aa_unprivileged_unconfined_restricted = 1;
+int aa_unprivileged_unconfined_restricted = 0;
int aa_unprivileged_uring_restricted;
const char *const aa_profile_mode_names[] = {
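Review bot: the default becomes a hard-coded 0 on the `aa_unprivileged_unconfined_restricted` line, while the sibling `unprivileged_userns_restricted` two lines above takes its default from `IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS)`; consider giving this knob the same Kconfig-driven default so a distribution can ship the restriction enabled without carrying a one-line source change. Because the restriction is now inactive unless an administrator sets `kernel.apparmor_restrict_unprivileged_unconfined=1`, the sysctl documentation and any Kconfig help text that states the default should be updated in the same patch so the opt-in state is discoverable.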
--
2.34.1