ACK: ACK: [PATCH] UBUNTU: SAUCE: apparmor: Make apparmor_restrict_unprivileged_unconfined opt-in
Andrea Righi
andrea.righi at canonical.com
Fri Oct 6 18:53:25 UTC 2023
On Fri, Oct 06, 2023 at 07:49:53PM +0100, Dimitri John Ledkov wrote:
> From: John Johansen <john.johansen at canonical.com>
>
> BugLink: http://bugs.launchpad.net/bugs/2038567
>
> Existing applications with apparmor confinement have been discovered to
> behave incorrectly with the newly added
> apparmor_restrict_unprivileged_unconfined feature when enabled by
> default with an opt-out. Make this feature opt-in, to unbreak existing
> stable production software, most notably LXD.
>
> This security feature can be enabled with:
>
> sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
The subject of this ack is a bit confusing, but the commit message seems
more clear in this version, therefore with this commit message:
Acked-by: Andrea Righi <andrea.righi at canonical.com>
> ---
>
> Apply on top of Ubuntu-6.5.0-7.7 release for Mantic GA
>
> security/apparmor/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index 9842561680..2e58bc5732 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -91,7 +91,7 @@ int unprivileged_userns_apparmor_policy = 1;
> int unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
> int unprivileged_userns_restricted_force;
> int unprivileged_userns_restricted_complain;
> -int aa_unprivileged_unconfined_restricted = 1;
> +int aa_unprivileged_unconfined_restricted = 0;
> int aa_unprivileged_uring_restricted;
>
> const char *const aa_profile_mode_names[] = {
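Review bot: The new default on the aa_unprivileged_unconfined_restricted line is a hardcoded 0 with no comment, whereas unprivileged_userns_restricted in the same hunk takes its default from IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS). Consider adding a short comment at the declaration saying the restriction is opt-in and is turned on through the kernel.apparmor_restrict_unprivileged_unconfined sysctl named in the commit message, or deriving the default from a Kconfig option in the same way, so that a build wanting the restriction on by default does not have to carry a source change.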
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team