mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/profiles/apparmor.d/unprivileged_userns

28 lines
699 B
Text
Raw Normal View History

add special unprivileged_userns profile Unprivileged user namespace creation is allowed an will result in a transition into the unprivileged_userns profile. The unprivileged_userns profile with then deny all capabilities within the profile. Execution of applications is allowed within the unprivileged_userns profile but, they will result in a stack with the unprivileged_userns profile, that is to say the unprivileged_userns profile can not be dropped (capabilities can not be gained). If the unprivileged_userns profile does not exist, unprivileged user namespace creation is denied as before. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-02-02 10:52:26 -03:00
# Special profile transitioned to by unconfined when creating an unprivileged
# user namespace.
#
abi <abi/4.0>,
include <tunables/global>
profile unprivileged_userns {
audit deny capability,
audit deny change_profile,
# allow block to be replaced by allow when x dominance test is fixed
#allow all,
allow network,
allow signal,
allow dbus,
allow file rwlkm /**,
allow unix,
allow mqueue,
allow ptrace,
allow userns,
# stack children to strip capabilities
allow pix /** -> &unprivileged_userns ,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/unprivileged_userns>
}
Reference in a new issue Copy permalink