tests: handle unprivileged_userns transition in userns tests

There is a kernel feature, available under
namespaces/userns_create/pciu&, that enables the transition of
unconfined tasks to a special profile called unprivileged_userns when
they try to create an unprivileged user namespace with
clone/unshare. This transition allows the creation of the unprivileged
user namespace but hinders its privileges by not allowing
capabilities. Refer to the unprivileged_userns profile to check what
rules are allowed.

If either the feature is not present in the kernel, or the
unprivileged_userns profile is not loaded, then the defined behavior
is to deny the creation of the unprivileged user namespace.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Georgia Garcia 2024-02-05 14:28:14 -03:00
parent 668f5af436
commit 4621af8ead


@ -79,7 +79,7 @@ do_test()
runchecktest "$desc setns - user" $expect_setns_user -s $userns_setns_bin -p $pipe # setns
}
if [ $unprivileged_userns_clone -eq 0 ]; then
if [ -e $unprivileged_userns_clone_path ] && [ $unprivileged_userns_clone -eq 0 ]; then
echo "WARN: unprivileged_userns_clone is enabled. Both confined and unconfined unprivileged user namespaces are not allowed"
detail="unprivileged_userns_clone disabled"
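Review bot: the added `[ -e $unprivileged_userns_clone_path ]` guard correctly avoids evaluating `-eq 0` against an empty variable when the sysctl file is absent, but the branch it guards still prints `WARN: unprivileged_userns_clone is enabled` while both the condition (`-eq 0`) and the following `detail="unprivileged_userns_clone disabled"` describe the disabled state; the warning text should say "disabled" so the test output does not contradict the recorded detail string.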
@ -132,9 +132,19 @@ run_confined_tests "$detail"
# enable restrictions on unprivileged user namespaces
echo 1 > $apparmor_restrict_unprivileged_userns_path
user_testresult=fail
# check if kernel supports the transition of unconfined to
# unprivileged_userns on unprivileged unshare/clone.
# the unprivileged_userns profile also needs to be loaded
if [ "$(kernel_features namespaces/userns_create/pciu&)" == "true" ] && \
grep -q unprivileged_userns /sys/kernel/security/apparmor/profiles; then
user_testresult=pass
fi
detail="apparmor_restrict_unprivileged_userns enabled"
# user cannot create user namespace unless cap_sys_admin
do_test "unconfined $detail" pass fail pass pass
# exceptions described above
do_test "unconfined $detail" pass $user_testresult pass pass
# it should work when running as user with cap_sys_admin
setcap cap_sys_admin+pie $bin/userns
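Review bot: the profile-loaded check `grep -q unprivileged_userns /sys/kernel/security/apparmor/profiles` is an unanchored substring match, so any loaded profile whose name merely contains `unprivileged_userns` would flip `user_testresult` to `pass` and make the unconfined test expect success when the real transition target is not loaded; anchor it to the exact profile name (the profiles file lists one `name (mode)` entry per line), e.g. `grep -q '^unprivileged_userns ' /sys/kernel/security/apparmor/profiles`. It would also help to keep the old comment `# user cannot create user namespace unless cap_sys_admin` next to the new `do_test` call so a reader of the test knows which behaviour the `$user_testresult` exception modifies, rather than relying on "exceptions described above".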