mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
789cda2f08
Unprivileged user namespace creation is allowed an will result in a transition into the unprivileged_userns profile. The unprivileged_userns profile with then deny all capabilities within the profile. Execution of applications is allowed within the unprivileged_userns profile but, they will result in a stack with the unprivileged_userns profile, that is to say the unprivileged_userns profile can not be dropped (capabilities can not be gained). If the unprivileged_userns profile does not exist, unprivileged user namespace creation is denied as before. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
27 lines
699 B
Text
27 lines
699 B
Text
# Special profile transitioned to by unconfined when creating an unprivileged
|
|
# user namespace.
|
|
#
|
|
abi <abi/4.0>,
|
|
include <tunables/global>
|
|
|
|
profile unprivileged_userns {
|
|
audit deny capability,
|
|
audit deny change_profile,
|
|
|
|
# allow block to be replaced by allow when x dominance test is fixed
|
|
#allow all,
|
|
allow network,
|
|
allow signal,
|
|
allow dbus,
|
|
allow file rwlkm /**,
|
|
allow unix,
|
|
allow mqueue,
|
|
allow ptrace,
|
|
allow userns,
|
|
|
|
# stack children to strip capabilities
|
|
allow pix /** -> &unprivileged_userns ,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/unprivileged_userns>
|
|
}
|