Mirror of https://gitlab.com/apparmor/apparmor.git (synced 2025-03-04 08:24:42 +01:00)
The unshare-userns-restrict profile contained a cx transition to transition to a profile that allows most things while denying capabilities:

    audit allow cx /** -> unpriv,

However, this transition does not stack the unshare//unpriv profile against any other profile the target binary might have had. As a result, the lack of stacking resulted in a non-namespace-related sandboxing bypass in which attachments of other profiles that should have confined the target binary do not get applied. Instead, we adopt a stack similar to the one in bwrap-userns-restrict, with the exception that unshare does not use no-new-privs and therefore only needs a two-layer stack instead of a three-layer stack.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1533
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>

| Name |
|---|
| .. |
| apparmor/profiles/extras |
| apparmor.d |
| Makefile |