mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update unprivileged_userns_restriction 

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2023-12-14 10:49:23 -08:00
parent f9f5206410
commit 5437e1a22e
1 changed files with 11 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
unprivileged_userns_restriction.md

@ -239,12 +239,9 @@ Upstream Userspace
Policy ABI
userns mediation
unprivileged unconfined
special unconfined
unconfined flag
default_allow flag
Kconfig
sysctl
@ -253,14 +250,22 @@ sysctl
| Feature | Upstream AppArmor | Upstream Kernel | Ubuntu 22.04 | Ubuntu 22.10 | Ubuntu 23.04 | Ubuntu 23.10 | Ubuntu 24.04 |
|:---: |:---: |:---: |:---: |:---: |:---: |:---: |:---: |
| unconfined flag | 3.0 | 3.12 | Jammy<br>3.0.4| | Kinetic<br>3.0.?? | Lunar<br>3.0.8 | Mantic<br>4.0.0-alpha2 | Noble<br>4.0.0 |
| default_allow flag 4.0 | ?? support delegation ??? | no | no | no | | no | no | ??? |
| change_profile restriction | | | | | | | mantic<br>6.5 | noble<br>?6.7? |
| unconfined flag | 3.0 | 3.12 | Jammy<br>3.0.4| - | Kinetic<br>3.0.?? | Lunar<br>3.0.8 | Mantic<br>4.0.0-alpha2 | Noble<br>4.0.0 |
| default_allow flag | 4.0 | - | - | - | - | - | - | - |
| default_allow fallback to unconfined | 4.0 | 3.12 | Jammy<br>3.0.4| - | Kinetic | Lunar | Mantic | Noble |
| default_allow delegation | ?? | no | no | no | | no | no | ??? |
| change_profile restriction | - | 6.7 | no | no | no | no | mantic 6.5 | noble ?6.7? |
| io_uring restriction | | | | | | | | |
| mount restriction | | | | | | | | |
| link restriction | | | | | | | | |
| userns mediation | 4.0 | 6.7 | no | kernel 5.19<br>userspace ?? | kernel 6.2<br>userspace ?? | kernel 6.5<br>userspace ?? | kernel ?6.7?<br>userspace 4.0|
| unprivileged unconfined restriction | - | no | no | no | kernel 6.2 | kernel 6.5 | kernel ?6.7? |
| specialize unconfined profile | - | no | no | no | no | kernel 6.5<br>userspace 4.0.0~alpha2 | kernel ?6.7?<br>userspace 4.0|
| sysctl<br> kernel.apparmor_restrict_unprivileged_userns | - | no | | yes - 5.19| yes - 6.2 | yes - 6.5 | yes - ?6.7? |
| sysctl<br>kernel.apparmor_restrict_unprivileged_userns_force | - | no | | no | yes - 6.2 | yes - 6.5 | yes - ?6.7? |
| sysctl<br>kernel.apparmor_restrict_unprivileged_userns_complain | - | no | | no | yes - 6.2 | yes - 6.5 | yes - ?6.7? |
| /usr/lib/sysctl.d/10-apparmor.conf | no | - | | no | no | 4.0.0~alpha2-0ubuntu5: disabled | 4.0.0~alpha2-0ubuntu7: enabled |
| replace unconfined | ?? | no | no | no | no | no | kernel ?6.7? |