mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update unprivileged_userns_restriction

John Johansen 2022-10-19 23:30:26 +00:00
parent b5e176e4ce
commit 566dbd4861
1 changed files with 18 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
unprivileged_userns_restriction.md

@ -1,15 +1,31 @@
# Introduction # Introduction
unconfined processes with capability MAC_OVERRIDE will
# Introspection of kernel # Introspection of kernel
## proc
## apparmor
userns_create
# Audit message # Audit message
# sysctl # controlling unprivileged user namespace restrivtions via sysctl
apparmor_restrict_unprivileged_userns
## Setting at runtime ## Setting at runtime
## Kernel Build kconfig option
## ##
# policy # policy
# Kernel Build kconfig option
The Kconfig option```SECURITY_APPARMOR_RESTRICT_USERNS``` allows setting the default value sysctl. If ```N``` apparmor's unprivileged user namespace restrictions will be disabled by default. If ```Y``` apparmor's unprivileged user namespace restrictions will be enabled by default. Setting the sysctl at runtime will override the default Kconfig value.