Update unprivileged_userns_restriction

unprivileged_userns_restriction.md

@@ -6,7 +6,7 @@ unprivileged_userns_clone
 
 cat /proc/sys/kernel/unprivileged_userns_clone
 
-sudo sysctl -w kernel.unprivileged_userns_clone=0
+
 
 
 # Discovering if your kernel supports restrictions on unprivileged user namespaces
@@ -40,6 +40,27 @@ apparmor_restrict_unprivileged_userns
 # policy
 
 
-# Kernel Build kconfig option
+# Disabling unprivileged user namespaces at run time
 
-The Kconfig option```SECURITY_APPARMOR_RESTRICT_USERNS``` allows setting the default value sysctl. If ```N``` apparmor's unprivileged user namespace restrictions will be disabled by default. If ```Y``` apparmor's unprivileged user namespace restrictions will be enabled by default. Setting the sysctl at runtime will override the default Kconfig value.
+Several distro kernels (but not all) have the ability to disable unprivileged user namespaces for the entire system via the ```unprivileged_userns_clone``` sysctl. If a kernel has this ability the file ```/proc/sys/kernel/unprivileged_userns_clone``` will be present. The current state of whether unprivileged user namespaces are allowed can be found by doing
+
+```
+   $ cat /proc/sys/kernel/unprivileged_userns_clone
+```
+
+Where a value of ```0``` means disabled and a value of ```1``` means enabled.
+
+
+Unprivileged user namespaces can be disabled by using the command
+
+```
+    sudo sysctl -w kernel.unprivileged_userns_clone=0
+```
+
+
+# Kernel Build kconfig options
+
+User namespaces can be configured via the ```CONFIG_USER_NS``` config symbol.
+
+
+If user namespaces are enabled then the config symbol ```SECURITY_APPARMOR_RESTRICT_USERNS``` allows controlling if AppArmor enforces restrictions on unprivileged user namespaces by default. If ```N``` apparmor's unprivileged user namespace restrictions will be disabled by default, where```Y```will enable restrictions by default. The default value can be overriden by setting sysctl at runtime.