Update unprivileged_userns_restriction

John Johansen 2023-07-12 23:55:40 +00:00
parent 787b966c7c
commit b7fd5d6191

@ -116,6 +116,15 @@ Confined processes whether privileged or unprivileged are by default also not al
allow userns create,
```
# unconfined and user namespace mediation
The default unconfined profile uses the rule
```
allow userns sys_admin=true sysctl_apparmor_restrict_unprivileged_userns=true create,
```
The behavior can change if unconfined is replaced.
## Special unconfined profiles and user namespace mediation
Profiles that are tagged as unconfined have their permissions determined entirely by the profile. That is they are not controlled by the ```sysctl apparmor_restrict_unprivileged_userns``` nor do they have the exception for privileged tasks.
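Review bot: The rule under "# unconfined and user namespace mediation" is shown without saying how its two conditions, sys_admin=true and sysctl_apparmor_restrict_unprivileged_userns=true, combine or what each is evaluated against, so a reader cannot tell from this text when an unconfined task may create a user namespace. Add a sentence stating the resulting behavior for privileged and unprivileged tasks with the sysctl enabled and disabled. "The behavior can change if unconfined is replaced." should say what unconfined is replaced with and how the behavior changes, since the following section only covers profiles tagged as unconfined. Two style points: that heading is level one and lowercase while "## Special unconfined profiles and user namespace mediation" is level two and capitalized, and the sysctl is written as sysctl_apparmor_restrict_unprivileged_userns in the rule but as "sysctl apparmor_restrict_unprivileged_userns" inside triple backticks in the last line; use one spelling and single-backtick inline code.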