Similar to the unprivileged unconfined user namespace restrictions, unprivileged unconfined has been restricted in other ways. These restrictions help protect the system and ensure that policy is enforced as designed.
The set of restrictions applied to unprivileged unconfined will evolve over time. The intent is to eventually make the set of restrictions customizable by making it possible to replace the unconfined profile. Until then, the default unconfined profile provides a base set of restrictions that can be disabled with a kernel boot parameter and/or a sysctl.
Checking the current state of restricted unprivileged unconfined restrictions
The /proc file used to determine whether AppArmor restrictions on unprivileged unconfined applications are available also reports the current status of the restriction.
$ sudo cat /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
0
If the returned value is 0, restrictions on unprivileged unconfined applications are disabled; if the value is 1, the restriction is enabled. If the file does not exist, the running kernel does not support this restriction.
Controlling unprivileged unconfined restrictions via sysctl
Restrictions on unprivileged unconfined applications can be controlled using the sysctl command. Changes made with the sysctl command do not persist across reboots. For a change to persist, the sysctl must be added to /etc/sysctl.conf or to a .conf file in /etc/sysctl.d/.
AppArmor offers one sysctl for controlling the unprivileged unconfined restriction behavior.
- kernel.apparmor_restrict_unprivileged_unconfined
This sysctl enables or disables all AppArmor mediation/restrictions of unprivileged unconfined restricted operations. When it is set to 0, any finer-grained restriction sysctls are ignored and the corresponding rules in policy are ignored.
To disable
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
To enable
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
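The following shell snippet is an added example (it is not part of the AppArmor documentation or the AppArmor project) that wraps the check and the sysctl procedure above: it reports the restriction state from the /proc file, distinguishing "unavailable" (kernel without the feature) from "disabled", and writes a sysctl.d drop-in so the setting persists across reboots. The file name 60-apparmor-unconfined.conf and the RESTRICT_PROC variable are assumptions chosen for this example; the function parameters exist so the logic can be exercised against a temporary file without root.

```shell
#!/bin/sh
# Added example, not from the AppArmor docs. Paths are parameters so the
# functions can be tested without root or an AppArmor-enabled kernel.
RESTRICT_PROC="${RESTRICT_PROC:-/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined}"

# Print "enabled", "disabled" or "unavailable" for the unprivileged
# unconfined restriction and return 0, 1 or 2 respectively.
unconfined_restriction_state() {
    f="${1:-$RESTRICT_PROC}"
    if [ ! -r "$f" ]; then
        # Missing file: the running kernel lacks the restriction entirely,
        # which is a different situation from it being switched off.
        echo unavailable
        return 2
    fi
    case "$(cat "$f")" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unavailable; return 2 ;;
    esac
}

# Write the persistent setting to a sysctl.d drop-in (assumed file name).
# Only 0 or 1 are accepted; anything else is rejected before touching the file.
persist_unconfined_restriction() {
    value="$1"
    conf="${2:-/etc/sysctl.d/60-apparmor-unconfined.conf}"
    case "$value" in
        0|1) ;;
        *) echo "value must be 0 or 1, got '$value'" >&2; return 1 ;;
    esac
    printf 'kernel.apparmor_restrict_unprivileged_unconfined = %s\n' "$value" > "$conf"
}

# Apply the setting immediately (needs root) and then persist it.
set_unconfined_restriction() {
    sudo sysctl -w "kernel.apparmor_restrict_unprivileged_unconfined=$1" \
        && persist_unconfined_restriction "$1"
}

# When run directly, just report the current state of this host.
unconfined_restriction_state || true
```

Usage: source the file and run `set_unconfined_restriction 1` to enable the restriction now and on subsequent boots, or `unconfined_restriction_state` to audit a host; a return code of 2 means the kernel does not offer the restriction at all, which is worth flagging separately when auditing a fleet.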
Restricted operations
change_profile
An unprivileged unconfined task could use change_profile to enter any profile and thereby avoid the tighter restrictions intended by system policy. To prevent this, the behavior of change_profile for unprivileged unconfined has changed.
The unprivileged unconfined task is still allowed to use change_profile, but instead of transitioning to the specified profile it stacks the specified profile with unconfined. The transition to the new profile is allowed as before, but the system restrictions are retained by the stacked unconfined profile.
Any subsequent profile transitions are applied to both the target profile and unconfined, resulting in proper system confinement.
Before the restriction
unconfined -> target_profile
With the restriction in place
unconfined -> target_profile//&unconfined
Privileged unconfined
Tasks that are unconfined and have the CAP_MAC_OVERRIDE capability will continue to work the way they did previously. That is
unconfined -> target_profile
io_uring
io_uring is a relatively new kernel subsystem designed for high performance. Being new, it has unfortunately bypassed several traditional permission checks and is also a prime candidate for finding bugs when trying to compromise the kernel.
To help mitigate these issues, io_uring is, at least for the time being, restricted for unprivileged unconfined applications.