Message ID | 20231006184953.3820464-1-dimitri.ledkov@canonical.com |
---|---|
State | New |
Series | ACK: [PATCH] UBUNTU: SAUCE: apparmor: Make apparmor_restrict_unprivileged_unconfined opt-in |
On Fri, Oct 06, 2023 at 07:49:53PM +0100, Dimitri John Ledkov wrote:
> From: John Johansen <john.johansen@canonical.com>
>
> BugLink: http://bugs.launchpad.net/bugs/2038567
>
> Existing applications with apparmor confinement have been discovered to
> behave incorrectly with the newly added
> apparmor_restrict_unprivileged_unconfined feature when enabled by
> default with an opt-out. Make this feature opt-in, to unbreak existing
> stable production software, most notably LXD.
>
> This security feature can be enabled with:
>
> sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

The subject of this ack is a bit confusing, but the commit message seems
more clear in this version, therefore with this commit message:

Acked-by: Andrea Righi <andrea.righi@canonical.com>

> ---
>
> Apply on top of Ubuntu-6.5.0-7.7 release for Mantic GA
>
> security/apparmor/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index 9842561680..2e58bc5732 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -91,7 +91,7 @@ int unprivileged_userns_apparmor_policy = 1;
> int unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
> int unprivileged_userns_restricted_force;
> int unprivileged_userns_restricted_complain;
> -int aa_unprivileged_unconfined_restricted = 1;
> +int aa_unprivileged_unconfined_restricted = 0;
> int aa_unprivileged_uring_restricted;
>
> const char *const aa_profile_mode_names[] = {
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
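Review bot: the hunk only flips the compiled-in default of `aa_unprivileged_unconfined_restricted` from `= 1` to `= 0`; the sysctl `kernel.apparmor_restrict_unprivileged_unconfined` that the commit message names as the opt-in path is not touched here, so please confirm that the sysctl table entry still exposes this variable as writable, otherwise the restriction becomes unreachable rather than opt-in. With the default now off, a short comment above the declaration recording that the restriction is deliberately opt-in (pointing at the BugLink and the LXD breakage) would keep the next reader of policy.c from "fixing" it back to `1`, and the same default change should be reflected in any Kconfig help or admin documentation that still describes the restriction as on by default.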