
ACK: [PATCH] UBUNTU: SAUCE: apparmor: Make apparmor_restrict_unprivileged_unconfined opt-in

Message ID 20231006184953.3820464-1-dimitri.ledkov@canonical.com
State New

Commit Message

Dimitri John Ledkov Oct. 6, 2023, 6:49 p.m. UTC
From: John Johansen <john.johansen@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/2038567

Existing applications with apparmor confinement have been discovered to
behave incorrectly with the newly added
apparmor_restrict_unprivileged_unconfined feature when enabled by
default with an opt-out. Make this feature opt-in, to unbreak existing
stable production software, most notably LXD.

This security feature can be enabled with:

     sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---

 Apply on top of Ubuntu-6.5.0-7.7 release for Mantic GA

 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Andrea Righi Oct. 6, 2023, 6:53 p.m. UTC | #1
On Fri, Oct 06, 2023 at 07:49:53PM +0100, Dimitri John Ledkov wrote:
> From: John Johansen <john.johansen@canonical.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/2038567
> 
> Existing applications with apparmor confinement have been discovered to
> behave incorrectly with the newly added
> apparmor_restrict_unprivileged_unconfined feature when enabled by
> default with an opt-out. Make this feature opt-in, to unbreak existing
> stable production software, most notably LXD.
> 
> This security feature can be enabled with:
> 
>      sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
> 
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

The subject of this ack is a bit confusing, but the commit message seems
more clear in this version, therefore with this commit message:

Acked-by: Andrea Righi <andrea.righi@canonical.com>

> ---
> 
>  Apply on top of Ubuntu-6.5.0-7.7 release for Mantic GA
> 
>  security/apparmor/policy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index 9842561680..2e58bc5732 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -91,7 +91,7 @@ int unprivileged_userns_apparmor_policy = 1;
>  int unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
>  int unprivileged_userns_restricted_force;
>  int unprivileged_userns_restricted_complain;
> -int aa_unprivileged_unconfined_restricted = 1;
> +int aa_unprivileged_unconfined_restricted = 0;
>  int aa_unprivileged_uring_restricted;
>  
>  const char *const aa_profile_mode_names[] = {
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 9842561680..2e58bc5732 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -91,7 +91,7 @@  int unprivileged_userns_apparmor_policy = 1;
 int unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
 int unprivileged_userns_restricted_force;
 int unprivileged_userns_restricted_complain;
-int aa_unprivileged_unconfined_restricted = 1;
+int aa_unprivileged_unconfined_restricted = 0;
 int aa_unprivileged_uring_restricted;
 
 const char *const aa_profile_mode_names[] = {
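Review bot: the initializer for `aa_unprivileged_unconfined_restricted` becomes a hard-coded 0, while `unprivileged_userns_restricted` two lines above derives its default from `IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS)`; consider the same pattern, a Kconfig symbol feeding the initializer, so a hardened build can keep the restriction on by default instead of every system depending on the `kernel.apparmor_restrict_unprivileged_unconfined=1` sysctl named in the commit message. The diffstat shows only security/apparmor/policy.c changing, so the behaviour change is documented nowhere but the commit message; administrators who relied on the previous default silently lose the restriction after upgrading, and the BugLink or release notes should state the new opt-in requirement and the sysctl to re-enable it.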