diff mbox series

[4/4] UBUNTU: SAUCE: apparmor: open userns related sysctl so lxc can check if restriction are in place

Message ID 20231025123130.2751944-5-john.johansen@canonical.com
State New
Headers show
Series [1/4] UBUNTU: SAUCE: apparmor: fix oops when racing to retrieve notification | expand

Commit Message

John Johansen Oct. 25, 2023, 12:31 p.m. UTC 
BugLink: http://bugs.launchpad.net/bugs/2040194
https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restriction
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like

  unshare true

to test if the restrictions are being enforced.

Ideally access to this information would be restricted so that any
unknown access would be logged, but lxc/d currently aren't ready for
this so in order to _not_ force lxc/d to probe whether enforcement is
enabled, open up read access to the sysctls for unprivileged user
namespace mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/lsm.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff mbox series

Patch

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 205cd79fb625..a1ea0321ec38 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2397,6 +2397,17 @@  static int apparmor_dointvec(struct ctl_table *table, int write,
 	return proc_dointvec(table, write, buffer, lenp, ppos);
 }
 
+static int userns_restrict_dointvec(struct ctl_table *table, int write,
+				    void *buffer, size_t *lenp, loff_t *ppos)
+{
+	if (!apparmor_enabled)
+		return -EINVAL;
+	if (write && !aa_current_policy_admin_capable(NULL))
+		return -EPERM;
+
+	return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
 static struct ctl_table apparmor_sysctl_table[] = {
 #ifdef CONFIG_USER_NS
 	{
@@ -2419,8 +2430,8 @@  static struct ctl_table apparmor_sysctl_table[] = {
 		.procname       = "apparmor_restrict_unprivileged_userns",
 		.data           = &unprivileged_userns_restricted,
 		.maxlen         = sizeof(int),
-		.mode           = 0600,
-		.proc_handler   = apparmor_dointvec,
+		.mode           = 0644,
+		.proc_handler   = userns_restrict_dointvec,
 	},
 	{
 		.procname       = "apparmor_restrict_unprivileged_userns_force",
@@ -2441,8 +2452,8 @@  static struct ctl_table apparmor_sysctl_table[] = {
 		.procname       = "apparmor_restrict_unprivileged_unconfined",
 		.data           = &aa_unprivileged_unconfined_restricted,
 		.maxlen         = sizeof(int),
-		.mode           = 0600,
-		.proc_handler   = apparmor_dointvec,
+		.mode           = 0644,
+		.proc_handler   = userns_restrict_dointvec,
 	},
 	{
 		.procname       = "apparmor_restrict_unprivileged_io_uring",