Hello John, can you give us a quick update on the status of this restricted userns feature? Did it make it into kernel 6.14 and, if not, when would it currently be expected?
Thank you

On Thu, Oct 31, 2024 at 07:54:04AM -0700, John Johansen wrote:
> On 10/31/24 06:59, valoq wrote:
> > Ubuntu added a patch last year to allow user namespaces only for processes
> > confined by apparmor and allegedly the kernel patch for this feature made
> > it into the upstream kernel as well, but there seems to be no documentation
> > available about it. Additionally, apparmor now includes default profiles
> > with the userns permission making use of this feature, but there is no
> > documentation about the requirements of this feature.
> >
> As implemented in Ubuntu, there are three parts.
> 1. for an application to use user namespaces the application must be confined
>    by a profile, that explicitly allows the use of user namespaces.
> 2. when enabled, unconfined is not allowed to use unprivileged user
>    namespaces.
> 3. apparmor enables a policy var via sysctl on boot. It was done this way for
>    two reasons.
>    a. So that new kernels could be taken back to old releases and not break
>       them with the feature being turned on by default in the kernel.
>    b. So that the feature could be turned on, on older releases without
>       having to have an updated apparmor userspace to enable the feature
>       in policy.
>
> > How can this feature actually be used on other linux distributions and
> > vanilla linux kernels? It seems like
> > kernel.apparmor_restrict_unprivileged_userns is not available outside of
> > ubuntu and most similar flags appear undocumented as well.
> > Is support for restricted userns actually available outside of ubuntu?
> >
>
> Currently it is not.
>
> The ability to mediate userns creation in profiles landed in 6.7.
>
> The 2nd and 3rd parts have not landed upstream yet. This is largely because
> the Ubuntu patches hard code the behavior where for upstream we want the
> behavior to be properly part of policy.
>
> There is a patch to extend the current mediation that is a requirement
> for parts 2/3 that I will try to post out this week.
> The other parts
> I still need to evaluate. But I don't think landing full support for
> is possible for 6.13. So I am currently planning to try and land full
> support in 6.14.
>
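An added audit helper for the three-part scheme John describes above (example code, not from the thread, AppArmor or Ubuntu): it reports whether the sysctl-controlled restriction is active on the running system and whether a given profile grants the userns permission. The sysctl path follows the name quoted in the thread; the AppArmor 4.x `userns,` rule syntax, the sample profile and its `/usr/bin/unshare` path are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report whether the Ubuntu-style
# AppArmor user-namespace restriction is active and whether a profile grants
# the userns permission. The sysctl path and the AppArmor 4.x "userns," rule
# syntax are assumptions of this example.

SYSCTL_PATH=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Print "enabled", "disabled" or "unavailable" (sysctl absent: a kernel
# without the Ubuntu patches, or AppArmor not loaded). An optional path
# argument lets the function be exercised on a constructed file.
aa_userns_restrict_state() {
    path=${1:-$SYSCTL_PATH}
    [ -r "$path" ] || { echo unavailable; return 0; }
    case $(cat "$path") in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Return 0 if the profile file contains a userns rule ("userns," or
# "userns create,"), 1 otherwise. Comment lines do not count.
aa_profile_allows_userns() {
    grep -Eq '^[[:space:]]*(allow[[:space:]]+)?userns([[:space:]]|,)' "$1"
}

# Constructed sample: an unconfined-flagged profile whose only effect is to
# add the userns permission, the pattern part 1 of the scheme requires.
write_sample_profile() {
    cat > "$1" <<'EOF'
abi <abi/4.0>,
include <tunables/global>

profile unshare /usr/bin/unshare flags=(unconfined) {
  userns,
  include if exists <local/unshare>
}
EOF
}

# Stand-alone demo.
tmp=$(mktemp)
write_sample_profile "$tmp"
echo "restriction on this host: $(aa_userns_restrict_state)"
if aa_profile_allows_userns "$tmp"; then echo "sample profile: userns allowed"; fi
rm -f "$tmp"
```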