On 2/28/25 11:27, va...@mailbox.org wrote:
Hello John,

can you give us a quick update on the status of this restricted userns feature? Did it
make it into kernel 6.14 and, if not, when would it currently be expected?

It did not. I may get some of it into 6.15 but it won't be everything that is
needed. Nor will we have a userspace release that can support the necessary
policy. The 4.1 release won't support it, but the dev tree should soon. I
can update you on what will definitely be in 6.15 in a couple of weeks.


We have had a setback on the patches to bring policy to unconfined without
hard coding the restrictions. This bug
https://bugs.launchpad.net/apparmor/+bug/2067900
is one of many that led to a revert in Ubuntu of the patches, and it
needs more dev before we can try landing it again, and definitely before
it can make it upstream. Ubuntu has a hard-coded patch, and this was/is
part of the effort to get to where the hard-coded patch can be dropped for
policy.

Unfortunately the fix for the above patch is not trivial, so it's going to
take a while, partly because there is some other higher priority work to
finish first. Atm my plan is to try to land it in 6.16, which should be
enough time to get not only the kernel patches fixed, but the userspace
and testing in as well.


Thank you

On Thu, Oct 31, 2024 at 07:54:04AM -0700, John Johansen wrote:
On 10/31/24 06:59, valoq wrote:
Ubuntu added a patch last year to allow user namespaces only for processes
confined by apparmor, and allegedly the kernel patch for this feature made
it into the upstream kernel as well, but there seems to be no documentation
available about it. Additionally, apparmor now includes default profiles
with the userns permission making use of this feature, but there is no
documentation about the requirements of this feature.

As implemented in Ubuntu, there are three parts.
1. for an application to use user namespaces the application must be confined
    by a profile, that explicitly allows the use of user namespaces.
2. when enabled, unconfined is not allowed to use unprivileged user namespaces.
3. apparmor enables a policy var via sysctl on boot. It was done this way for
    two reasons.
    a. So that new kernels could be taken back to old releases and not break
       them with the feature being turned on by default in the kernel.
    b. So that the feature could be turned on, on older releases without
       having to have an updated apparmor userspace to enable the feature
       in policy.

How can this feature actually be used on other Linux distributions and
vanilla Linux kernels? It seems like
kernel.apparmor_restrict_unprivileged_userns is not available outside of
Ubuntu, and most similar flags appear undocumented as well.
Is support for restricted userns actually available outside of Ubuntu?


Currently it is not.

The ability to mediate userns creation in profiles landed in 6.7.

The 2nd and 3rd parts have not landed upstream yet. This is largely because
the Ubuntu patches hard code the behavior, whereas for upstream we want the
behavior to be properly part of policy.

There is a patch to extend the current mediation that is a requirement
for parts 2/3 that I will try to post out this week. The other parts
I still need to evaluate. But I don't think landing full support
is possible for 6.13. So I am currently planning to try and land full
support in 6.14.