Re: [apparmor] Restricted userns

2024-10-31 Thread valoq
On Thu, Oct 31, 2024 at 07:54:04AM -0700, John Johansen wrote:
> On 10/31/24 06:59, valoq wrote:
> Currently it is not.
> 
> The ability to mediate userns creation in profiles landed in 6.7.
> 
> The 2 and 3rd parts have not landed upstream yet. This is largely because
> the Ubuntu patches hard code the behavior where for upstream we want the
> behavior to be properly part of policy.
> 
> There is a patch to extend the current mediation that is a requirement
> for parts 2/3 that I will try to post out this week. The other parts
> I still need to evaluate. But I don't think landing full support for
> is possible for 6.13. So I am currently planning to try and land full
> support in 6.14.

Thanks for the reply and the upcoming patch.

If there is anything I can help, please let me know. While I do not have
experience with kernel development, I would like to support this patch
however possible.



[apparmor] Restricted userns

2024-10-31 Thread valoq
Ubuntu added a patch last year to allow user namespaces only for processes
confined by apparmor and allegedly the kernel patch for this feature made
it into the upstream kernel as well, but there seems to be no documentation
available about it. Additionally, apparmor now includes default profiles
with the userns permission making use of this feature, but there is no
documentation about the requirements of this feature.

How can this feature actually be used on other Linux distributions and
vanilla Linux kernels? It seems like
kernel.apparmor_restrict_unprivileged_userns is not available outside of
Ubuntu and most similar flags appear undocumented as well.
Is support for restricted userns actually available outside of Ubuntu?



Re: [apparmor] Restricted userns

2025-03-01 Thread valoq
Hello John,

Can you give us a quick update on the status of this restricted userns feature?
Did it make it into kernel 6.14 and, if not, when would it currently be expected?

Thank you

On Thu, Oct 31, 2024 at 07:54:04AM -0700, John Johansen wrote:
> On 10/31/24 06:59, valoq wrote:
> > Ubuntu added a patch last year to allow user namespaces only for processes
> > confined by apparmor and allegedly the kernel patch for this feature made
> > it into the upstream kernel as well, but there seems to be no documentation
> > available about it. Additionally, apparmor now includes default profiles
> > with the userns permission making use of this feature, but there is no
> > documentation about the requirements of this feature.
> > 
> As implemented in Ubuntu, there are three parts.
> 1. for an application to use user namespaces the application must be confined
>    by a profile, that explicitly allows the use of user namespaces.
> 2. when enabled, unconfined is not allowed to use unprivileged user
>    namespaces.
> 3. apparmor enables a policy var via sysctl on boot. It was done this way for
>    two reasons.
>    a. So that new kernels could be taken back to old releases and not break
>       them with the feature being turned on by default in the kernel.
>    b. So that the feature could be turned on, on older releases without
>       having to have an updated apparmor userspace to enable the feature
>       in policy.
> 
> > How can this feature actually be used on other linux distributions and
> > vanilla linux kernels? It seems like
> > kernel.apparmor_restrict_unprivileged_userns is not available outside of
> > ubuntu and most similar flags appear undocumented as well.
> > Is support for restricted userns actually available outside of ubuntu?
> > 
> 
> Currently it is not.
> 
> The ability to mediate userns creation in profiles landed in 6.7.
> 
> The 2 and 3rd parts have not landed upstream yet. This is largely because
> the Ubuntu patches hard code the behavior where for upstream we want the
> behavior to be properly part of policy.
> 
> There is a patch to extend the current mediation that is a requirement
> for parts 2/3 that I will try to post out this week. The other parts
> I still need to evaluate. But I don't think landing full support for
> is possible for 6.13. So I am currently planning to try and land full
> support in 6.14.
> 
>
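The thread leaves an administrator on a non-Ubuntu kernel with a practical question: does the running kernel expose the userns mediation that landed in 6.7, is the Ubuntu-only sysctl present at all, and what does a profile that grants userns look like? The script below is an added example written for this page; it is not code from the thread, from John Johansen, or from the AppArmor project. It assumes the kernel advertises userns mediation through the securityfs feature file `/sys/kernel/security/apparmor/features/namespaces/mask` (containing `userns_create`), that the Ubuntu sysctl appears as `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` when the distro patch is present, and that the `userns,` rule with an `abi <abi/4.0>,` header is the policy syntax in use; the program path in the generated profile is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: probe a kernel for AppArmor userns
# mediation and the Ubuntu-specific restriction sysctl, and emit a sample
# profile granting userns to one confined program. Every path is an
# assumption and can be overridden with an argument so the checks can also
# be exercised against constructed files.

# Returns 0 if the AppArmor feature mask file lists userns_create, which is
# what the 6.7+ mediation (part 1 in the thread) exposes to userspace.
has_userns_mediation() {
    mask_file="${1:-/sys/kernel/security/apparmor/features/namespaces/mask}"
    [ -r "$mask_file" ] || return 1
    grep -qw 'userns_create' "$mask_file"
}

# Prints the state of kernel.apparmor_restrict_unprivileged_userns (parts 2/3
# in the thread): "restricted", "unrestricted", or "unavailable" when the
# sysctl does not exist, which is the expected result on a vanilla kernel.
restrict_state() {
    sysctl_file="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    if [ ! -r "$sysctl_file" ]; then
        printf 'unavailable\n'
        return 0
    fi
    case "$(cat "$sysctl_file")" in
        1) printf 'restricted\n' ;;
        0) printf 'unrestricted\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# Emits a minimal profile that confines one program and explicitly allows it
# to create user namespaces. The abi header and the `userns,` rule are
# assumed AppArmor 4.x syntax; the default program path is a placeholder.
userns_profile() {
    prog="${1:-/usr/local/bin/example-sandboxed-app}"
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

$prog flags=(attach_disconnected) {
  include <abstractions/base>
  # Allow this confined program to create user namespaces.
  userns,
}
EOF
}

# Stand-alone report against the live system (does not fail on absence).
if has_userns_mediation; then
    echo "kernel: userns mediation available (profiles can carry a userns rule)"
else
    echo "kernel: userns mediation not available (needs 6.7+ with AppArmor)"
fi
echo "sysctl kernel.apparmor_restrict_unprivileged_userns: $(restrict_state)"
```

On a vanilla kernel the expected picture matches the thread: the feature file reports `userns_create` (so a profile rule can mediate creation), while the sysctl is reported as unavailable, because restricting unconfined processes is the part that had not landed upstream. The generated profile only makes sense once the first check passes; load it with `apparmor_parser -r` after replacing the placeholder path.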