apparmor: add user namespace creation mediation

Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which blocks its legitimate use as for setting up a sandbox, allow control on a per domain basis. This allows an admin to quickly lock down a system while also still allowing legitimate use. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2022-09-09 16:00:09 -0700
committer: John Johansen <john.johansen@canonical.com> 2023-10-18 15:49:02 -0700
commit: fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5 (patch)
tree: dc093ea12c7ae548e981bc1f675d7f974a6366f0 /security/apparmor/apparmorfs.c
parent: 2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 6d0848f10ff0..7170349c8af0 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2375,6 +2375,7 @@ static struct aa_sfs_entry aa_sfs_entry_mount[] = {
 static struct aa_sfs_entry aa_sfs_entry_ns[] = {
 	AA_SFS_FILE_BOOLEAN("profile",		1),
 	AA_SFS_FILE_BOOLEAN("pivot_root",	0),
+	AA_SFS_FILE_STRING("mask", "userns_create"),
 	{ }
 };
author	John Johansen <john.johansen@canonical.com>	2022-09-09 16:00:09 -0700
committer	John Johansen <john.johansen@canonical.com>	2023-10-18 15:49:02 -0700
commit	fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5 (patch)
tree	dc093ea12c7ae548e981bc1f675d7f974a6366f0 /security/apparmor/apparmorfs.c
parent	2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (diff)