authorJohn Johansen <john.johansen@canonical.com>2022-09-09 16:00:09 -0700
committerJohn Johansen <john.johansen@canonical.com>2023-10-18 15:49:02 -0700
commitfa9b63adabcfa9b724120ef3352cf6fb82b4b9a5 (patch)
treedc093ea12c7ae548e981bc1f675d7f974a6366f0 /security/apparmor/task.c
parent2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (diff)
apparmor: add user namespace creation mediation
Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which also blocks legitimate uses such as setting up a sandbox, allow control on a per-domain basis. This allows an admin to quickly lock down a system while still allowing legitimate use. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/task.c')
-rw-r--r--security/apparmor/task.c41
1 files changed, 41 insertions, 0 deletions
diff --git a/security/apparmor/task.c b/security/apparmor/task.c
index 1a7c9d02e31d..f29a2e80e6bf 100644
--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -298,3 +298,44 @@ int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
profile_tracee_perm(tracee_cred, profile, tracer,
xrequest, &sa));
}
+
+/* call back to audit ptrace fields */
+static void audit_ns_cb(struct audit_buffer *ab, void *va)
+{
+ struct apparmor_audit_data *ad = aad_of_va(va);
+
+ if (ad->request & AA_USERNS_CREATE)
+ audit_log_format(ab, " requested=\"userns_create\"");
+
+ if (ad->denied & AA_USERNS_CREATE)
+ audit_log_format(ab, " denied=\"userns_create\"");
+}
+
+int aa_profile_ns_perm(struct aa_profile *profile,
+ struct apparmor_audit_data *ad,
+ u32 request)
+{
+ struct aa_perms perms = { };
+ int error = 0;
+
+ ad->subj_label = &profile->label;
+ ad->request = request;
+
+ if (!profile_unconfined(profile)) {
+ struct aa_ruleset *rules = list_first_entry(&profile->rules,
+ typeof(*rules),
+ list);
+ aa_state_t state;
+
+ state = RULE_MEDIATES(rules, ad->class);
+ if (!state)
+ /* TODO: add flag to complain about unmediated */
+ return 0;
+ perms = *aa_lookup_perms(rules->policy, state);
+ aa_apply_modes_to_perms(profile, &perms);
+ error = aa_check_perms(profile, &perms, request, ad,
+ audit_ns_cb);
+ }
+
+ return error;
+}
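Review bot: The comment on audit_ns_cb, `/* call back to audit ptrace fields */`, was copied from the ptrace callback, but this function logs the userns_create request and denied fields; it should read `/* call back to audit user namespace creation fields */`. aa_profile_ns_perm is a non-static entry point with no kernel-doc; I would add a block naming @profile as the confining profile, @ad as the audit data whose class the caller has already set, and @request as the AA_USERNS_* mask, and stating the return contract: 0 when allowed or when the ruleset does not mediate ad->class, otherwise the error from aa_check_perms. The silent allow on an unmediated class (the `if (!state)` branch) is the fail-open default for this new class and deserves an explicit sentence in that comment rather than only the TODO, so a reader auditing policy coverage does not mistake it for a denial. That ad->class is populated before the call is inferred from RULE_MEDIATES(rules, ad->class) and should be confirmed against the call site, which is outside this hunk.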