diff options
author | John Johansen <john.johansen@canonical.com> | 2022-09-09 16:00:09 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2023-10-18 15:49:02 -0700 |
commit | fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5 (patch) | |
tree | dc093ea12c7ae548e981bc1f675d7f974a6366f0 /security/apparmor/task.c | |
parent | 2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (diff) |
apparmor: add user namespace creation mediation
Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.
This allows an admin to quickly lock down a system while also still
allowing legitimate use.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/task.c')
-rw-r--r-- | security/apparmor/task.c | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/security/apparmor/task.c b/security/apparmor/task.c index 1a7c9d02e31d..f29a2e80e6bf 100644 --- a/security/apparmor/task.c +++ b/security/apparmor/task.c @@ -298,3 +298,44 @@ int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer, profile_tracee_perm(tracee_cred, profile, tracer, xrequest, &sa)); } + +/* call back to audit ptrace fields */ +static void audit_ns_cb(struct audit_buffer *ab, void *va) +{ + struct apparmor_audit_data *ad = aad_of_va(va); + + if (ad->request & AA_USERNS_CREATE) + audit_log_format(ab, " requested=\"userns_create\""); + + if (ad->denied & AA_USERNS_CREATE) + audit_log_format(ab, " denied=\"userns_create\""); +} + +int aa_profile_ns_perm(struct aa_profile *profile, + struct apparmor_audit_data *ad, + u32 request) +{ + struct aa_perms perms = { }; + int error = 0; + + ad->subj_label = &profile->label; + ad->request = request; + + if (!profile_unconfined(profile)) { + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), + list); + aa_state_t state; + + state = RULE_MEDIATES(rules, ad->class); + if (!state) + /* TODO: add flag to complain about unmediated */ + return 0; + perms = *aa_lookup_perms(rules->policy, state); + aa_apply_modes_to_perms(profile, &perms); + error = aa_check_perms(profile, &perms, request, ad, + audit_ns_cb); + } + + return error; +} |