opencontainers / runc

CLI tool for spawning and running containers according to the OCI specification
https://www.opencontainers.org/
Apache License 2.0

contrib: AppArmor profile (and docs) for kernel.apparmor_restrict_unprivileged_userns #4069

Open AkihiroSuda opened 11 months ago

AkihiroSuda commented 11 months ago

https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

As such, unprivileged processes will only be able to create user namespaces if they are confined and have the “userns,” rule in their AppArmor profile (or if they have CAP_SYS_ADMIN). … This feature will be first available as an opt-in in Ubuntu 23.10.

Probably we should provide an apparmor profile in contrib/

AkihiroSuda commented 11 months ago

/etc/apparmor.d/usr.sbin.runc from apparmor_4.0.0~alpha2-0ubuntu5_amd64.deb:

abi <abi/4.0>,
include <tunables/global>

/usr/sbin/runc flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.runc>
}
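Added example (not code from the runc project, the Ubuntu package, or the issue author): a small POSIX shell script that ties the two comments together. It reads the `kernel.apparmor_restrict_unprivileged_userns` knob from /proc, checks whether a given AppArmor profile carries the `userns` rule the blog post describes, combines both into a verdict, and then tries `unshare -U` on the live host as an empirical check. The sysctl path, the temp-file locations and the two sample profiles written below are assumptions constructed for the demonstration; the sample with the rule mirrors the packaged `usr.sbin.runc` above, the one without it is the failing case.

```sh
#!/bin/sh
# Added example, not part of runc or the Ubuntu apparmor package.
# Determine whether AppArmor's unprivileged-userns restriction is active and
# whether a profile grants the 'userns' permission a restricted, unprivileged
# runc would need. Paths and sample profiles below are assumptions.

# Where the kernel exposes the knob; overridable for testing (assumed path).
USERNS_SYSCTL="${USERNS_SYSCTL:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"

# Print "restricted", "unrestricted" or "unsupported" for sysctl file $1.
# "unsupported" means this kernel/AppArmor build has no such knob at all.
userns_restriction_state() {
  f="${1:-$USERNS_SYSCTL}"
  [ -r "$f" ] || { echo unsupported; return 0; }
  case "$(tr -d '[:space:]' < "$f")" in
    1) echo restricted ;;
    0) echo unrestricted ;;
    *) echo unsupported ;;
  esac
}

# Return 0 if profile file $1 contains a userns rule, either the bare
# 'userns,' form or a qualified one such as 'userns create,'; 1 otherwise.
profile_grants_userns() {
  grep -Eq '^[[:space:]]*userns([[:space:]]|,)' "$1"
}

# Combine both: print "ok", "blocked" or "n/a" for sysctl file $1 and
# profile file $2. "blocked" is the case this issue is about: restriction on
# and no userns rule, so an unprivileged confined process cannot create a
# user namespace.
userns_verdict() {
  case "$(userns_restriction_state "$1")" in
    restricted)
      if profile_grants_userns "$2"; then echo ok; else echo blocked; fi ;;
    unrestricted) echo ok ;;
    *) echo n/a ;;
  esac
}

# Live check: attempt to create a user namespace as the current user.
# Only reports the outcome; never aborts the script.
try_unshare() {
  if ! command -v unshare >/dev/null 2>&1; then
    echo "unshare(1) not available, skipping live test"
  elif unshare -U true 2>/dev/null; then
    echo "unprivileged user namespace creation: allowed"
  else
    echo "unprivileged user namespace creation: denied"
  fi
}

# Constructed sample inputs (assumed temp paths, not the packaged files).
tmp="${TMPDIR:-/tmp}/userns-check.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/with-userns" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
/usr/sbin/runc flags=(unconfined) {
  userns,
}
EOF
cat > "$tmp/without-userns" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
/usr/sbin/runc flags=(unconfined) {
}
EOF
printf '1\n' > "$tmp/sysctl-on"
printf '0\n' > "$tmp/sysctl-off"

echo "host sysctl state: $(userns_restriction_state)"
echo "restricted, profile with userns:    $(userns_verdict "$tmp/sysctl-on" "$tmp/with-userns")"
echo "restricted, profile without userns: $(userns_verdict "$tmp/sysctl-on" "$tmp/without-userns")"
echo "unrestricted, profile without:      $(userns_verdict "$tmp/sysctl-off" "$tmp/without-userns")"
try_unshare
```

Note that the packaged profile keeps `flags=(unconfined)`: the binary stays otherwise unconfined, and the profile exists only so that AppArmor has somewhere to attach the `userns,` grant. Without such a profile, a process with no profile at all is treated as unprivileged-and-confined for this purpose once the sysctl is set to 1, which is why the live `unshare -U` check above is denied on a restricted host even for binaries that never had an AppArmor profile before.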