apparmor: add user namespace creation mediation
author John Johansen <john.johansen@canonical.com>
Fri, 9 Sep 2022 23:00:09 +0000 (16:00 -0700)
committer John Johansen <john.johansen@canonical.com>
Wed, 18 Oct 2023 22:49:02 +0000 (15:49 -0700)
commit fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5
tree dc093ea12c7ae548e981bc1f675d7f974a6366f0
parent 2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc
apparmor: add user namespace creation mediation

Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use such as for setting up a sandbox,
allow control on a per domain basis.

This allows an admin to quickly lock down a system while also still
allowing legitimate use.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/apparmorfs.c
security/apparmor/audit.c
security/apparmor/include/apparmor.h
security/apparmor/include/audit.h
security/apparmor/include/task.h
security/apparmor/lsm.c
security/apparmor/task.c