BugLink: https://launchpad.net/bugs/1560583
Check the value of the unprivileged_userns_apparmor_policy sysctl when a
namespace root process attempts to read the apparmorfs profiles file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
if (ns_capable(user_ns, CAP_MAC_ADMIN) &&
(user_ns == &init_user_ns ||
if (ns_capable(user_ns, CAP_MAC_ADMIN) &&
(user_ns == &init_user_ns ||
- (user_ns->level == 1 && ns != root_ns)))
+ (unprivileged_userns_apparmor_policy != 0 &&
+ user_ns->level == 1 && ns != root_ns)))
response = true;
aa_put_ns(ns);
response = true;
aa_put_ns(ns);
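Review bot: The added condition `unprivileged_userns_apparmor_policy != 0 && user_ns->level == 1 && ns != root_ns` carries no comment saying why a namespace root at `user_ns->level == 1` is allowed only when the sysctl is nonzero. A short comment above the `if` stating that intent would help, since the level restriction and the `ns != root_ns` exclusion are not self-evident from the expression. The sysctl is read here as a plain global. If it can be flipped at runtime while this check runs, `READ_ONCE(unprivileged_userns_apparmor_policy)` would make the single read explicit. The `!= 0` comparison can be dropped to match usual kernel style. The commit message covers only the read path, so it is worth confirming that any write-side capability check applies the same sysctl gate, so that viewing and managing policy do not diverge.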