UBUNTU: SAUCE: apparmor4.0.0 [46/90]: Add sysctls for additional controls of unpriv userns restrictions

BugLink: http://bugs.launchpad.net/bugs/2028253

Add apparmor_restrict_unprivileged_userns_force
  To force old policies that don't support user namespace restrictions
  to apply them anyways.

Add apparmor_restrict_unprivileged_userns_complain
  To cause user namespace restrictions to complain instead of fail.
  This will work on both profiles and unconfined.

Signed-off-by: John Johansen <john.johansen@canonical.com>

fixup userns

(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 13890cd37e28953bcf321d7ccad7ae50377e672f
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

security/apparmor/include/policy.h

@@ -35,6 +35,8 @@ struct aa_ns;
 
 extern int unprivileged_userns_apparmor_policy;
 extern int aa_unprivileged_userns_restricted;
+extern int aa_unprivileged_userns_restricted_force;
+extern int aa_unprivileged_userns_restricted_complain;
 extern int aa_unprivileged_unconfined_restricted;
 
 extern const char *const aa_profile_mode_names[];

security/apparmor/lsm.c

@@ -2042,6 +2042,20 @@ static struct ctl_table apparmor_sysctl_table[] = {
 		.mode           = 0644,
 		.proc_handler   = apparmor_dointvec,
 	},
+	{
+		.procname       = "apparmor_restrict_unprivileged_userns_force",
+		.data           = &aa_unprivileged_userns_restricted_force,
+		.maxlen         = sizeof(int),
+		.mode           = 0600,
+		.proc_handler   = apparmor_dointvec,
+	},
+	{
+		.procname       = "apparmor_restrict_unprivileged_userns_complain",
+		.data           = &aa_unprivileged_userns_restricted_complain,
+		.maxlen         = sizeof(int),
+		.mode           = 0600,
+		.proc_handler   = apparmor_dointvec,
+	},
 #endif /* CONFIG_USER_NS */
 	{
 		.procname       = "apparmor_restrict_unprivileged_unconfined",

security/apparmor/policy.c

@@ -89,6 +89,8 @@
 
 int unprivileged_userns_apparmor_policy = 1;
 int aa_unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
+int aa_unprivileged_userns_restricted_force;
+int aa_unprivileged_userns_restricted_complain;
 int aa_unprivileged_unconfined_restricted;
 
 const char *const aa_profile_mode_names[] = {

security/apparmor/task.c

@@ -336,10 +336,12 @@ int aa_profile_ns_perm(struct aa_profile *profile,
 		aa_state_t state;
 
 		state = RULE_MEDIATES(rules, ad->class);
-		if (!state)
+		if (!state && !aa_unprivileged_userns_restricted_force)
 			/* TODO: add flag to complain about unmediated */
 			return 0;
 		perms = *aa_lookup_perms(rules->policy, state);
+		if (aa_unprivileged_userns_restricted_complain)
+			perms.complain = ALL_PERMS_MASK;
 	}
 
 	aa_apply_modes_to_perms(profile, &perms);