diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index f48702185ded..0461dadb7302 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -35,6 +35,8 @@ struct aa_ns;
 
 extern int unprivileged_userns_apparmor_policy;
 extern int aa_unprivileged_userns_restricted;
+extern int aa_unprivileged_userns_restricted_force;
+extern int aa_unprivileged_userns_restricted_complain;
 extern int aa_unprivileged_unconfined_restricted;
 
 extern const char *const aa_profile_mode_names[];
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e8a695146444..2c3312fbb2d9 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2042,6 +2042,20 @@ static struct ctl_table apparmor_sysctl_table[] = {
 		.mode           = 0644,
 		.proc_handler   = apparmor_dointvec,
 	},
+	{
+		.procname       = "apparmor_restrict_unprivileged_userns_force",
+		.data           = &aa_unprivileged_userns_restricted_force,
+		.maxlen         = sizeof(int),
+		.mode           = 0600,
+		.proc_handler   = apparmor_dointvec,
+	},
+	{
+		.procname       = "apparmor_restrict_unprivileged_userns_complain",
+		.data           = &aa_unprivileged_userns_restricted_complain,
+		.maxlen         = sizeof(int),
+		.mode           = 0600,
+		.proc_handler   = apparmor_dointvec,
+	},
 #endif /* CONFIG_USER_NS */
 	{
 		.procname       = "apparmor_restrict_unprivileged_unconfined",
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index aa775746af71..76395011f718 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -89,6 +89,8 @@
 
 int unprivileged_userns_apparmor_policy = 1;
 int aa_unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
+int aa_unprivileged_userns_restricted_force;
+int aa_unprivileged_userns_restricted_complain;
 int aa_unprivileged_unconfined_restricted;
 
 const char *const aa_profile_mode_names[] = {
diff --git a/security/apparmor/task.c b/security/apparmor/task.c
index fa10da236e8d..2a667ce9aba7 100644
--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -336,10 +336,12 @@ int aa_profile_ns_perm(struct aa_profile *profile,
 		aa_state_t state;
 
 		state = RULE_MEDIATES(rules, ad->class);
-		if (!state)
+		if (!state && !aa_unprivileged_userns_restricted_force)
 			/* TODO: add flag to complain about unmediated */
 			return 0;
 		perms = *aa_lookup_perms(rules->policy, state);
+		if (aa_unprivileged_userns_restricted_complain)
+			perms.complain = ALL_PERMS_MASK;
 	}
 
 	aa_apply_modes_to_perms(profile, &perms);