From 1467c91ebd05f1643c6c083e0da1461b28cb58f9 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Sun, 23 Oct 2022 04:03:50 -0700
Subject: [PATCH] UBUNTU: SAUCE: apparmor4.0.0 [46/90]: Add sysctls for
 additional controls of unpriv userns restrictions

BugLink: http://bugs.launchpad.net/bugs/2028253

Add apparmor_restrict_unprivileged_userns_force
  To force old policies that don't support user namespace restrictions
  to apply them anyways.

Add apparmor_restrict_unprivileged_userns_complain
  To cause user namespace restrictions to complain instead of fail.
  This will work on both profiles and unconfined.

Signed-off-by: John Johansen <john.johansen@canonical.com>

fixup userns

(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 13890cd37e28953bcf321d7ccad7ae50377e672f
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
---
 security/apparmor/include/policy.h |  2 ++
 security/apparmor/lsm.c            | 14 ++++++++++++++
 security/apparmor/policy.c         |  2 ++
 security/apparmor/task.c           |  4 +++-
 4 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index f48702185ded..0461dadb7302 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -35,6 +35,8 @@ struct aa_ns;
 
 extern int unprivileged_userns_apparmor_policy;
 extern int aa_unprivileged_userns_restricted;
+extern int aa_unprivileged_userns_restricted_force;
+extern int aa_unprivileged_userns_restricted_complain;
 extern int aa_unprivileged_unconfined_restricted;
 
 extern const char *const aa_profile_mode_names[];
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e8a695146444..2c3312fbb2d9 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2042,6 +2042,20 @@ static struct ctl_table apparmor_sysctl_table[] = {
 		.mode           = 0644,
 		.proc_handler   = apparmor_dointvec,
 	},
+	{
+		.procname       = "apparmor_restrict_unprivileged_userns_force",
+		.data           = &aa_unprivileged_userns_restricted_force,
+		.maxlen         = sizeof(int),
+		.mode           = 0600,
+		.proc_handler   = apparmor_dointvec,
+	},
+	{
+		.procname       = "apparmor_restrict_unprivileged_userns_complain",
+		.data           = &aa_unprivileged_userns_restricted_complain,
+		.maxlen         = sizeof(int),
+		.mode           = 0600,
+		.proc_handler   = apparmor_dointvec,
+	},
 #endif /* CONFIG_USER_NS */
 	{
 		.procname       = "apparmor_restrict_unprivileged_unconfined",
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index aa775746af71..76395011f718 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -89,6 +89,8 @@
 
 int unprivileged_userns_apparmor_policy = 1;
 int aa_unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
+int aa_unprivileged_userns_restricted_force;
+int aa_unprivileged_userns_restricted_complain;
 int aa_unprivileged_unconfined_restricted;
 
 const char *const aa_profile_mode_names[] = {
diff --git a/security/apparmor/task.c b/security/apparmor/task.c
index fa10da236e8d..2a667ce9aba7 100644
--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -336,10 +336,12 @@ int aa_profile_ns_perm(struct aa_profile *profile,
 		aa_state_t state;
 
 		state = RULE_MEDIATES(rules, ad->class);
-		if (!state)
+		if (!state && !aa_unprivileged_userns_restricted_force)
 			/* TODO: add flag to complain about unmediated */
 			return 0;
 		perms = *aa_lookup_perms(rules->policy, state);
+		if (aa_unprivileged_userns_restricted_complain)
+			perms.complain = ALL_PERMS_MASK;
 	}
 
 	aa_apply_modes_to_perms(profile, &perms);