UBUNTU: SAUCE: apparmor4.0.0 [45/90]: add unpriviled user ns mediation

BugLink: http://bugs.launchpad.net/bugs/2028253 Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which blocks its legitimate use as for setting up a sandbox, allow control on a per domain basis. This allows an admin to quickly lock down a system while also still allowing legitimate use. Signed-off-by: John Johansen <john.johansen@canonical.com> (cherry picked from https://gitlab.com/jjohansen/apparmor-kernel) Signed-off-by: Andrea Righi <andrea.righi@canonical.com> (cherry picked from commit 98624b0de733fca44a790db0e78090dc77919fbd https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2022-09-09 16:00:09 -07:00
parent f1e158f349
commit cf24569d20
5 changed files with 34 additions and 7 deletions
@@ -105,6 +105,18 @@ config SECURITY_APPARMOR_PARANOID_LOAD
 	  includes policy, and has some form of integrity check.
 	  Disabling the check will speed up policy loads.

+config SECURITY_APPARMOR_RESTRICT_USERNS
+	bool "Restrict user namespace creation to confined domains"
+	depends on SECURITY_APPARMOR && USER_NS
+	default y
+	help
+	  This options allows controlling whether apparmor restricts
+	  the creation of new user namespaces to confined tasks by
+	  default. If set unconfined tasks without CAP_SYS_ADMIN
+	  will not be allowed to create new user namespaces. Confined
+	  tasks ability to create new user namespaces will be controlled
+	  by their profile.
+
 config SECURITY_APPARMOR_KUNIT_TEST
 	tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
 	depends on KUNIT && SECURITY_APPARMOR
@@ -34,6 +34,7 @@
 struct aa_ns;

 extern int unprivileged_userns_apparmor_policy;
+extern int aa_unprivileged_userns_restricted;
 extern int aa_unprivileged_unconfined_restricted;

 extern const char *const aa_profile_mode_names[];
@@ -1050,7 +1050,7 @@ static int apparmor_userns_create(const struct cred *cred)
 	ad.subj_cred = current_cred();

 	label = begin_current_label_crit_section();
-	if (!unconfined(label)) {
+	if (aa_unprivileged_userns_restricted || !unconfined(label)) {
 		error = fn_for_each(label, profile,
 				    aa_profile_ns_perm(profile, &ad,
 						       AA_USERNS_CREATE));
@@ -2034,6 +2034,15 @@ static struct ctl_table apparmor_sysctl_table[] = {
 		.mode           = 0600,
 		.proc_handler   = apparmor_dointvec,
 	},
+#ifdef CONFIG_USER_NS
+	{
+		.procname       = "apparmor_restrict_unprivileged_userns",
+		.data           = &aa_unprivileged_userns_restricted,
+		.maxlen         = sizeof(int),
+		.mode           = 0644,
+		.proc_handler   = apparmor_dointvec,
+	},
+#endif /* CONFIG_USER_NS */
 	{
 		.procname       = "apparmor_restrict_unprivileged_unconfined",
 		.data           = &aa_unprivileged_unconfined_restricted,
@@ -88,6 +88,7 @@
 #include "include/resource.h"

 int unprivileged_userns_apparmor_policy = 1;
+int aa_unprivileged_userns_restricted = IS_ENABLED(CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS);
 int aa_unprivileged_unconfined_restricted;

 const char *const aa_profile_mode_names[] = {
@@ -318,12 +318,18 @@ int aa_profile_ns_perm(struct aa_profile *profile,
 		       u32 request)
 {
 	struct aa_perms perms = { };
-	int error = 0;

 	ad->subj_label = &profile->label;
 	ad->request = request;

-	if (!profile_unconfined(profile)) {
+	if (profile_unconfined(profile)) {
+		if (!aa_unprivileged_userns_restricted ||
+		    ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
+			return 0;
+
+		ad->info = "User namespace creation restricted";
+		/* don't just return: allow complain mode to override */
+	} else {
 		struct aa_ruleset *rules = list_first_entry(&profile->rules,
 							    typeof(*rules),
 							    list);
@@ -334,10 +340,8 @@ int aa_profile_ns_perm(struct aa_profile *profile,
 			/* TODO: add flag to complain about unmediated */
 			return 0;
 		perms = *aa_lookup_perms(rules->policy, state);
-		aa_apply_modes_to_perms(profile, &perms);
-		error = aa_check_perms(profile, &perms, request, ad,
-				       audit_ns_cb);
 	}

-	return error;
+	aa_apply_modes_to_perms(profile, &perms);
+	return aa_check_perms(profile, &perms, request, ad, audit_ns_cb);
 }