[Kernel-packages] [Bug 2040194] [NEW] apparmor restricts read access of user namespace mediation sysctls to root

Mon, 23 Oct 2023 17:02:03 -0700 

Public bug reported:

lxc and lxd currently need to determine if the apparmor restriction             
on unprivileged user namespaces are being enforced, so that apparmor            
restrictions won't break lxc/d, and they won't clutter the logs                 
by doing something like                                                         
                                                                                
  unshare true                                                                  
                                                                                
to test if the restrictions are being enforced.                                 
                                                                                
Ideally access to this information would be restricted so that any              
unknown access would be logged, but lxc/d currently aren't ready for            
this so in order to _not_ force lxc/d to probe whether enforcement is           
enabled, open up read access to the sysctls for unprivileged user               
namespace mediation.                                                            
 
https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Mantic)
     Importance: Undecided
         Status: New

** Also affects: linux (Ubuntu Mantic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194

Title:
  apparmor restricts read access of user namespace mediation sysctls to
  root

Status in linux package in Ubuntu:
  New
Status in linux source package in Mantic:
  New

Bug description:
  lxc and lxd currently need to determine if the apparmor restriction           
  
  on unprivileged user namespaces are being enforced, so that apparmor          
  
  restrictions won't break lxc/d, and they won't clutter the logs               
  
  by doing something like                                                       
  
                                                                                
  
    unshare true                                                                
  
                                                                                
  
  to test if the restrictions are being enforced.                               
  
                                                                                
  
  Ideally access to this information would be restricted so that any            
  
  unknown access would be logged, but lxc/d currently aren't ready for          
  
  this so in order to _not_ force lxc/d to probe whether enforcement is         
  
  enabled, open up read access to the sysctls for unprivileged user             
  
  namespace mediation.                                                          
  
   
  https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040194/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to