docker-ce-packaging

Support kernel.apparmor_restrict_unprivileged_userns

Open · AkihiroSuda opened this issue 2 years ago · 1 comment

https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

As such, unprivileged processes will only be able to create user namespaces if they are confined and have the “userns,” rule in their AppArmor profile (or if they have CAP_SYS_ADMIN). … This feature will be first available as an opt-in in Ubuntu 23.10.

Probably we have to provide an apparmor profile for /usr/bin/rootlesskit before Ubuntu 24.04.

AkihiroSuda avatar Oct 11 '23 22:10 AkihiroSuda

/etc/apparmor.d/usr.bin.rootlesskit from apparmor_4.0.0~alpha2-0ubuntu5_amd64.deb:

abi <abi/4.0>,
include <tunables/global>

/usr/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.rootlesskit>
}

So, maybe, no further action is needed on Docker's side.

AkihiroSuda avatar Oct 12 '23 05:10 AkihiroSuda
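The profile above only matters on a host where the sysctl is actually on, and it only helps if the file is installed and loaded. The following POSIX shell script is an added example and is not code from this issue or from docker-ce-packaging: it reports whether kernel.apparmor_restrict_unprivileged_userns is enforced, whether the binary's profile (by Ubuntu's /etc/apparmor.d/usr.bin.rootlesskit naming convention) carries a real `userns,` rule and is loaded, probes `unshare -U` from the current shell, and counts AppArmor userns denials in log text. The APPARMOR_D override, the function names and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue or from docker-ce-packaging.
# Checks whether this host enforces kernel.apparmor_restrict_unprivileged_userns
# and whether a binary (default: /usr/bin/rootlesskit) carries an AppArmor
# profile with the "userns," rule it would then need.

SYSCTL_FILE=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
# APPARMOR_D is an override for testing; real hosts use /etc/apparmor.d.
APPARMOR_D=${APPARMOR_D:-/etc/apparmor.d}

# Succeed when the restriction is on. A kernel without the knob cannot enforce it.
userns_restricted() {
    [ -r "$SYSCTL_FILE" ] && [ "$(cat "$SYSCTL_FILE")" = 1 ]
}

# Map a binary path to the conventional profile file name under APPARMOR_D:
# /usr/bin/rootlesskit -> <APPARMOR_D>/usr.bin.rootlesskit
profile_path_for() {
    printf '%s/%s\n' "$APPARMOR_D" "$(printf '%s' "${1#/}" | tr / .)"
}

# Succeed when the profile file has a real "userns," rule (commented-out ones ignored).
profile_grants_userns() {
    [ -r "$1" ] && sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*userns[[:space:]]*,'
}

# Succeed when a profile for the binary is currently loaded in the kernel.
profile_loaded() {
    grep -q "^$1 (" /sys/kernel/security/apparmor/profiles 2>/dev/null
}

# Count AppArmor userns denials in kernel/audit log text read from stdin.
# Restricted hosts log them as operation="userns_create" (class="namespace").
count_userns_denials() {
    grep -c 'apparmor="DENIED" operation="userns_create"' || :
}

# Live probe: can this (unconfined) shell still create a user namespace?
probe_userns() {
    if unshare -U true 2>/dev/null; then echo allowed; else echo denied; fi
}

diagnose() {
    bin=$1
    prof=$(profile_path_for "$bin")
    if userns_restricted; then
        echo "apparmor_restrict_unprivileged_userns=1: unprivileged user namespaces need an AppArmor userns rule"
        if profile_grants_userns "$prof"; then
            echo "OK: $prof grants userns for $bin"
        else
            echo "WARNING: $prof is missing or has no userns rule; $bin will get EPERM creating a user namespace"
        fi
        if profile_loaded "$bin"; then
            echo "OK: a profile for $bin is loaded"
        else
            echo "WARNING: no profile for $bin is loaded (run: apparmor_parser -r $prof)"
        fi
    else
        echo "apparmor_restrict_unprivileged_userns is off or unsupported: AppArmor does not gate user namespaces here"
    fi
    echo "live probe: unshare -U from this shell is $(probe_userns)"
}

# Constructed sample log lines (not captured from a real host). Lines 1 and 3
# are userns denials; line 2 is an unrelated file denial and must not count.
SAMPLE_LOG='audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4242 comm="unshare" requested="userns_create" denied="userns_create"
audit: type=1400 audit(1700000000.002:102): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=4300 comm="firefox" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4250 comm="bwrap" requested="userns_create" denied="userns_create"'

diagnose "${1:-/usr/bin/rootlesskit}"
echo "userns denials in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_userns_denials)"
```

Run it as `sh check_userns.sh /usr/bin/rootlesskit`. Two points worth keeping in mind when reading the results: `flags=(unconfined)` in the quoted profile means rootlesskit is not otherwise restricted by AppArmor; the profile exists purely to carry the `userns,` rule that the sysctl demands. And a profile file on disk is not enough, since the kernel only honours what has been loaded (visible in /sys/kernel/security/apparmor/profiles), which is why the script checks both.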

Oh! I somehow missed this one; are we good, or are some changes still needed (for other distros)?

thaJeztah avatar Apr 12 '24 08:04 thaJeztah

IIUC, no action is needed.

AkihiroSuda avatar Apr 12 '24 18:04 AkihiroSuda