authorJohn Johansen <john.johansen@canonical.com>2022-09-10 02:00:09 +0300
committerJohn Johansen <john.johansen@canonical.com>2023-10-19 01:49:02 +0300
commitfa9b63adabcfa9b724120ef3352cf6fb82b4b9a5 (patch)
treedc093ea12c7ae548e981bc1f675d7f974a6366f0 /security/apparmor/include
parent2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (diff)
apparmor: add user namespace creation mediation
Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which blocks its legitimate use as for setting up a sandbox, allow control on a per domain basis. This allows an admin to quickly lock down a system while also still allowing legitimate use. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/apparmor.h1
-rw-r--r--security/apparmor/include/audit.h1
-rw-r--r--security/apparmor/include/task.h6
3 files changed, 8 insertions, 0 deletions
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index 8a81557c9d59..e2b759f24064 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -33,6 +33,7 @@
#define AA_CLASS_IO_URING 18
#define AA_CLASS_MODULE 19
#define AA_CLASS_DISPLAY_LSM 20
+#define AA_CLASS_NS 21
#define AA_CLASS_X 31
#define AA_CLASS_DBUS 32
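Review bot: `#define AA_CLASS_NS 21` joins the class table with no comment saying what it mediates, and the new `#define AA_USERNS_CREATE 8` in the task.h hunk has the same gap. These class and permission numbers appear to be part of the compiled-policy encoding shared with the userspace policy compiler, so a reader checking a profile against the kernel has nothing to tie 21 or bit 8 to user-namespace creation. Suggest `#define AA_CLASS_NS 21 /* user namespace mediation; request bits: AA_USERNS_CREATE (task.h) */` here and a matching one-line comment on AA_USERNS_CREATE in task.h.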
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 42d701fec5a6..095707e05b70 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -103,6 +103,7 @@ enum audit_type {
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"
+#define OP_USERNS_CREATE "userns_create"
struct apparmor_audit_data {
int error;
diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h
index 13945e2495f0..b1aaaf60fa8b 100644
--- a/security/apparmor/include/task.h
+++ b/security/apparmor/include/task.h
@@ -96,4 +96,10 @@ int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
u32 request);
+
+#define AA_USERNS_CREATE 8
+
+int aa_profile_ns_perm(struct aa_profile *profile,
+ struct apparmor_audit_data *ad, u32 request);
+
#endif /* __AA_TASK_H */
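Review bot: The new `aa_profile_ns_perm` prototype documents neither what `request` carries nor what it returns, although it is the entry point every user-namespace decision for the new class goes through. The adjacent `aa_may_ptrace` suggests the same convention (a mask of AA_USERNS_* bits in `request`, 0 when permitted and a negative errno on denial), but that is inferred from the neighbouring declaration rather than from this hunk and should be confirmed against the definition. Suggest a short comment above the prototype, e.g. `/* check @request (AA_USERNS_* bits) against @profile's AA_CLASS_NS rules; audits via @ad; returns 0 or -errno */`. It is also worth confirming that `struct apparmor_audit_data` is declared (or audit.h included) before this point in task.h; if not, the tag is scoped to the prototype alone and the compiler will warn that it does not match the caller's type.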