The LSMs respecting the nnp flag was actually mandated by Linus. So yes
it breaks apparmor.

Kernel 3.5: Tasks that have nnp block apparmor policy transitions except
for unconfined, as transitions in that case always result in reduced
permissions.

Kernel 4.13: Loosened these restrictions around stacking. That is, a
transition adding a new element to a stack was allowed, as that is
guaranteed to always reduce permissions. Ubuntu had this in Xenial (4.4)
kernels.

Kernel 4.17: AppArmor began tracking under what label nnp was set and
using that for profile transition tests. This improved the 4.13 stacking
test, making containers capable of transitioning policy in the container
as long as the host policy wasn't transitioned.


To do more, apparmor has to be able to override nnp. Selinux has managed to add
an nnp override permission and get it upstream; we are looking to do the same
with apparmor, but I have no timeline as to when it will land.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1844186/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
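An added illustration of the transition rules described in the comment above, written for this page and not AppArmor's own code: a small POSIX shell policy check that encodes the 3.5 rule (unconfined may transition), the 4.13 rule (adding an element to a stack may transition) and the 4.17 refinement (compare against the label under which nnp was set). It assumes AppArmor's `//&` stacked-label syntax and uses constructed profile names; `show_self` only reads the caller's own `/proc` entries.

```shell
#!/bin/sh
# Constructed example: decide whether an exec-time AppArmor profile transition
# would be blocked by no_new_privs under the rules the comment describes.
# Assumed label syntax: stacked labels join profile names with "//&", e.g.
# "lxc-container-default//&usr.bin.foo". Profile names below are made up.

# Return 0 when $2 equals $1 with one or more elements appended to the stack
# (a transition that only adds to the stack can only reduce permissions).
stack_adds_only() {
    base=$1; new=$2
    case "$new" in
        "$base"//\&*) return 0 ;;   # old stack is a strict prefix of the new one
    esac
    return 1
}

# transition_allowed NNP CURRENT TARGET [LABEL_WHEN_NNP_SET]
#   NNP is 0 or 1 (the NoNewPrivs value from /proc/<pid>/status).
#   The optional 4th argument models the 4.17 change: the comparison base is
#   the label the task had when nnp was set, not its current label.
# Exit 0 if the transition is permitted, 1 if nnp blocks it.
transition_allowed() {
    nnp=$1; cur=$2; target=$3; base=${4:-$cur}
    [ "$nnp" = "0" ] && return 0               # no nnp: normal policy decides
    [ "$cur" = "$target" ] && return 0          # same label: not a transition
    [ "$base" = "unconfined" ] && return 0      # 3.5: unconfined -> anything
    stack_adds_only "$base" "$target" && return 0  # 4.13/4.17: extend the stack
    return 1                                    # e.g. confined -> other profile
}

# Print the caller's own NoNewPrivs flag and AppArmor label (read-only checks).
show_self() {
    nnp=$(awk '/^NoNewPrivs:/ {print $2}' /proc/self/status 2>/dev/null)
    label=$(cat /proc/self/attr/apparmor/current 2>/dev/null ||
            cat /proc/self/attr/current 2>/dev/null)
    printf 'NoNewPrivs=%s label=%s\n' "${nnp:-unknown}" "${label:-unknown}"
}
```

Run `show_self` in a service unit with `NoNewPrivileges=yes` to see the flag set; feed that flag and the labels involved to `transition_allowed` to predict whether a `Px`/`px` style exec transition will be refused.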