Verification passed for jammy-linux-nvidia-6.5. I ran the AppArmor QA Regression Tests [1] checked file permissions for /proc/sys/kernel/*unprivileged*.
georgia@sec-jammy-amd64:~$ uname -a Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec 6 01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux georgia@sec-jammy-amd64:~$ ll /proc/sys/kernel/*unprivileged* -rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring -rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined -rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns -rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain -rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force -rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_bpf_disabled -rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_userns_apparmor_policy -rw-r--r-- 1 root root 0 Jan 12 14:09 /proc/sys/kernel/unprivileged_userns_clone georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py ..... ---------------------------------------------------------------------- Ran 62 tests in 1435.853s OK (skipped=2) [1] https://launchpad.net/qa-regression-testing ** Tags removed: verification-needed-jammy-linux-nvidia-6.5 ** Tags added: verification-done-jammy-linux-nvidia-6.5 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2040194 Title: apparmor restricts read access of user namespace mediation sysctls to root Status in linux package in Ubuntu: Fix Released Status in linux source package in Mantic: Fix Committed Bug description: lxc and lxd currently need to determine if the apparmor restriction on unprivileged user namespaces are being enforced, so that apparmor restrictions won't break lxc/d, and they won't clutter the logs by doing something like unshare true to test if the restrictions are being enforced. Ideally access to this information would be restricted so that any unknown access would be logged, but lxc/d currently aren't ready for this so in order to _not_ force lxc/d to probe whether enforcement is enabled, open up read access to the sysctls for unprivileged user namespace mediation. https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040194/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
