Merge ~alexmurray/ubuntu-cve-tracker:dump-features-add-apparmor-unprivileged-userns-restrictions into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: c934b16031ebb014191fc6b8cdb8bf461ee21c7d
Proposed branch: ~alexmurray/ubuntu-cve-tracker:dump-features-add-apparmor-unprivileged-userns-restrictions
Merge into: ubuntu-cve-tracker:master
Diff against target: 25 lines (+7/-0)
1 file modified
scripts/dump-features (+7/-0)
Reviewer Review Type Date Requested Status
Alex Murray Approve
John Johansen Pending
Review via email: mp+462914@code.launchpad.net

Description of the change

scripts/dump-features: add apparmor unprivileged userns restrictions

Signed-off-by: Alex Murray <email address hidden>

Alex Murray (alexmurray) wrote :

Updated to move this entry to sit under the existing AppArmor entry - https://pasteboard.co/a6YfpHbl8Ns2.png

Alex Murray (alexmurray) wrote :
review: Approve

Preview Diff

1diff --git a/scripts/dump-features b/scripts/dump-features
2index 4d49621..03df503 100755
3--- a/scripts/dump-features
4+++ b/scripts/dump-features
5@@ -143,6 +143,10 @@ Starting with Ubuntu 16.10, AppArmor can "stack" profiles so that the mediation
6
7 See [[https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py|test-apparmor.py]] and [[https://git.launchpad.net/qa-regression-testing/tree/scripts/test-kernel-security.py|test-kernel-security.py]] for regression tests.
8 ''' },
9+ { 'name':'apparmor-unprivileged-userns-restrictions', 'short':'AppArmor unprivileged user namespace restrictions',
10+ 'depth': 1,
11+ 'desc':
12+'''Starting with Ubuntu 23.10, AppArmor provides support for denying unprivileged applications the use of user namespaces. This prevents an unprivileged application from making use of a user namespace to gain access to additional capabilities and various kernel subsystems which present an additional attack surface. Applications which do require legitimate unprivileged access to user namespaces are designated by an appropriate AppArmor profile. Starting with Ubuntu 24.04 this is enabled by default.''' },
13 { 'name':'selinux', 'short':'SELinux',
14 'depth': 1,
15 'desc':
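Review bot: the new 'desc' for apparmor-unprivileged-userns-restrictions ends without any pointer to tests or documentation, whereas the AppArmor entry directly above it closes with a "See [[...]] for regression tests" line. If a regression test covers the user namespace restriction, link it the same way. The sentence "Applications which do require legitimate unprivileged access to user namespaces are designated by an appropriate AppArmor profile" would also benefit from a short reference to where that profile mechanism is documented, since the description does not say how an administrator grants the exception.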
16@@ -581,6 +585,9 @@ add_status('apparmor', 'impish', '3.0.3', DEFAULT)
17 add_status('apparmor', 'jammy', '3.0.4', DEFAULT)
18 add_status('apparmor', 'kinetic', '3.0.7', DEFAULT)
19
20+add_status('apparmor-unprivileged-userns-restrictions', 'mantic', 'kernel & userspace', AVAILABLE)
21+add_status('apparmor-unprivileged-userns-restrictions', 'noble', 'kernel & userspace', DEFAULT)
22+
23 add_status('selinux', 'hardy', 'universe', AVAILABLE)
24
25 add_status('smack', 'intrepid', 'kernel', AVAILABLE)
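Review bot: both added add_status() calls pass 'kernel & userspace' as the third argument, while the neighbouring calls in the context lines pass a single version or component ('3.0.7', 'universe', 'kernel'). Please confirm that the generated output renders the ampersand and the longer string cleanly in that column, or use a form such as 'kernel, userspace'. A short comment above the two lines noting that mantic ships the feature as AVAILABLE and noble as DEFAULT would tie them to the "Starting with Ubuntu 23.10" and "Starting with Ubuntu 24.04" wording in the description.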
