lp:~apparmor-dev/apparmor-kernel/+git/apparmor-kernel

Author: John Johansen
Author Date: 2023-10-11 07:48:13 UTC

UBUNTU: SAUCE: apparmor: open userns related sysctl so lxc can check if restriction are in place

BugLink: http://bugs.launchpad.net/bugs/2040194
https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restriction
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like

  unshare true

to test if the restrictions are being enforced.

Ideally access to this information would be restricted so that any
unknown access would be logged, but lxc/d currently aren't ready for
this so in order to _not_ force lxc/d to probe whether enforcement is
enabled, open up read access to the sysctls for unprivileged user
namespace mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>