author: John Johansen <john.johansen@canonical.com> 2022-09-09 16:00:09 -0700
committer: John Johansen <john.johansen@canonical.com> 2023-10-18 15:49:02 -0700
commit: fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5
tree: dc093ea12c7ae548e981bc1f675d7f974a6366f0 /security/apparmor/audit.c
parent: 2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc
apparmor: add user namespace creation mediation
Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which blocks its legitimate use as for setting up a sandbox, allow control on a per domain basis. This allows an admin to quickly lock down a system while also still allowing legitimate use.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/audit.c')
-rw-r--r-- security/apparmor/audit.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 6933cb2f679b..3b24f4a8c727 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -58,7 +58,7 @@ static const char *const aa_class_names[] = {
"io_uring",
"module",
"lsm",
- "unknown",
+ "namespace",
"unknown",
"unknown",
"unknown",
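Review bot: aa_class_names[] is a positional table, so the "namespace" string placed directly after "lsm" is only correct if the new mediation class has exactly the numeric value of that slot. The class definition is not part of this file-limited diff, so the two have to be checked against each other by hand. Consider switching the table to designated initializers keyed on the class constants, or at least adding a comment beside the entry stating which class value it names, so that a later insertion cannot silently shift a name onto the wrong class. It would also help to note in the commit message that wherever this table labels audit output, events for this class will now read "namespace" where they previously would have read "unknown", since log parsers and detection rules that match on the class name are affected by the rename.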