** No longer affects: linux (Ubuntu)

-- 
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2151842

Title:
  aa-rootns.c bypasses apparmor_restrict_unprivileged_userns

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Please find a way to stop
  https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo/blob/main/aa-rootns.c
  from working. See also
  https://bugs.launchpad.net/ubuntu/+source/kmod/+bug/2151831 but the
  apparmor_restrict_unprivileged_userns bypass is separate from the
  copy.fail or dirty frag vulnerabilities.

  This doesn't affect me because I disabled that sysctl to make unshare
  work, but a fix would reduce the attack surface for others. If a fix
  isn't readily available, then please disable that sysctl to reduce
  inconvenience and the illusion of security.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2151842/+subscriptions