apparmor: add user namespace creation mediation - kernel

diff options

author	John Johansen <[email protected]>	2022-09-09 23:00:09 +0000
committer	John Johansen <[email protected]>	2023-10-18 22:49:02 +0000
commit	fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5 (patch)
tree	dc093ea12c7ae548e981bc1f675d7f974a6366f0 /drivers/gpu/drm/amd/amdgpu/atom.c
parent	apparmor: allow restricting unprivileged change_profile (diff)
download	kernel-fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5.tar.gz kernel-fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5.zip

apparmor: add user namespace creation mediation

Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which blocks its legitimate use as for setting up a sandbox, allow control on a per domain basis. This allows an admin to quickly lock down a system while also still allowing legitimate use. Reviewed-by: Georgia Garcia <[email protected]> Signed-off-by: John Johansen <[email protected]>

Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/atom.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: