diff options
| author | John Johansen <[email protected]> | 2022-09-09 23:00:09 +0000 |
|---|---|---|
| committer | John Johansen <[email protected]> | 2023-10-18 22:49:02 +0000 |
| commit | fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5 (patch) | |
| tree | dc093ea12c7ae548e981bc1f675d7f974a6366f0 /security/apparmor/audit.c | |
| parent | apparmor: allow restricting unprivileged change_profile (diff) | |
| download | kernel-fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5.tar.gz kernel-fa9b63adabcfa9b724120ef3352cf6fb82b4b9a5.zip | |
apparmor: add user namespace creation mediation
Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.
This allows an admin to quickly lock down a system while also still
allowing legitimate use.
Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>
Diffstat (limited to 'security/apparmor/audit.c')
| -rw-r--r-- | security/apparmor/audit.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 6933cb2f679b..3b24f4a8c727 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -58,7 +58,7 @@ static const char *const aa_class_names[] = { "io_uring", "module", "lsm", - "unknown", + "namespace", "unknown", "unknown", "unknown", |