Add sysctl_kernel_apparmor_restrict_unprivileged_unconfined rule #14769

Open

israel-villar wants to merge 3 commits into ComplianceAsCode:master from israel-villar:feat/apparmor-sysctl-restrict-unprivileged

Conversation

@israel-villar

Contributor

Add a new rule and variable to enforce
kernel.apparmor_restrict_unprivileged_unconfined=1 via the sysctl template. This sysctl prevents unprivileged processes from loading AppArmor profiles without confinement, reducing the local attack surface. Map the new rule to the apparmor component.

Description:

  • Add new rule sysctl_kernel_apparmor_restrict_unprivileged_unconfined
    and its associated variable
    sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var
    to enforce kernel.apparmor_restrict_unprivileged_unconfined=1.
  • Uses the sysctl template.
  • Map the new rule to the apparmor component.

Rationale:

  • When kernel.apparmor_restrict_unprivileged_unconfined is set to 1,
    unprivileged processes are prevented from loading AppArmor profiles
    without confinement. This reduces the local attack surface by limiting
    what an unprivileged user can do with AppArmor.

Review Hints:

  • One new rule directory and one .var file under
    linux_os/guide/system/permissions/restrictions/.
  • Build to verify: ./build_product debian13 --datastream-only
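The rule described above is generated from the sysctl template, so the useful thing to understand is what such a rule actually verifies and fixes: the persistent value of kernel.apparmor_restrict_unprivileged_unconfined as resolved across sysctl.d-style drop-in files (where the last assignment wins), and the live value under /proc/sys. The script below is an added example written for this page, not the template's generated output or any code from the PR; the file tree it builds in demo_tree() is constructed, and the directory layout and drop-in names are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode's own template output: a check and a
# remediation for kernel.apparmor_restrict_unprivileged_unconfined that work
# the way a sysctl rule does, resolving the persistent value across
# sysctl.d-style drop-in files (last assignment wins) and reading the live
# value from /proc/sys. The files built in demo_tree() are constructed.

KEY="kernel.apparmor_restrict_unprivileged_unconfined"
EXPECTED="1"

# Print the persistent value of $1 as set by the config files that follow,
# processed in the order given; an empty result means no file sets it.
resolve_sysctl_value() {
  local key="$1"; shift
  local value="" f line k v
  for f in "$@"; do
    [ -r "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      line="${line%%#*}"; line="${line%%;*}"       # drop comments
      case "$line" in *=*) ;; *) continue ;; esac  # skip non-assignments
      # sysctl accepts "a.b.c" and "a/b/c"; normalise to dots
      k="$(printf '%s' "${line%%=*}" | tr -d '[:space:]' | tr '/' '.')"
      v="$(printf '%s' "${line#*=}" | tr -d '[:space:]')"
      k="${k#-}"                                   # "-key" means ignore errors
      [ "$k" = "$key" ] && value="$v"
    done < "$f"
  done
  printf '%s' "$value"
}

# Succeed only when the persistent configuration yields the expected value.
check_persistent() {
  [ "$(resolve_sysctl_value "$KEY" "$@")" = "$EXPECTED" ]
}

# Live value from /proc/sys; returns 2 when the kernel does not expose the
# knob at all (not every kernel carries it), which is a separate finding.
check_runtime() {
  local node
  node="/proc/sys/$(printf '%s' "$KEY" | tr '.' '/')"
  [ -r "$node" ] || return 2
  [ "$(cat "$node")" = "$EXPECTED" ]
}

# Remediate the persistent setting: strip every other assignment of the key
# from the given files, then make a dedicated drop-in ($1) authoritative.
remediate_persistent() {
  local dropin="$1"; shift
  local key_re f tmp
  key_re="$(printf '%s' "$KEY" | sed 's/\./[.\/]/g')"   # match "." or "/"
  for f in "$@"; do
    [ -f "$f" ] || continue
    tmp="$f.tmp.$$"
    grep -v -E "^[[:space:]]*-?${key_re}[[:space:]]*=" "$f" > "$tmp" || true
    mv "$tmp" "$f"
  done
  printf '%s = %s\n' "$KEY" "$EXPECTED" > "$dropin"
}

# Constructed tree: a vendor file enables the setting, a later local drop-in
# turns it back off, which is the misconfiguration a scanner must flag.
demo_tree() {
  local d; d="$(mktemp -d)"
  mkdir -p "$d/usr/lib/sysctl.d" "$d/etc/sysctl.d"
  printf '%s = 1\n' "$KEY" > "$d/usr/lib/sysctl.d/10-apparmor.conf"
  printf '# local override\n%s = 0\n' "$KEY" > "$d/etc/sysctl.d/99-local.conf"
  printf '%s\n' "$d"
}

# Check, remediate on failure, re-check; prints PASS/FAIL like a scan would.
demo() {
  local d files
  d="$(demo_tree)"
  files="$d/usr/lib/sysctl.d/10-apparmor.conf $d/etc/sysctl.d/99-local.conf"
  # shellcheck disable=SC2086  (word splitting on the file list is intended)
  if check_persistent $files; then
    echo "PASS"
  else
    echo "FAIL: persistent value is '$(resolve_sysctl_value "$KEY" $files)'"
    remediate_persistent "$d/etc/sysctl.d/99-cac.conf" $files
    check_persistent $files "$d/etc/sysctl.d/99-cac.conf" && echo "PASS after remediation"
  fi
  rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `bash check.sh demo`. The point of the two-file demo is the failure mode the template's check has to handle: a vendor file setting the value correctly is not enough if a later drop-in overrides it, so the check must resolve the whole ordered set of files rather than grep for any matching line, and the remediation has to remove competing assignments before writing its own.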

Add a new rule and variable to enforce
kernel.apparmor_restrict_unprivileged_unconfined=1 via the sysctl
template. This sysctl prevents unprivileged processes from loading
AppArmor profiles without confinement, reducing the local attack surface.
Map the new rule to the apparmor component.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@openshift-ci

openshift-ci Bot commented Jun 5, 2026


Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci Bot added the needs-ok-to-test label Jun 5, 2026
options:
default: 1
1: "1"
2: "2"

Collaborator


Is 2 a valid value for this sysctl item? Shouldn't the choice be 0 and 1?

Contributor Author


You are right, kernel.apparmor_restrict_unprivileged_unconfined is a boolean: 0 (disabled) and 1 (enabled). The value 2 was mistakenly copied from a similar variable (sysctl_kernel_unprivileged_bpf_disabled) that does accept 1 and 2. Fixed in the latest commit.

jan-cerny self-assigned this Jun 8, 2026
… options

Replace invalid value 2 with 0; this sysctl is a boolean (0=disabled,
1=enabled) and 2 is not a valid kernel value.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jan-cerny

Collaborator

@israel-villar CI fails

102/261 Test #100: components .......................................................***Failed    0.70 sec
Rule 'sysctl_kernel_apparmor_restrict_unprivileged_unconfined' must be assigned to component 'kernel', because all rules using template 'sysctl' must be assigned to component 'kernel'.

jan-cerny added this to the 0.1.82 milestone Jun 9, 2026
…l component

Rules using the sysctl template must be assigned to the kernel component.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@israel-villar

Contributor Author

@israel-villar CI fails

102/261 Test #100: components .......................................................***Failed    0.70 sec
Rule 'sysctl_kernel_apparmor_restrict_unprivileged_unconfined' must be assigned to component 'kernel', because all rules using template 'sysctl' must be assigned to component 'kernel'.

Moved sysctl_kernel_apparmor_restrict_unprivileged_unconfined from components/apparmor.yml to components/kernel.yml
