From 4ceb89072312ceba088af9271cc1287fab074aa3 Mon Sep 17 00:00:00 2001 From: Israel Villar Boillos Date: Fri, 5 Jun 2026 21:10:27 +0100 Subject: [PATCH 1/3] Add sysctl_kernel_apparmor_restrict_unprivileged_unconfined rule Add a new rule and variable to enforce kernel.apparmor_restrict_unprivileged_unconfined=1 via the sysctl template. This sysctl prevents unprivileged processes from loading AppArmor profiles without confinement, reducing the local attack surface. Map the new rule to the apparmor component. Co-Authored-By: Claude Sonnet 4.6 --- components/apparmor.yml | 1 + .../rule.yml | 27 +++++++++++++++++++ ...restrict_unprivileged_unconfined_value.var | 17 ++++++++++++ 3 files changed, 45 insertions(+) create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var diff --git a/components/apparmor.yml b/components/apparmor.yml index 9f2e000260e9..770f9d537214 100644 --- a/components/apparmor.yml +++ b/components/apparmor.yml @@ -12,3 +12,4 @@ rules: - package_apparmor_installed - package_apparmor-utils_installed - package_pam_apparmor_installed +- sysctl_kernel_apparmor_restrict_unprivileged_unconfined diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml new file mode 100644 index 000000000000..8a9a50f70d4c --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml 
@@ -0,0 +1,27 @@ +documentation_complete: true + +title: 'Enable kernel.apparmor_restrict_unprivileged_unconfined' + +description: '{{{ describe_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}' + +rationale: |- + Restricting unprivileged unconfined processes with AppArmor reduces the + attack surface available to local users and helps enforce additional + kernel-level hardening. + +severity: medium + +{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}} + +fixtext: |- + Configure {{{ full_name }}} to enable AppArmor restrictions for + unprivileged unconfined processes. + {{{ fixtext_sysctl("kernel.apparmor_restrict_unprivileged_unconfined", "1") | indent(4) }}} + +platform: system_with_kernel + +template: + name: sysctl + vars: + sysctlvar: kernel.apparmor_restrict_unprivileged_unconfined + datatype: int diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var new file mode 100644 index 000000000000..bc933c4a36d9 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var @@ -0,0 +1,17 @@ +documentation_complete: true + +title: kernel.apparmor_restrict_unprivileged_unconfined + +description: |- + Prevent unprivileged and unconfined processes. + +type: number + +operator: equals + +interactive: false + +options: + default: 1 + 1: "1" + 2: "2" From 74e120ef166488d57232f7f47c4f9782b3bc44d6 Mon Sep 17 00:00:00 2001 
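Review bot: `platform: system_with_kernel` makes the rule applicable to every Linux product built from this content, but as far as I can tell `kernel.apparmor_restrict_unprivileged_unconfined` is only exposed by kernels carrying the AppArmor patches Ubuntu ships, so on other distributions the OVAL check will fail and the `sysctl -w` in the remediation will error out. Confirm which kernels actually expose the knob and narrow the platform accordingly, e.g. `platform: package[apparmor]` or the specific product set — check the project's CPE platform definitions for the exact spelling. The rationale is also generic ("reduces the attack surface ... helps enforce additional kernel-level hardening") and should state what the knob restricts; note the commit message describes it as preventing unprivileged processes from *loading* profiles, which does not match my understanding that it stops unprivileged unconfined processes from changing their own AppArmor profile, so verify the semantics against the AppArmor/Ubuntu documentation before writing them into the rationale, and add a `references:` entry pointing at that documentation.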
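Review bot: The variable's description `Prevent unprivileged and unconfined processes.` is not a sentence and does not say what the value selects, which is what a profile author reading the XCCDF value needs. Something like `Value for kernel.apparmor_restrict_unprivileged_unconfined; 1 restricts unprivileged unconfined processes from changing their AppArmor confinement, 0 leaves the restriction off.` would do, adjusted to whatever the verified semantics are.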
From: Israel Villar Boillos Date: Mon, 8 Jun 2026 19:17:04 +0100 Subject: [PATCH 2/3] Fix sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var options Replace invalid value 2 with 0; this sysctl is a boolean (0=disabled, 1=enabled) and 2 is not a valid kernel value. Co-Authored-By: Claude Sonnet 4.6 --- ...l_kernel_apparmor_restrict_unprivileged_unconfined_value.var | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var index bc933c4a36d9..3a26de30e60a 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var @@ -13,5 +13,5 @@ interactive: false options: default: 1 + 0: "0" 1: "1" - 2: "2" From 6fa5a16e4b467a40a66186593ed8c0bf27cf3b31 Mon Sep 17 00:00:00 2001 From: Israel Villar Boillos Date: Tue, 9 Jun 2026 22:00:21 +0100 Subject: [PATCH 3/3] Move sysctl_kernel_apparmor_restrict_unprivileged_unconfined to kernel component Rules using the sysctl template must be assigned to the kernel component. Co-Authored-By: Claude Sonnet 4.6 --- components/apparmor.yml | 2 +- components/kernel.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/components/apparmor.yml b/components/apparmor.yml index 770f9d537214..1555f4ad7504 100644 --- a/components/apparmor.yml +++ b/components/apparmor.yml @@ -12,4 +12,4 @@ rules: - package_apparmor_installed - package_apparmor-utils_installed - package_pam_apparmor_installed -- sysctl_kernel_apparmor_restrict_unprivileged_unconfined + diff --git a/components/kernel.yml b/components/kernel.yml index ef50ac95e91e..08aeeb0c1d2e 100644 --- a/components/kernel.yml +++ b/components/kernel.yml 
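Review bot: Keeping `0: "0"` as a selectable option lets a profile refine the variable to the value that switches the restriction off, while the rule's title, `describe_sysctl_option_value(..., value="1")` description and `fixtext_sysctl(..., "1")` all hardcode `1`, so a tailored profile would pass the check while the rendered guidance contradicts it. For a boolean hardening knob with a single acceptable value, either drop the variable and set `sysctlval: 1` under `template.vars` (the sysctl template only falls back to the `sysctl_<name>_value` variable when `sysctlval` is absent, as far as I recall — confirm against the template documentation), or keep `1` as the only option.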
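Review bot: The hunk header `@@ -12,4 +12,4 @@` shows the rule entry in components/apparmor.yml is replaced by an added empty line (`+ `) rather than removed, leaving a stray blank or whitespace-only line at the end of the file that yamllint will flag. Make it a pure deletion so the hunk reads `@@ -12,4 +12,3 @@` with only the `-- sysctl_kernel_apparmor_restrict_unprivileged_unconfined` line.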
@@ -132,6 +132,7 @@ rules:
 - sysctl_fs_protected_regular
 - sysctl_fs_protected_symlinks
 - sysctl_fs_suid_dumpable
+- sysctl_kernel_apparmor_restrict_unprivileged_unconfined
 - sysctl_kernel_core_pattern
 - sysctl_kernel_core_pattern_empty_string
 - sysctl_kernel_core_uses_pid