Understanding AppArmor User Namespace Restriction


AppArmor is a Linux kernel security module that confines programs with per-program profiles. Starting with Ubuntu 23.10, and on by default since Ubuntu 24.04, Ubuntu uses AppArmor to restrict unprivileged user namespaces: an unconfined process can no longer create a user namespace unless a profile explicitly grants it. The point is to shrink the kernel attack surface reachable by unprivileged users, since many recent local privilege escalations needed a user namespace to reach code paths that are otherwise root-only. Qualys has since published bypasses of the restriction, so treat it as a hardening measure, not a security boundary.

You Should Know:

1. Check AppArmor Status

Verify if AppArmor is enabled:

sudo apparmor_status 

2. Enforce User Namespace Restrictions

Ubuntu enables the restriction through a sysctl rather than inside individual profiles; profiles only grant exceptions with a `userns,` rule. Confirm the sysctl is 1 and list the shipped profiles that grant user namespaces explicitly (each of those is an exception worth knowing about):

sysctl kernel.apparmor_restrict_unprivileged_userns
grep -rl userns /etc/apparmor.d/

3. Disable Unprivileged User Namespaces Entirely (sysctl)

If you do not need AppArmor's per-program exceptions, turn unprivileged user namespaces off at the kernel level. This is a runtime sysctl, not a boot parameter. `kernel.unprivileged_userns_clone` exists only on Debian/Ubuntu-patched kernels; the upstream equivalent is `user.max_user_namespaces=0`. Either setting can break software that relies on user namespaces (Flatpak/bwrap, rootless Podman and Docker, Chrome and Electron sandboxes), so test it before rolling it out:

sudo sysctl -w kernel.unprivileged_userns_clone=0

Make it persistent:

echo "kernel.unprivileged_userns_clone=0" | sudo tee /etc/sysctl.d/99-disable-unprivileged-userns.conf 
sudo sysctl -p /etc/sysctl.d/99-disable-unprivileged-userns.conf 

4. Custom AppArmor Profile for User Namespace Restrictions

Create a custom profile (`/etc/apparmor.d/no-unpriv-userns`). Note that a bare `userns,` rule ALLOWS user namespace creation; to block it the rule must be `deny userns,`. The `userns` rule class requires ABI 4.0, and `@{pid}` comes from the global tunables (the original path was garbled and is reconstructed here with that tunable):

abi <abi/4.0>,
include <tunables/global>

profile no-unpriv-userns flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>

  # Block creation of user namespaces.
  deny userns,

  # Also block joining another process's user namespace via setns() on its ns handle,
  # and writes to the uevent helper path.
  deny /proc/@{pid}/ns/user rw,
  deny /sys/kernel/uevent_helper rw,
}

Load the profile:

sudo apparmor_parser -r /etc/apparmor.d/no-unpriv-userns

The profile has no attachment path, so loading it confines nothing by itself; either add the path of the binary to confine after the profile name, or start a command under it with `aa-exec -p no-unpriv-userns`.

5. Verify User Namespace Blocking

Test whether unprivileged user namespaces can be created:

unshare --user /bin/bash

What you see depends on which layer blocks it. With the sysctl hard-off from step 3, `unshare` fails with "Operation not permitted" and nothing is logged by AppArmor. With only the AppArmor restriction active, the kernel logs a denial with `operation="userns_create"`. One caveat: Ubuntu ships a profile for `unshare` itself (`/etc/apparmor.d/unshare`) that grants `userns,`, so on a stock 24.04 install this command can succeed even though the restriction is on; to test the restriction, use a binary that has no profile or run the command under the custom profile from step 4.

6. Monitor AppArmor Denials

Check logs for denials:

sudo dmesg | grep apparmor 

Or use `aa-logprof` to update profiles:

sudo aa-logprof 
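The six steps above, as one added worked example (not part of the original article or of the AppArmor project): a POSIX shell script that reads the three sysctls gating unprivileged user namespaces, classifies the effective policy, and reduces `userns_create` denials from the kernel log to comm/profile pairs so you can see which binaries are hitting the restriction. The audit lines in SAMPLE_LOG are constructed for illustration; the sysctl names are the ones Ubuntu 24.04 exposes, and `kernel.unprivileged_userns_clone` is reported as absent on kernels without the Debian/Ubuntu patch.

```shell
#!/bin/sh
# Added example (not from the original article): audit how unprivileged user
# namespaces are gated on this host and triage the AppArmor denials they cause.

# Read a sysctl via /proc so the script works without the procps binary.
# Prints "absent" when this kernel does not expose the key.
sysctl_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Classify the effective policy from the three relevant knobs:
#   $1 kernel.unprivileged_userns_clone              (0 = hard off; Debian/Ubuntu patch)
#   $2 user.max_user_namespaces                      (0 = hard off; upstream)
#   $3 kernel.apparmor_restrict_unprivileged_userns  (1 = mediated by AppArmor)
# Prints one of: hard-off, apparmor-mediated, open
userns_policy() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then
        echo hard-off
    elif [ "$3" = 1 ]; then
        echo apparmor-mediated
    else
        echo open
    fi
}

# Reduce AppArmor userns_create denials on stdin to "comm profile" lines.
# Filtering on the operation ignores unrelated file or capability denials.
userns_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="userns_create"' |
    while IFS= read -r line; do
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        profile=$(printf '%s\n' "$line" | sed -n 's/.*profile="\([^"]*\)".*/\1/p')
        printf '%s %s\n' "${comm:-?}" "${profile:-?}"
    done
}

# Constructed sample log: two userns denials and one unrelated file denial.
SAMPLE_LOG='audit: type=1400 audit(1700000000.001:10): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4242 comm="unshare" requested="userns_create" denied="userns_create"
audit: type=1400 audit(1700000000.002:11): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=4243 comm="firefox" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.003:12): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=4244 comm="python3" requested="userns_create" denied="userns_create"'

main() {
    clone=$(sysctl_value kernel.unprivileged_userns_clone)
    maxns=$(sysctl_value user.max_user_namespaces)
    aa=$(sysctl_value kernel.apparmor_restrict_unprivileged_userns)
    printf 'unprivileged_userns_clone=%s max_user_namespaces=%s apparmor_restrict=%s -> %s\n' \
        "$clone" "$maxns" "$aa" "$(userns_policy "$clone" "$maxns" "$aa")"

    echo "userns_create denials in sample log (comm profile):"
    printf '%s\n' "$SAMPLE_LOG" | userns_denials
    # On a live host, feed the real ring buffer instead:  sudo dmesg | userns_denials
}

main
```

Run it as a normal user; the policy line tells you whether a failing `unshare --user` is explained by the kernel (hard-off, no AppArmor log entry) or by AppArmor (mediated, look for the denial), and the denial summary shows which commands are tripping the restriction and under which profile, which is what decides whether the fix is a `userns,` exception in a profile or leaving the program blocked.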

What Undercode Say

Ubuntu's move to restrict unprivileged user namespaces via AppArmor removes a large class of kernel attack surface from unprivileged users and makes container escapes and privilege escalation harder. It is a mitigation rather than a boundary, as the published bypasses show, so sysadmins should decide deliberately between AppArmor mediation with per-program exceptions and a kernel-level hard-off via sysctl, and should monitor denials to catch both blocked attacks and broken software.

Expected Output:

  • AppArmor denials with `operation="userns_create"` in `dmesg` when the restriction is AppArmor-mediated and an unprofiled program tries to create a user namespace.
  • `unshare` failing with "Operation not permitted" (and no AppArmor log entry) when unprivileged user namespaces are disabled via sysctl.
  • The setting surviving reboot through the `/etc/sysctl.d/` drop-in.

References:

Reported By: Maxime Belair – Hackers Feeds