From 4ceb89072312ceba088af9271cc1287fab074aa3 Mon Sep 17 00:00:00 2001
From: Israel Villar Boillos
Date: Fri, 5 Jun 2026 21:10:27 +0100
Subject: [PATCH] Add sysctl_kernel_apparmor_restrict_unprivileged_unconfined rule

Add a new rule and variable to enforce kernel.apparmor_restrict_unprivileged_unconfined=1 via the sysctl template. This sysctl prevents unprivileged processes from loading AppArmor profiles without confinement, reducing the local attack surface. Map the new rule to the apparmor component.

Co-Authored-By: Claude Sonnet 4.6
---
 components/apparmor.yml | 1 +
 .../rule.yml | 27 +++++++++++++++++++
 ...restrict_unprivileged_unconfined_value.var | 17 ++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var

diff --git a/components/apparmor.yml b/components/apparmor.yml
index 9f2e000260e9..770f9d537214 100644
--- a/components/apparmor.yml
+++ b/components/apparmor.yml
@@ -12,3 +12,4 @@ rules:
 - package_apparmor_installed
 - package_apparmor-utils_installed
 - package_pam_apparmor_installed
+- sysctl_kernel_apparmor_restrict_unprivileged_unconfined
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml
new file mode 100644
index 000000000000..8a9a50f70d4c
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Enable kernel.apparmor_restrict_unprivileged_unconfined'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}'
+
+rationale: |-
+    Restricting unprivileged unconfined processes with AppArmor reduces the
+    attack surface available to local users and helps enforce additional
+    kernel-level hardening.
+
+severity: medium
+
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}
+
+fixtext: |-
+    Configure {{{ full_name }}} to enable AppArmor restrictions for
+    unprivileged unconfined processes.
+    {{{ fixtext_sysctl("kernel.apparmor_restrict_unprivileged_unconfined", "1") | indent(4) }}}
+
+platform: system_with_kernel
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: kernel.apparmor_restrict_unprivileged_unconfined
+        datatype: int
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var
new file mode 100644
index 000000000000..bc933c4a36d9
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: kernel.apparmor_restrict_unprivileged_unconfined
+
+description: |-
+    Prevent unprivileged and unconfined processes.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+    default: 1
+    1: "1"
+    2: "2"
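Review bot: `platform: system_with_kernel` makes the rule applicable to every kernel, but the `kernel.apparmor_restrict_unprivileged_unconfined` knob is, as far as I know, present only on kernels carrying the Ubuntu AppArmor patches; on any other kernel the check fails and the generated `sysctl -w` remediation errors out instead of the rule being reported not applicable. Narrow applicability to the products or CPE platform where the sysctl exists (an AppArmor-based platform such as `platform: package[apparmor]`, if that matches the project's conventions), or state the restriction in the rule's description. The `description`, OCIL entry and `fixtext` all hardcode `value="1"` while the accompanying `_value.var` offers options `1` and `2`, so a profile selecting `2` is checked against a value the prose never mentions; if `1` is the only meaningful setting, pin it with `sysctlval: "1"` under `template.vars` and drop the variable. The rationale should also say concretely what the knob restricts rather than the generic `reduces the attack surface`, since that is what an auditor reviewing the control needs to evaluate it.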
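Review bot: `options:` offers `2: "2"` next to `1: "1"`, but nothing in the change shows that the kernel accepts a value other than 0 or 1 for `kernel.apparmor_restrict_unprivileged_unconfined`; if the knob is boolean, as I believe it is on Ubuntu kernels, selecting `2` yields a rule that can never pass and a remediation that writes an unsupported value. Either drop the `2` option or add a comment citing the kernel documentation that defines that value. The description `Prevent unprivileged and unconfined processes.` is a fragment that does not say what the variable holds; suggest `Value to which kernel.apparmor_restrict_unprivileged_unconfined is set; 1 enables the restriction on unprivileged unconfined processes.`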