[lxc-devel] [PATCH] apparmor: deny writes to most of /proc/sys
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Apr 1 23:14:17 UTC 2014
Allow writes to kernel.shm*, net.*, kernel/domainname and
kernel/hostname.
Also fix a bug in the lxc-generate-aa-rules.py script, in a
code path which wasn't being exercised before, which returned a
path element rather than its child.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/apparmor/abstractions/container-base | 36 +++++++++++++++++++++++++----
config/apparmor/container-rules | 36 +++++++++++++++++++++++++----
config/apparmor/container-rules.base | 5 +++-
config/apparmor/lxc-generate-aa-rules.py | 8 +++++--
4 files changed, 74 insertions(+), 11 deletions(-)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index d094aab..6221a73 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -44,10 +44,38 @@
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
# generated by: lxc-generate-aa-rules.py container-rules.base
- deny /proc/sys/kernel/[^s]*{,/**} wklx,
- deny /proc/sys/kernel/s[^h]*{,/**} wklx,
- deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
- deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys//[^kn]*{,/**} wklx,
+ deny /proc/sys//k[^e]*{,/**} wklx,
+ deny /proc/sys//ke[^r]*{,/**} wklx,
+ deny /proc/sys//ker[^n]*{,/**} wklx,
+ deny /proc/sys//kern[^e]*{,/**} wklx,
+ deny /proc/sys//kerne[^l]*{,/**} wklx,
+ deny /proc/sys//kernel/[^shd]*{,/**} wklx,
+ deny /proc/sys//kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys//kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys//kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys//kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys//kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys//kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys//kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys//kernel/domainname?*{,/**} wklx,
+ deny /proc/sys//kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys//kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys//kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys//kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys//kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys//kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys//kernel/hostname?*{,/**} wklx,
+ deny /proc/sys//kernel/s[^h]*{,/**} wklx,
+ deny /proc/sys//kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/shm*/** wklx,
+ deny /proc/sys//kernel?*{,/**} wklx,
+ deny /proc/sys//n[^e]*{,/**} wklx,
+ deny /proc/sys//ne[^t]*{,/**} wklx,
+ deny /proc/sys//net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
diff --git a/config/apparmor/container-rules b/config/apparmor/container-rules
index 47dd4c2..9bb6c7b 100644
--- a/config/apparmor/container-rules
+++ b/config/apparmor/container-rules
@@ -1,8 +1,36 @@
# generated by: lxc-generate-aa-rules.py container-rules.base
- deny /proc/sys/kernel/[^s]*{,/**} wklx,
- deny /proc/sys/kernel/s[^h]*{,/**} wklx,
- deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
- deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys//[^kn]*{,/**} wklx,
+ deny /proc/sys//k[^e]*{,/**} wklx,
+ deny /proc/sys//ke[^r]*{,/**} wklx,
+ deny /proc/sys//ker[^n]*{,/**} wklx,
+ deny /proc/sys//kern[^e]*{,/**} wklx,
+ deny /proc/sys//kerne[^l]*{,/**} wklx,
+ deny /proc/sys//kernel/[^shd]*{,/**} wklx,
+ deny /proc/sys//kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys//kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys//kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys//kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys//kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys//kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys//kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys//kernel/domainname?*{,/**} wklx,
+ deny /proc/sys//kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys//kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys//kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys//kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys//kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys//kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys//kernel/hostname?*{,/**} wklx,
+ deny /proc/sys//kernel/s[^h]*{,/**} wklx,
+ deny /proc/sys//kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys//kernel/shm*/** wklx,
+ deny /proc/sys//kernel?*{,/**} wklx,
+ deny /proc/sys//n[^e]*{,/**} wklx,
+ deny /proc/sys//ne[^t]*{,/**} wklx,
+ deny /proc/sys//net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
diff --git a/config/apparmor/container-rules.base b/config/apparmor/container-rules.base
index e16d874..6b578ba 100644
--- a/config/apparmor/container-rules.base
+++ b/config/apparmor/container-rules.base
@@ -6,5 +6,8 @@ block /sys
allow /sys/fs/cgroup/**
allow /sys/devices/virtual/net/**
allow /sys/class/net/**
-block /proc/sys/kernel
+block /proc/sys/
allow /proc/sys/kernel/shm*
+allow /proc/sys/kernel/hostname
+allow /proc/sys/kernel/domainname
+allow /proc/sys/net/**
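Review bot: The trailing slash in the new `block /proc/sys/` line is copied verbatim into every generated pattern, which is why the two generated hunks above read `/proc/sys//kernel/...` while the neighbouring `/sys/` rules carry a single slash. As far as I know apparmor_parser collapses repeated slashes, so the profile still loads, but the doubled separator makes the generated rules harder to audit and to diff against the `/sys` entries; `block /proc/sys` keeps the output uniform, as the existing `block /sys` line already demonstrates. The new `allow /proc/sys/net/**` opens the whole net sysctl tree for writes; a short comment beside it such as `# net.* sysctls are per network namespace, so only the container's own netns is affected` would record the assumption that makes that acceptable and should be confirmed against the kernels being targeted.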
diff --git a/config/apparmor/lxc-generate-aa-rules.py b/config/apparmor/lxc-generate-aa-rules.py
index 34518cf..66fca41 100755
--- a/config/apparmor/lxc-generate-aa-rules.py
+++ b/config/apparmor/lxc-generate-aa-rules.py
@@ -25,11 +25,14 @@ def add_block(path):
return
blocks.append({'path': path.strip(), 'children': []})
-
+# @prev is an array of dicts which containing 'path' and
+# 'children'. @path is a string. We are looking for an entry
+# in @prev which contains @path, and will return it's
+# children array.
def child_get(prev, path):
for p in prev:
if p['path'] == path:
- return p
+ return p['children']
return None
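Review bot: The comment added above `child_get` has two wording slips, `which containing` and `it's children`, and since it states the function's contract it reads better as a docstring inside the function, e.g. `"""Return the 'children' list of the entry in prev whose 'path' equals path, or None when no entry matches."""`. The `return None` fall-through means every caller must check for None before iterating the result, which is worth saying in that docstring as well. add_block's body at the top of the hunk begins outside it.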
@@ -40,6 +43,7 @@ def add_allow(path):
l = len(b['path'])
if len(path) <= l:
continue
+ # TODO - should we find the longest match?
if path[0:l] == b['path']:
found = b
break
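Review bot: The comparison at `if path[0:l] == b['path']:` answers the new TODO in the wrong direction: it takes the first block whose path is a plain string prefix of the allow path and then breaks, so with nested blocks such as `/proc` and `/proc/sys` the allow is attached to whichever block was declared first, and a bare prefix also lets `block /sys` capture an unrelated `allow /system/...` entry. Keeping the longest match instead of breaking on the first, `if path.startswith(b['path']) and (found is None or l > len(found['path'])): found = b` with the `break` dropped, resolves the TODO, assuming `found` is initialised to None above the hunk; comparing against `b['path'].rstrip('/') + '/'` would additionally respect path-component boundaries. add_allow's signature and the remainder of its body lie outside the hunk, so the handling of `found` after the loop is inferred here.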
--
1.9.1