[lxc-devel] [PATCH] apparmor: deny writes to most of /proc/sys

Stéphane Graber stgraber at ubuntu.com
Wed Apr 2 01:25:29 UTC 2014


On Tue, Apr 01, 2014 at 08:17:44PM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > ^ Looks like you want /proc/sys instead to avoid the // in the output.
> 
> Good point (though it shouldn't hurt anything), here's an update:
> 
> From 60ac73c8f58354917c06e446035038ae3f84d5c3 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> Date: Wed, 2 Apr 2014 01:03:07 +0200
> Subject: [PATCH 1/1] apparmor: deny writes to most of /proc/sys (v2)
> 
> Allow writes to kernel.shm*, net.*, kernel/domainname and
> kernel/hostname.
> 
> Also fix a bug in the lxc-generate-aa-rules.py script in a
> path which wasn't being exercised before, which returned a
> path element rather than its child.
> 
> Changelog (v2): remove trailing / from block path
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  config/apparmor/abstractions/container-base | 30 ++++++++++++++++++++++++++++-
>  config/apparmor/container-rules             | 30 ++++++++++++++++++++++++++++-
>  config/apparmor/container-rules.base        |  5 ++++-
>  config/apparmor/lxc-generate-aa-rules.py    |  8 ++++++--
>  4 files changed, 68 insertions(+), 5 deletions(-)
> 
> diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
> index d094aab..6a44e43 100644
> --- a/config/apparmor/abstractions/container-base
> +++ b/config/apparmor/abstractions/container-base
> @@ -44,10 +44,38 @@
>    mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
>  
>    # generated by: lxc-generate-aa-rules.py container-rules.base
> -  deny /proc/sys/kernel/[^s]*{,/**} wklx,
> +  deny /proc/sys/[^kn]*{,/**} wklx,
> +  deny /proc/sys/k[^e]*{,/**} wklx,
> +  deny /proc/sys/ke[^r]*{,/**} wklx,
> +  deny /proc/sys/ker[^n]*{,/**} wklx,
> +  deny /proc/sys/kern[^e]*{,/**} wklx,
> +  deny /proc/sys/kerne[^l]*{,/**} wklx,
> +  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
> +  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
> +  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
> +  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
> +  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
> +  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
> +  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainname?*{,/**} wklx,
> +  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
> +  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
> +  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
> +  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostname?*{,/**} wklx,
>    deny /proc/sys/kernel/s[^h]*{,/**} wklx,
>    deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
>    deny /proc/sys/kernel/shm*/** wklx,
> +  deny /proc/sys/kernel?*{,/**} wklx,
> +  deny /proc/sys/n[^e]*{,/**} wklx,
> +  deny /proc/sys/ne[^t]*{,/**} wklx,
> +  deny /proc/sys/net?*{,/**} wklx,
>    deny /sys/[^fdc]*{,/**} wklx,
>    deny /sys/c[^l]*{,/**} wklx,
>    deny /sys/cl[^a]*{,/**} wklx,
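Review bot: the rule block added here and the identical block in container-rules both carry the `# generated by: lxc-generate-aa-rules.py container-rules.base` header, so the review question for this hunk is whether both were produced by re-running the updated generator rather than pasted by hand; the fix to child_get changes what the script emits, and a generated file that is edited manually will silently drift from container-rules.base. A quick check is to regenerate from the base file and diff against this hunk. Also worth stating in the commit message: every rule is `wklx`, so reads of the blocked sysctls stay permitted, which matches the subject line ("deny writes") but is easy to misread from the bare `deny` keyword.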
> diff --git a/config/apparmor/container-rules b/config/apparmor/container-rules
> index 47dd4c2..2c8c0b4 100644
> --- a/config/apparmor/container-rules
> +++ b/config/apparmor/container-rules
> @@ -1,8 +1,36 @@
>    # generated by: lxc-generate-aa-rules.py container-rules.base
> -  deny /proc/sys/kernel/[^s]*{,/**} wklx,
> +  deny /proc/sys/[^kn]*{,/**} wklx,
> +  deny /proc/sys/k[^e]*{,/**} wklx,
> +  deny /proc/sys/ke[^r]*{,/**} wklx,
> +  deny /proc/sys/ker[^n]*{,/**} wklx,
> +  deny /proc/sys/kern[^e]*{,/**} wklx,
> +  deny /proc/sys/kerne[^l]*{,/**} wklx,
> +  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
> +  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
> +  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
> +  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
> +  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
> +  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
> +  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
> +  deny /proc/sys/kernel/domainname?*{,/**} wklx,
> +  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
> +  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
> +  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
> +  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
> +  deny /proc/sys/kernel/hostname?*{,/**} wklx,
>    deny /proc/sys/kernel/s[^h]*{,/**} wklx,
>    deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
>    deny /proc/sys/kernel/shm*/** wklx,
> +  deny /proc/sys/kernel?*{,/**} wklx,
> +  deny /proc/sys/n[^e]*{,/**} wklx,
> +  deny /proc/sys/ne[^t]*{,/**} wklx,
> +  deny /proc/sys/net?*{,/**} wklx,
>    deny /sys/[^fdc]*{,/**} wklx,
>    deny /sys/c[^l]*{,/**} wklx,
>    deny /sys/cl[^a]*{,/**} wklx,
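Review bot: this hunk is line for line the same generated block as the one in abstractions/container-base, so the repository now holds two copies of the generator output that must be regenerated together; a future regeneration that touches only one file leaves the profile abstraction and the standalone rules file disagreeing. Either have the abstraction `#include` the generated container-rules file, or add a test step that diffs the two, so the duplication cannot go stale unnoticed.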
> diff --git a/config/apparmor/container-rules.base b/config/apparmor/container-rules.base
> index e16d874..615f015 100644
> --- a/config/apparmor/container-rules.base
> +++ b/config/apparmor/container-rules.base
> @@ -6,5 +6,8 @@ block /sys
>  allow /sys/fs/cgroup/**
>  allow /sys/devices/virtual/net/**
>  allow /sys/class/net/**
> -block /proc/sys/kernel
> +block /proc/sys
>  allow /proc/sys/kernel/shm*
> +allow /proc/sys/kernel/hostname
> +allow /proc/sys/kernel/domainname
> +allow /proc/sys/net/**
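Review bot: `allow /proc/sys/net/**` is the only wholesale allow in the base file, and nothing in the file records why the entire net tree may be writable while the rest of /proc/sys is now blocked; a one-line comment stating the assumption being relied on (net sysctls being scoped to the container's network namespace) would help the next person editing this list. A second small point: `allow /proc/sys/kernel/shm*` is a glob while the hostname and domainname entries are exact names, and the generator treats the two forms differently (`shm*/**` versus `hostname?*{,/**}` in the output), so a comment on which form to use for new entries would avoid surprises.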
> diff --git a/config/apparmor/lxc-generate-aa-rules.py b/config/apparmor/lxc-generate-aa-rules.py
> index 34518cf..66fca41 100755
> --- a/config/apparmor/lxc-generate-aa-rules.py
> +++ b/config/apparmor/lxc-generate-aa-rules.py
> @@ -25,11 +25,14 @@ def add_block(path):
>              return
>      blocks.append({'path': path.strip(), 'children': []})
>  
> -
> +# @prev is an array of dicts which containing 'path' and
> +# 'children'.  @path is a string.  We are looking for an entry
> +# in @prev which contains @path, and will return it's 
> +# children array.
>  def child_get(prev, path):
>      for p in prev:
>          if p['path'] == path:
> -            return p
> +            return p['children']
>      return None
>  
>  
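Review bot: the new comment on child_get has wording and whitespace problems: "which containing" should be "containing", "it's children" should be "its children", and the line `# in @prev which contains @path, and will return it's ` ends in a trailing space. Since this hunk changes the return value from the entry dict to its `children` list, the description belongs in a docstring directly under `def child_get(prev, path):`, where tools and callers will find it; and removing the second blank line leaves only one blank line before a top-level `def`, where PEP 8 expects two.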
> @@ -40,6 +43,7 @@ def add_allow(path):
>          l = len(b['path'])
>          if len(path) <= l:
>              continue
> +        # TODO - should we find the longest match?
>          if path[0:l] == b['path']:
>              found = b
>              break
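Review bot: the TODO is the right question, and the comparison on the following line has a second problem worth fixing in the same change: `path[0:l] == b['path']` is a raw character prefix test with no separator check, so `block /proc/sys` would also claim `allow /proc/sysfoo/x`. Compare against `b['path'] + '/'` (or require `path[l] == '/'`). On the TODO itself: because the loop `break`s at the first block whose path is a prefix, a more specific block listed after a broader one in the base file is never selected; sorting `blocks` by path length descending before the loop, or tracking the longest match instead of breaking, resolves it.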
> -- 
> 1.9.1
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
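The generator under review turns the block/allow list in container-rules.base into the character-by-character deny rules in the hunks above. The following Python is an added example, not the lxc-generate-aa-rules.py script from the patch or from the LXC project: it reimplements that scheme from the base file contents shown in the diff so the result can be diffed against the committed rules. The ordering choices (first-character class in declaration order, children expanded in sorted order, blocks in sorted order) are inferred from the generated output in the diff, and the separator-aware longest-block match in `owner_block` is this example's own answer to the TODO in add_allow(), not something the patch does.

```python
"""Regenerate AppArmor deny rules from a block/allow list.

Added example, not the lxc-generate-aa-rules.py from the patch: it rebuilds
the same rule shape (negated character classes) from a block/allow list so
the result can be diffed against the committed rules.
"""
from typing import Dict, List, Optional

# Constructed input: the container-rules.base contents shown in the patch.
RULES_BASE = """\
block /sys
allow /sys/fs/cgroup/**
allow /sys/devices/virtual/net/**
allow /sys/class/net/**
block /proc/sys
allow /proc/sys/kernel/shm*
allow /proc/sys/kernel/hostname
allow /proc/sys/kernel/domainname
allow /proc/sys/net/**
"""


def owner_block(blocks: List[str], path: str) -> Optional[str]:
    """Longest block that is a path-component prefix of path, else None.

    The separator check means /proc/sys does not claim /proc/sysfoo/x, and
    preferring the longest match is this example's answer to the TODO in
    add_allow() (assumption, not the patch's behaviour).
    """
    matches = [b for b in blocks if path.startswith(b + "/")]
    return max(matches, key=len) if matches else None


def parse_base(text: str) -> Dict[str, dict]:
    """Return {block_path: tree}; a tree is nested dicts keyed by path component."""
    blocks: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, path = line.split(None, 1)
        path = path.strip()
        if kind == "block":
            blocks.setdefault(path, {})
        elif kind == "allow":
            owner = owner_block(list(blocks), path)
            if owner is None:
                raise ValueError(f"allow {path} is not under any block")
            node = blocks[owner]
            for part in path[len(owner) + 1:].split("/"):
                node = node.setdefault(part, {})
        else:
            raise ValueError(f"unknown directive: {line}")
    return blocks


def deny_rules(prefix: str, children: dict) -> List[str]:
    """Deny everything under prefix/ except the allowed children.

    Ordering (character class in declaration order, children expanded in
    sorted order) is inferred from the generated output in the patch.
    """
    if "**" in children:          # allow prefix/** : nothing left to deny
        return []
    if not children:              # a block with no allows at all
        return [f"deny {prefix}/** wklx,"]
    rules: List[str] = []
    # One rule rejects every first character that no allowed name starts with.
    first = "".join(dict.fromkeys(name[0] for name in children))
    rules.append(f"deny {prefix}/[^{first}]*{{,/**}} wklx,")
    for name in sorted(children):
        # Walk the allowed name one character at a time, denying any divergence.
        for i in range(1, len(name)):
            if name[i] == "*":
                break
            rules.append(f"deny {prefix}/{name[:i]}[^{name[i]}]*{{,/**}} wklx,")
        if name.endswith("*"):
            # shm*-style glob: the matching files are allowed, anything below them is not.
            rules.append(f"deny {prefix}/{name}/** wklx,")
            continue
        if children[name]:        # intermediate directory: recurse into it
            rules.extend(deny_rules(f"{prefix}/{name}", children[name]))
        # Longer names that merely share this prefix (e.g. hostnameX) stay denied.
        rules.append(f"deny {prefix}/{name}?*{{,/**}} wklx,")
    return rules


def generate(text: str) -> Dict[str, List[str]]:
    """Rules per block, blocks in sorted order (/proc/sys before /sys, as in the patch)."""
    blocks = parse_base(text)
    return {b: deny_rules(b, blocks[b]) for b in sorted(blocks)}


def render(text: str, source_name: str = "container-rules.base") -> str:
    """Format like the committed files: a header comment and two-space indent."""
    lines = [f"  # generated by: lxc-generate-aa-rules.py {source_name}"]
    for rules in generate(text).values():
        lines.extend("  " + r for r in rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(RULES_BASE), end="")
```

Running it reproduces the 32 rules for /proc/sys exactly as they appear in the hunks; diffing its output against the committed container-rules file is the check that the generated files were not edited by hand or produced from a different base.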