[lxc-devel] [PATCH] apparmor: deny writes to most of /proc/sys
Stéphane Graber
stgraber at ubuntu.com
Wed Apr 2 01:25:29 UTC 2014
On Tue, Apr 01, 2014 at 08:17:44PM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > ^ Looks like you want /proc/sys instead to avoid the // in the output.
>
> Good point (though it shouldn't hurt anything), here's an update:
>
> From 60ac73c8f58354917c06e446035038ae3f84d5c3 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> Date: Wed, 2 Apr 2014 01:03:07 +0200
> Subject: [PATCH 1/1] apparmor: deny writes to most of /proc/sys (v2)
>
> Allow writes to kernel.shm*, net.*, kernel/domainname and
> kernel/hostname,
>
> Also fix a bug in the lxc-generate-aa-rules.py script in a
> path which wasn't being exercised before, which returned a
> path element rather than its child.
>
> Changelog (v2): remove trailing / from block path
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> config/apparmor/abstractions/container-base | 30 ++++++++++++++++++++++++++++-
> config/apparmor/container-rules | 30 ++++++++++++++++++++++++++++-
> config/apparmor/container-rules.base | 5 ++++-
> config/apparmor/lxc-generate-aa-rules.py | 8 ++++++--
> 4 files changed, 68 insertions(+), 5 deletions(-)
>
> diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
> index d094aab..6a44e43 100644
> --- a/config/apparmor/abstractions/container-base
> +++ b/config/apparmor/abstractions/container-base
> @@ -44,10 +44,38 @@
> mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
>
> # generated by: lxc-generate-aa-rules.py container-rules.base
> - deny /proc/sys/kernel/[^s]*{,/**} wklx,
> + deny /proc/sys/[^kn]*{,/**} wklx,
> + deny /proc/sys/k[^e]*{,/**} wklx,
> + deny /proc/sys/ke[^r]*{,/**} wklx,
> + deny /proc/sys/ker[^n]*{,/**} wklx,
> + deny /proc/sys/kern[^e]*{,/**} wklx,
> + deny /proc/sys/kerne[^l]*{,/**} wklx,
> + deny /proc/sys/kernel/[^shd]*{,/**} wklx,
> + deny /proc/sys/kernel/d[^o]*{,/**} wklx,
> + deny /proc/sys/kernel/do[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
> + deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
> + deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
> + deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
> + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
> + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
> + deny /proc/sys/kernel/domainname?*{,/**} wklx,
> + deny /proc/sys/kernel/h[^o]*{,/**} wklx,
> + deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
> + deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
> + deny /proc/sys/kernel/host[^n]*{,/**} wklx,
> + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
> + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
> + deny /proc/sys/kernel/hostname?*{,/**} wklx,
> deny /proc/sys/kernel/s[^h]*{,/**} wklx,
> deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
> deny /proc/sys/kernel/shm*/** wklx,
> + deny /proc/sys/kernel?*{,/**} wklx,
> + deny /proc/sys/n[^e]*{,/**} wklx,
> + deny /proc/sys/ne[^t]*{,/**} wklx,
> + deny /proc/sys/net?*{,/**} wklx,
> deny /sys/[^fdc]*{,/**} wklx,
> deny /sys/c[^l]*{,/**} wklx,
> deny /sys/cl[^a]*{,/**} wklx,
> diff --git a/config/apparmor/container-rules b/config/apparmor/container-rules
> index 47dd4c2..2c8c0b4 100644
> --- a/config/apparmor/container-rules
> +++ b/config/apparmor/container-rules
> @@ -1,8 +1,36 @@
> # generated by: lxc-generate-aa-rules.py container-rules.base
> - deny /proc/sys/kernel/[^s]*{,/**} wklx,
> + deny /proc/sys/[^kn]*{,/**} wklx,
> + deny /proc/sys/k[^e]*{,/**} wklx,
> + deny /proc/sys/ke[^r]*{,/**} wklx,
> + deny /proc/sys/ker[^n]*{,/**} wklx,
> + deny /proc/sys/kern[^e]*{,/**} wklx,
> + deny /proc/sys/kerne[^l]*{,/**} wklx,
> + deny /proc/sys/kernel/[^shd]*{,/**} wklx,
> + deny /proc/sys/kernel/d[^o]*{,/**} wklx,
> + deny /proc/sys/kernel/do[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
> + deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
> + deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
> + deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
> + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
> + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
> + deny /proc/sys/kernel/domainname?*{,/**} wklx,
> + deny /proc/sys/kernel/h[^o]*{,/**} wklx,
> + deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
> + deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
> + deny /proc/sys/kernel/host[^n]*{,/**} wklx,
> + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
> + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
> + deny /proc/sys/kernel/hostname?*{,/**} wklx,
> deny /proc/sys/kernel/s[^h]*{,/**} wklx,
> deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
> deny /proc/sys/kernel/shm*/** wklx,
> + deny /proc/sys/kernel?*{,/**} wklx,
> + deny /proc/sys/n[^e]*{,/**} wklx,
> + deny /proc/sys/ne[^t]*{,/**} wklx,
> + deny /proc/sys/net?*{,/**} wklx,
> deny /sys/[^fdc]*{,/**} wklx,
> deny /sys/c[^l]*{,/**} wklx,
> deny /sys/cl[^a]*{,/**} wklx,
> diff --git a/config/apparmor/container-rules.base b/config/apparmor/container-rules.base
> index e16d874..615f015 100644
> --- a/config/apparmor/container-rules.base
> +++ b/config/apparmor/container-rules.base
> @@ -6,5 +6,8 @@ block /sys
> allow /sys/fs/cgroup/**
> allow /sys/devices/virtual/net/**
> allow /sys/class/net/**
> -block /proc/sys/kernel
> +block /proc/sys
> allow /proc/sys/kernel/shm*
> +allow /proc/sys/kernel/hostname
> +allow /proc/sys/kernel/domainname
> +allow /proc/sys/net/**
> diff --git a/config/apparmor/lxc-generate-aa-rules.py b/config/apparmor/lxc-generate-aa-rules.py
> index 34518cf..66fca41 100755
> --- a/config/apparmor/lxc-generate-aa-rules.py
> +++ b/config/apparmor/lxc-generate-aa-rules.py
> @@ -25,11 +25,14 @@ def add_block(path):
> return
> blocks.append({'path': path.strip(), 'children': []})
>
> -
> +# @prev is an array of dicts which containing 'path' and
> +# 'children'. @path is a string. We are looking for an entry
> +# in @prev which contains @path, and will return it's
> +# children array.
> def child_get(prev, path):
> for p in prev:
> if p['path'] == path:
> - return p
> + return p['children']
> return None
>
>
> @@ -40,6 +43,7 @@ def add_allow(path):
> l = len(b['path'])
> if len(path) <= l:
> continue
> + # TODO - should we find the longest match?
> if path[0:l] == b['path']:
> found = b
> break
> --
> 1.9.1
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140401/602164d0/attachment.pgp>
More information about the lxc-devel
mailing list