[lxc-devel] [PATCH] apparmor: Add profiles

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jan 16 22:39:46 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  config/Makefile.am                                 |  2 +-
>  config/apparmor/Makefile.am                        | 37 ++++++++++++++++
>  config/apparmor/abstractions/container-base        | 50 ++++++++++++++++++++++
>  config/apparmor/abstractions/start-container       | 30 +++++++++++++
>  config/apparmor/lxc-containers                     |  7 +++
>  config/apparmor/profiles/lxc-default               | 11 +++++
>  config/apparmor/profiles/lxc-default-debootstrap   | 18 ++++++++
>  config/apparmor/profiles/lxc-default-with-mounting | 14 ++++++
>  config/apparmor/profiles/lxc-default-with-nesting  | 13 ++++++
>  config/apparmor/usr.bin.lxc-start                  |  5 +++
>  configure.ac                                       |  1 +
>  11 files changed, 187 insertions(+), 1 deletion(-)
>  create mode 100644 config/apparmor/Makefile.am
>  create mode 100644 config/apparmor/abstractions/container-base
>  create mode 100644 config/apparmor/abstractions/start-container
>  create mode 100644 config/apparmor/lxc-containers
>  create mode 100644 config/apparmor/profiles/lxc-default
>  create mode 100644 config/apparmor/profiles/lxc-default-debootstrap
>  create mode 100644 config/apparmor/profiles/lxc-default-with-mounting
>  create mode 100644 config/apparmor/profiles/lxc-default-with-nesting
>  create mode 100644 config/apparmor/usr.bin.lxc-start
> 
> diff --git a/config/Makefile.am b/config/Makefile.am
> index 02ba9ce..f9ce6fb 100644
> --- a/config/Makefile.am
> +++ b/config/Makefile.am
> @@ -1 +1 @@
> -SUBDIRS = etc init templates
> +SUBDIRS = apparmor etc init templates
> diff --git a/config/apparmor/Makefile.am b/config/apparmor/Makefile.am
> new file mode 100644
> index 0000000..801866d
> --- /dev/null
> +++ b/config/apparmor/Makefile.am
> @@ -0,0 +1,37 @@
> +EXTRA_DIST = \
> +	abstractions/container-base \
> +	abstractions/start-container \
> +	profiles/lxc-default \
> +	profiles/lxc-default-with-mounting \
> +	profiles/lxc-default-with-nesting \
> +	lxc-containers \
> +	usr.bin.lxc-start
> +
> +if ENABLE_APPARMOR
> +install-apparmor:
> +	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
> +	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> +	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> +	$(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> +	$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> +	$(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> +	$(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> +	$(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> +	$(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
> +	$(INSTALL_DATA) usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/
> +
> +uninstall-apparmor:
> +	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.bin.lxc-start
> +	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
> +	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
> +	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
> +	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
> +	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
> +	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
> +	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ || :
> +	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ || :
> +	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/ || :
> +
> +install-data-local: install-apparmor
> +uninstall-local: uninstall-apparmor
> +endif
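Review bot: `profiles/lxc-default-debootstrap` is created by this patch (it is in the diffstat) but is missing from EXTRA_DIST and from both install-apparmor and uninstall-apparmor, so it is neither shipped in the dist tarball nor installed. Add `profiles/lxc-default-debootstrap \` to EXTRA_DIST, `$(INSTALL_DATA) profiles/lxc-default-debootstrap $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/` to install-apparmor, and the matching `rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-debootstrap` to uninstall-apparmor. install-apparmor and uninstall-apparmor are command targets rather than files, so declare them `.PHONY: install-apparmor uninstall-apparmor` inside the conditional. The files are installed under $(sysconfdir)/apparmor.d while the profiles' own `#include <...>` lines and header comments assume /etc/apparmor.d, so a non-default sysconfdir yields an install the parser never loads; a comment in this Makefile stating that assumption would save the next packager a surprise.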
> diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
> new file mode 100644
> index 0000000..9db94e7
> --- /dev/null
> +++ b/config/apparmor/abstractions/container-base
> @@ -0,0 +1,50 @@
> +  network,
> +  capability,
> +  file,
> +  umount,
> +  dbus,
> +
> +  # ignore DENIED message on / remount
> +  deny mount options=(ro, remount) -> /,
> +
> +  # allow tmpfs mounts everywhere
> +  mount fstype=tmpfs,
> +
> +  # allow mqueue mounts everywhere
> +  mount fstype=mqueue,
> +
> +  # allow fuse mounts everywhere
> +  mount fstype=fuse.*,
> +
> +  # allow bind mount of /lib/init/fstab for lxcguest
> +  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
> +
> +  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
> +  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
> +  deny @{PROC}/sys/fs/** wklx,
> +
> +  # allow efivars to be mounted, writing to it will be blocked though
> +  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
> +
> +  # block some other dangerous paths
> +  deny @{PROC}/sysrq-trigger rwklx,
> +  deny @{PROC}/mem rwklx,
> +  deny @{PROC}/kmem rwklx,
> +  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
> +  deny @{PROC}/sys/kernel/*/** wklx,
> +
> +  # deny writes in /sys except for /sys/fs/cgroup, also allow
> +  # fusectl, securityfs and debugfs to be mounted there (read-only)
> +  mount fstype=fusectl -> /sys/fs/fuse/connections/,
> +  mount fstype=securityfs -> /sys/kernel/security/,
> +  mount fstype=debugfs -> /sys/kernel/debug/,
> +  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
> +  mount fstype=proc -> /proc/,
> +  mount fstype=sysfs -> /sys/,
> +  deny /sys/[^f]*/** wklx,
> +  deny /sys/f[^s]*/** wklx,
> +  deny /sys/fs/[^c]*/** wklx,
> +  deny /sys/fs/c[^g]*/** wklx,
> +  deny /sys/fs/cg[^r]*/** wklx,
> +  deny /sys/firmware/efi/efivars/** rwklx,
> +  deny /sys/kernel/security/** rwklx,
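Review bot: The rule `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` just after the `/proc/kmem` denial does not express "everything except shm*": each bracket class matches exactly one character, so any entry whose first character is `s`, whose second is `h`, or whose third is `m` (and any name shorter than three characters) falls outside the deny. The /sys block at the end of this hunk already uses the right construction, a chain of rules each fixing one more prefix character (`/sys/[^f]*/**`, `/sys/f[^s]*/**`, …), so the kernel rule should be written the same way: `deny @{PROC}/sys/kernel/[^s]* wklx,` `deny @{PROC}/sys/kernel/s[^h]* wklx,` `deny @{PROC}/sys/kernel/sh[^m]* wklx,` alongside the existing `*/**` rule for subdirectories. Whether the parser version targeted here accepts the alternation form `{[^s]*,s[^h]*,sh[^m]*}` should be confirmed before using it; three separate rules are the safe choice.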
> diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
> new file mode 100644
> index 0000000..56a8ec3
> --- /dev/null
> +++ b/config/apparmor/abstractions/start-container
> @@ -0,0 +1,30 @@
> +  network,
> +  capability,
> +  file,
> +  dbus,
> +
> +  # currently blocked by apparmor bug
> +  mount -> /usr/lib/*/lxc/{**,},
> +  mount -> /usr/lib/lxc/{**,},
> +  mount fstype=devpts -> /dev/pts/,
> +  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
> +  mount fstype=debugfs,
> +  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
> +  mount -> /var/lib/lxc/{**,},
> +
> +  # required for some pre-mount hooks (like the new lxc-start-ephemeral)
> +  mount fstype=overlayfs,
> +  mount fstype=aufs,
> +  mount fstype=ecryptfs,
> +
> +  # all umounts are under the original root's /mnt, but right now we
> +  # can't allow those umounts after pivot_root.  So allow all umounts
> +  # right now.  They'll be restricted for the container at least.
> +  umount,
> +  #umount /mnt/{**,},
> +
> +  pivot_root /usr/lib/*/lxc/,
> +  pivot_root /usr/lib/lxc/root/,
> +
> +  change_profile -> lxc-*,
> +  change_profile -> unconfined,
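Review bot: The comment `# currently blocked by apparmor bug` above the first mount group does not say what is blocked or which of the rules beneath it are affected, and the commented-out `#umount /mnt/{**,},` under `umount,` is dead text, so a reader cannot tell which rules are meant to be tightened later. Replace the first comment with one that names the intended tighter form and the bug preventing it, using a placeholder until the reference is known, e.g. `# the mount rules below are broader than intended; the tighter forms are rejected by an apparmor bug (<bug reference>)`, and either drop the `#umount /mnt/{**,},` line or fold it into the preceding umount comment as the rule to restore once umount after pivot_root can be expressed. `mount fstype=debugfs,` carries no target and, unlike the overlayfs/aufs/ecryptfs group, no explanation of why lxc-start needs it; add one.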
> diff --git a/config/apparmor/lxc-containers b/config/apparmor/lxc-containers
> new file mode 100644
> index 0000000..0644cf2
> --- /dev/null
> +++ b/config/apparmor/lxc-containers
> @@ -0,0 +1,7 @@
> +# This file exists only to ensure that all per-container policies
> +# listed under /etc/apparmor.d/lxc get loaded at boot.  Please do
> +# not edit this file.
> +
> +#include <tunables/global>
> +
> +#include <lxc>
> diff --git a/config/apparmor/profiles/lxc-default b/config/apparmor/profiles/lxc-default
> new file mode 100644
> index 0000000..9a96a2e
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default
> @@ -0,0 +1,11 @@
> +# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
> +  #include <abstractions/lxc/container-base>
> +
> +  # the container may never be allowed to mount devpts.  If it does, it
> +  # will remount the host's devpts.  We could allow it to do it with
> +  # the newinstance option (but, right now, we don't).
> +  deny mount fstype=devpts,
> +}
> diff --git a/config/apparmor/profiles/lxc-default-debootstrap b/config/apparmor/profiles/lxc-default-debootstrap
> new file mode 100644
> index 0000000..d5a5ac0
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default-debootstrap
> @@ -0,0 +1,18 @@
> +# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default-builder flags=(attach_disconnected,mediate_deleted) {
> +  #include <abstractions/lxc/container-base>
> +
> +  # pbuilder
> +  mount options=(rw,bind) -> /var/cache/pbuilder/**,
> +  mount fstype=devpts -> /var/cache/pbuilder/**,
> +  mount fstype=proc -> /var/cache/pbuilder/**,
> +  mount fstype=sysfs -> /var/cache/pbuilder/**,
> +
> +  # sbuild
> +  mount options=(rw,bind) -> /var/lib/schroot/**,
> +  mount fstype=devpts -> /var/lib/schroot/**,
> +  mount fstype=proc -> /var/lib/schroot/**,
> +  mount fstype=sysfs -> /var/lib/schroot/**,
> +}
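Review bot: The rules `mount fstype=devpts -> /var/cache/pbuilder/**,` and `mount fstype=devpts -> /var/lib/schroot/**,` are allowed here without explanation, while lxc-default in the same series explicitly denies devpts mounts and its comment indicates the remount-of-host-devpts concern is about the mount itself rather than its target, so presumably it applies to this profile as well. Add a comment stating why the builder profile accepts that, e.g. `# devpts mounts are required by pbuilder/sbuild chroots; the host-devpts remount concern noted in lxc-default applies here too`, and, if the parser in use can mediate the `newinstance` option that lxc-default's comment mentions, consider restricting the rule to it. Separately, this file is absent from config/apparmor/Makefile.am's EXTRA_DIST and install rules.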
> diff --git a/config/apparmor/profiles/lxc-default-with-mounting b/config/apparmor/profiles/lxc-default-with-mounting
> new file mode 100644
> index 0000000..8a9a6b7
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default-with-mounting
> @@ -0,0 +1,14 @@
> +# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
> +  #include <abstractions/lxc/container-base>
> +
> +# allow standard blockdevtypes.
> +# The concern here is in-kernel superblock parsers bringing down the
> +# host with bad data.  However, we continue to disallow proc, sys, securityfs,
> +# etc to nonstandard locations.
> +  mount fstype=ext*,
> +  mount fstype=xfs,
> +  mount fstype=btrfs,
> +}
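Review bot: The four comment lines starting `# allow standard blockdevtypes.` sit at column 0 inside the profile body, whereas every other rule and comment within braces in this series is indented two spaces; indent them to match and expand the abbreviation so the line reads `# allow standard block device filesystem types.`. `mount fstype=ext*,` relies on a glob, so a short `# ext2/ext3/ext4` beside it would make the intended set explicit.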
> diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
> new file mode 100644
> index 0000000..245f2f8
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default-with-nesting
> @@ -0,0 +1,13 @@
> +# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
> +  #include <abstractions/lxc/container-base>
> +  #include <abstractions/lxc/start-container>
> +
> +  mount fstype=cgroup -> /sys/fs/cgroup/**,
> +
> +  mount fstype=proc -> /var/cache/lxc/**,
> +  mount fstype=sysfs -> /var/cache/lxc/**,
> +  mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,
> +}
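Review bot: Including `abstractions/lxc/start-container` here pulls in that abstraction's `umount,`, its pivot_root rules and `change_profile -> unconfined,`, so a nested lxc-start under this profile may transition to unconfined, yet the profile says nothing about it. Add a comment above the include, e.g. `# start-container grants unrestricted umount, pivot_root and change_profile -> unconfined; a nesting container is therefore only loosely confined, by design`, so operators choosing lxc-default-with-nesting know what they are giving up relative to lxc-default.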
> diff --git a/config/apparmor/usr.bin.lxc-start b/config/apparmor/usr.bin.lxc-start
> new file mode 100644
> index 0000000..2f87cdd
> --- /dev/null
> +++ b/config/apparmor/usr.bin.lxc-start
> @@ -0,0 +1,5 @@
> +#include <tunables/global>
> +
> +/usr/bin/lxc-start flags=(attach_disconnected) {
> +  #include <abstractions/lxc/start-container>
> +}
> diff --git a/configure.ac b/configure.ac
> index 6b93299..090ee16 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -547,6 +547,7 @@ AC_CONFIG_FILES([
>  	lxc.spec
>  
>  	config/Makefile
> +	config/apparmor/Makefile
>  	config/init/Makefile
>  	config/init/sysvinit/Makefile
>  	config/init/systemd/Makefile
> -- 
> 1.8.5.2
> 

