[lxc-devel] [PATCH 2/2] apparmor: restrict signal and ptrace
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Sep 25 14:47:08 UTC 2014
Restrict signal and ptrace for processes running under the container profile.
Rules based on AppArmor base abstraction. Add unix rules for processes running
under the container profile.
Author: Jamie Strandboge <jamie at canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/apparmor/abstractions/container-base.in | 36 +++++++++++++++++++++++---
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 096d35b..0aee5ee 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -3,11 +3,39 @@
file,
umount,
- # The following 3 entries are only supported by recent apparmor versions.
- # Comment them if the apparmor parser doesn't recognize them.
+ # dbus, signal, ptrace and unix are only supported by recent apparmor
+ # versions. Comment them if the apparmor parser doesn't recognize them.
+
+ # This also needs additional rules to reach outside of the container via DBus, so
+ # just let all of DBus within the container.
dbus,
- signal,
- ptrace,
+
+ # Allow unconfined to signal us
+ signal (receive) peer=unconfined,
+ signal (receive) peer=/usr/bin/lxc-start,
+
+ # Allow us to send signals to ourselves
+ signal peer=@{profile_name},
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace ourselves
+ ptrace peer=@{profile_name},
+
+ # Allow unconfined processes to us via unix sockets
+ unix (receive) peer=(label=unconfined),
+
+ # Allow all unix in the container
+ unix peer=(label=@{profile_name}),
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
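Review bot: the `signal (receive) peer=/usr/bin/lxc-start` rule hard-codes the install path of lxc-start, so on a build where the binary lives elsewhere the rule silently stops matching and a confined lxc-start could no longer signal the container's processes (the `peer=unconfined` rule above it only covers the case where lxc-start itself is unconfined). Since this file is an `.in` template, consider substituting the configured bindir into the rule, or at least state the path assumption in the comment alongside the existing "Comment them if the apparmor parser doesn't recognize them" note. Minor: the comment "Allow unconfined processes to us via unix sockets" is missing its verb; "Allow unconfined processes to send to us via unix sockets" would match the `unix (receive)` rule it describes.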
--
2.1.0