[lxc-devel] [PATCH 2/2] apparmor: restrict signal and ptrace
Stéphane Graber
stgraber at ubuntu.com
Thu Sep 25 14:50:16 UTC 2014
On Thu, Sep 25, 2014 at 02:47:08PM +0000, Serge Hallyn wrote:
> restrict signal and ptrace for processes running under the container profile.
> Rules based on AppArmor base abstraction. Add unix rules for processes running
> under the container profile.
>
> Author: Jamie Strandboge <jamie at canonical.com>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/apparmor/abstractions/container-base.in | 36 +++++++++++++++++++++++---
> 1 file changed, 32 insertions(+), 4 deletions(-)
>
> diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
> index 096d35b..0aee5ee 100644
> --- a/config/apparmor/abstractions/container-base.in
> +++ b/config/apparmor/abstractions/container-base.in
> @@ -3,11 +3,39 @@
> file,
> umount,
>
> - # The following 3 entries are only supported by recent apparmor versions.
> - # Comment them if the apparmor parser doesn't recognize them.
> + # dbus, signal, ptrace and unix are only supported by recent apparmor
> + # versions. Comment them if the apparmor parser doesn't recognize them.
> +
> + # This also needs additional rules to reach outside of the container via DBus, so
> + # just let all of DBus within the container.
> dbus,
> - signal,
> - ptrace,
> +
> + # Allow unconfined to signal us
> + signal (receive) peer=unconfined,
> + signal (receive) peer=/usr/bin/lxc-start,
> +
> + # Allow us to send signals to ourselves
> + signal peer=@{profile_name},
> +
> + # Allow other processes to read our /proc entries, futexes, perf tracing and
> + # kcmp for now (they will need 'read' in the first place). Administrators can
> + # override with:
> + # deny ptrace (readby) ...
> + ptrace (readby),
> +
> + # Allow other processes to trace us by default (they will need 'trace' in
> + # the first place). Administrators can override with:
> + # deny ptrace (tracedby) ...
> + ptrace (tracedby),
> +
> + # Allow us to ptrace ourselves
> + ptrace peer=@{profile_name},
> +
> + # Allow unconfined processes to us via unix sockets
> + unix (receive) peer=(label=unconfined),
> +
> + # Allow all unix in the container
> + unix peer=(label=@{profile_name}),
That suggests we can't then bind-mount a socket into the container and
have the container connect to it because the peer won't be running under
the container's profile.
That'll break things and I can't think of a good reason why we'd want to
block that, so -1.
>
> # ignore DENIED message on / remount
> deny mount options=(ro, remount) -> /,
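Review bot: the two unix rules at the end of the hunk (`unix (receive) peer=(label=unconfined)` and `unix peer=(label=@{profile_name})`) admit only unconfined peers and peers under the container's own profile, so a host daemon confined under any other profile whose socket is bind-mounted into the container will have its connections denied with no way to tell from the abstraction that this is intended; if the restriction is deliberate, the header comment should say so and point administrators at the per-container rule they can add (for example `unix peer=(label=...)`), the way the ptrace comments already point at `deny ptrace (readby) ...`. Two smaller points: `signal (receive) peer=/usr/bin/lxc-start` hardcodes the install path, so an lxc-start running confined from any other location would be unable to signal container processes (an unconfined one is still covered by the preceding `peer=unconfined` rule), and since this is an `.in` file the path could be substituted at install time instead; and the comment "Allow unconfined processes to us via unix sockets" is missing its verb, presumably "to connect to us".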
> --
> 2.1.0
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
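An added example of the scenario Stéphane describes, not code from the patch or from LXC itself: a per-container profile that includes the patched abstraction and then admits one extra unix peer so that a socket bind-mounted from the host can actually be used, together with the matching rule on the daemon's side. The daemon, its profile name `/usr/sbin/hypothetical-daemon`, the socket path `/run/hypothetical-daemon.sock` and the profile name `lxc-container-hypothetical` are all invented for illustration, and the `#include` path assumes the abstraction is installed as `abstractions/lxc/container-base`.

```apparmor
#include <tunables/global>

# Assumed host-side setup (illustrative only, not from the patch):
#   - a daemon confined under the profile /usr/sbin/hypothetical-daemon
#     listens on the filesystem socket /run/hypothetical-daemon.sock
#   - that socket is bind-mounted into the container (lxc.mount.entry)
#
# With only the abstraction's rules the container may use unix sockets
# with peers labelled "unconfined" or @{profile_name}. The daemon carries
# neither label, so connect()/send()/recv() from inside the container is
# denied. The fix is to name the extra peer in the container's own profile
# rather than loosen the shared abstraction.

# Container side: include the patched abstraction, then admit the one
# additional peer label explicitly. File access to the socket path is
# already covered by the abstraction's "file," rule.
profile lxc-container-hypothetical flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  unix (connect, send, receive) type=stream
       peer=(label=/usr/sbin/hypothetical-daemon),
}

# Daemon side: AppArmor mediates both ends of the socket, so the daemon's
# profile must also accept the container's label as a peer. Everything
# else the daemon needs is omitted here.
profile /usr/sbin/hypothetical-daemon flags=(attach_disconnected) {
  /run/hypothetical-daemon.sock rw,
  unix (create, bind, listen, accept) type=stream,
  unix (send, receive) type=stream
       peer=(label=lxc-container-hypothetical),
}
```

Pinning the peer to a single label on both sides keeps the abstraction's default (only unconfined and same-profile peers) intact for every other container, and a failed connection shows up as a DENIED unix event in the audit log naming the two labels, which is the quickest way to confirm that the label rather than the socket path is what is being blocked.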