[lxc-devel] [PATCH 2/2] apparmor: restrict signal and ptrace
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Sep 25 15:40:08 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Thu, Sep 25, 2014 at 02:47:08PM +0000, Serge Hallyn wrote:
> > restrict signal and ptrace for processes running under the container profile.
> > Rules based on AppArmor base abstraction. Add unix rules for processes running
> > under the container profile.
> >
> > Author: Jamie Strandboge <jamie at canonical.com>
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> > config/apparmor/abstractions/container-base.in | 36 +++++++++++++++++++++++---
> > 1 file changed, 32 insertions(+), 4 deletions(-)
> >
> > diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
> > index 096d35b..0aee5ee 100644
> > --- a/config/apparmor/abstractions/container-base.in
> > +++ b/config/apparmor/abstractions/container-base.in
> > @@ -3,11 +3,39 @@
> > file,
> > umount,
> >
> > - # The following 3 entries are only supported by recent apparmor versions.
> > - # Comment them if the apparmor parser doesn't recognize them.
> > + # dbus, signal, ptrace and unix are only supported by recent apparmor
> > + # versions. Comment them if the apparmor parser doesn't recognize them.
> > +
> > + # This also needs additional rules to reach outside of the container via DBus, so
> > + # just let all of DBus within the container.
> > dbus,
> > - signal,
> > - ptrace,
> > +
> > + # Allow unconfined to signal us
> > + signal (receive) peer=unconfined,
> > + signal (receive) peer=/usr/bin/lxc-start,
> > +
> > + # Allow us to send signals to ourselves
> > + signal peer=@{profile_name},
> > +
> > + # Allow other processes to read our /proc entries, futexes, perf tracing and
> > + # kcmp for now (they will need 'read' in the first place). Administrators can
> > + # override with:
> > + # deny ptrace (readby) ...
> > + ptrace (readby),
> > +
> > + # Allow other processes to trace us by default (they will need 'trace' in
> > + # the first place). Administrators can override with:
> > + # deny ptrace (tracedby) ...
> > + ptrace (tracedby),
> > +
> > + # Allow us to ptrace ourselves
> > + ptrace peer=@{profile_name},
> > +
> > + # Allow unconfined processes to us via unix sockets
> > + unix (receive) peer=(label=unconfined),
> > +
> > + # Allow all unix in the container
> > + unix peer=(label=@{profile_name}),
>
> That suggests we can't then bind-mount a socket into the container and
> have the container connect to it because the peer won't be running under
Wrong. That socket will be mediated using file perms. That's why
cgmanager still works with this patch.
> the container's profile.
>
> That'll break things and I can't think of a good reason why we'd want to
> block that, so -1.
>
> >
> > # ignore DENIED message on / remount
> > deny mount options=(ro, remount) -> /,
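Review bot: the comment above the unix rules, `# Allow unconfined processes to us via unix sockets`, is missing its verb and does not say which sockets the two `unix` rules actually govern, which is exactly what the objection in this thread tripped over; since, as the reply states, a socket bind-mounted into the container is mediated by file permissions rather than by these rules, say so in the comment and reword the line to something like `# Allow unconfined processes to talk to us via unix sockets`. Likewise `# just let all of DBus within the container` should read `# just allow all of DBus within the container`. The comment `# Allow unconfined to signal us` only describes the first of the two `signal (receive)` rules beneath it; the `peer=/usr/bin/lxc-start` rule deserves its own sentence explaining that it covers the case where lxc-start is itself confined under that path-named profile instead of running unconfined.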
> > --
> > 2.1.0
> >
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com