[lxc-devel] [PATCH 2/2] apparmor: restrict signal and ptrace

Stéphane Graber stgraber at ubuntu.com
Thu Sep 25 16:08:12 UTC 2014


On Thu, Sep 25, 2014 at 03:40:08PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On Thu, Sep 25, 2014 at 02:47:08PM +0000, Serge Hallyn wrote:
> > > restrict signal and ptrace for processes running under the container profile.
> > > Rules based on AppArmor base abstraction. Add unix rules for processes running
> > > under the container profile.
> > > 
> > > Author: Jamie Strandboge <jamie at canonical.com>
> > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > > ---
> > >  config/apparmor/abstractions/container-base.in | 36 +++++++++++++++++++++++---
> > >  1 file changed, 32 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
> > > index 096d35b..0aee5ee 100644
> > > --- a/config/apparmor/abstractions/container-base.in
> > > +++ b/config/apparmor/abstractions/container-base.in
> > > @@ -3,11 +3,39 @@
> > >    file,
> > >    umount,
> > >  
> > > -  # The following 3 entries are only supported by recent apparmor versions.
> > > -  # Comment them if the apparmor parser doesn't recognize them.
> > > +  # dbus, signal, ptrace and unix are only supported by recent apparmor
> > > +  # versions. Comment them if the apparmor parser doesn't recognize them.
> > > +
> > > +  # This also needs additional rules to reach outside of the container via DBus, so
> > > +  # just let all of DBus within the container.
> > >    dbus,
> > > -  signal,
> > > -  ptrace,
> > > +
> > > +  # Allow unconfined to signal us
> > > +  signal (receive) peer=unconfined,
> > > +  signal (receive) peer=/usr/bin/lxc-start,
> > > +
> > > +  # Allow us to send signals to ourselves
> > > +  signal peer=@{profile_name},
> > > +
> > > +  # Allow other processes to read our /proc entries, futexes, perf tracing and
> > > +  # kcmp for now (they will need 'read' in the first place). Administrators can
> > > +  # override with:
> > > +  #   deny ptrace (readby) ...
> > > +  ptrace (readby),
> > > +
> > > +  # Allow other processes to trace us by default (they will need 'trace' in
> > > +  # the first place). Administrators can override with:
> > > +  #   deny ptrace (tracedby) ...
> > > +  ptrace (tracedby),
> > > +
> > > +  # Allow us to ptrace ourselves
> > > +  ptrace peer=@{profile_name},
> > > +
> > > +  # Allow unconfined processes to us via unix sockets
> > > +  unix (receive) peer=(label=unconfined),
> > > +
> > > +  # Allow all unix in the container
> > > +  unix peer=(label=@{profile_name}),
> > 
> > That suggests we can't then bind-mount a socket into the container and
> > have the container connect to it because the peer won't be running under
>  
> Wrong.  That socket will be mediated using file perms.  That's why
> cgmanager still works with this patch.

I'm really confused as to what that rule is supposed to allow then; does
all of the above only apply to abstract sockets then?

If so, why do we care when we have a separate netns, which prevents us
from talking to host abstract sockets anyway?

> 
> > the container's profile.
> > 
> > That'll break things and I can't think of a good reason why we'd want to
> > block that, so -1.
> > 
> > >  
> > >    # ignore DENIED message on / remount
> > >    deny mount options=(ro, remount) -> /,
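Review bot: `signal (receive) peer=/usr/bin/lxc-start,` hardcodes the install path of lxc-start in what is an `.in` template; the path should come from the build prefix substitution (or the peer should be written as a label) so the rule still matches when lxc-start lives under another prefix, otherwise the container only receives lxc-start's signals through the `peer=unconfined` rule, which holds only while lxc-start itself runs unconfined. Three comment fixes in the same hunk: "Allow unconfined to signal us" sits above both signal rules, but the second names a profile path rather than unconfined; "Allow unconfined processes to us via unix sockets" is missing its verb (send to us); and "Allow all unix in the container" overstates `unix peer=(label=@{profile_name}),`, since unix rules mediate abstract and anonymous sockets only, while filesystem sockets, including ones bind-mounted into the container, stay under the `file,` rule at the top of the abstraction, which is exactly the question this thread raises. Stating that scope in the comment would spare the next reader the same confusion.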
> > > -- 
> > > 2.1.0
> > > 
> > > _______________________________________________
> > > lxc-devel mailing list
> > > lxc-devel at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> > 
> > -- 
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
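The distinction the thread turns on, shown as an added example that is not code from the patch or from either participant: AppArmor's `unix` rules mediate abstract and anonymous AF_UNIX sockets, while a socket that exists as a filesystem path (the kind that can be bind-mounted into a container) is reached through that path and so falls under file rules. The program below, written for Linux, builds one address of each kind, runs a connect/accept round trip over it, and checks whether an inode was left behind; it does not exercise AppArmor itself, and the function names and the `/tmp` socket names are the example's own choices.

```c
/* Added example, not from the lxc patch or the mailing-list thread.
 * Linux only: the abstract socket namespace (sun_path starting with a NUL
 * byte) is a Linux feature. Names below are this example's own. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Classify an AF_UNIX address as reported by getsockname()/getpeername():
 * 1 = abstract (leading NUL, no file), 0 = pathname (lives in the
 * filesystem), -1 = unnamed (length covers only sun_family). */
int unix_addr_kind(const struct sockaddr_un *sa, socklen_t len)
{
    if (len <= (socklen_t)offsetof(struct sockaddr_un, sun_path))
        return -1;
    return sa->sun_path[0] == '\0' ? 1 : 0;
}

/* Fill in an address for bind()/connect() and return its length.
 * For the abstract kind the name follows the leading NUL and is not
 * NUL terminated, so the length must be computed, not sizeof'd. */
static socklen_t make_addr(struct sockaddr_un *sa, const char *name, int abstract)
{
    size_t n = strlen(name);
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (abstract) {
        memcpy(sa->sun_path + 1, name, n);
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    }
    snprintf(sa->sun_path, sizeof sa->sun_path, "%s", name);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
}

/* Bind a listener of the requested kind, connect a client, pass one byte,
 * then check the filesystem: a pathname socket must have left an inode
 * (that inode is what file permissions mediate), an abstract one must not.
 * Returns the kind reported by getsockname() (0 pathname, 1 abstract) on
 * success, -1 on a socket error, -2 if the inode check does not match. */
int unix_roundtrip(const char *name, int abstract)
{
    struct sockaddr_un sa, bound;
    socklen_t len = make_addr(&sa, name, abstract), blen = sizeof bound;
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    int cli = socket(AF_UNIX, SOCK_STREAM, 0);
    int conn = -1, rc = -1, kind;
    char c = 0;
    struct stat st;

    if (srv < 0 || cli < 0) goto out;
    if (!abstract) unlink(name);            /* drop a stale file from an earlier run */
    if (bind(srv, (struct sockaddr *)&sa, len) < 0 || listen(srv, 1) < 0) goto out;
    if (getsockname(srv, (struct sockaddr *)&bound, &blen) < 0) goto out;
    kind = unix_addr_kind(&bound, blen);
    if (connect(cli, (struct sockaddr *)&sa, len) < 0) goto out;
    conn = accept(srv, NULL, NULL);
    if (conn < 0) goto out;
    if (write(cli, "x", 1) != 1 || read(conn, &c, 1) != 1 || c != 'x') goto out;
    /* inode present exactly when the socket is the pathname kind */
    rc = ((stat(name, &st) == 0) == !abstract) ? kind : -2;
out:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    if (!abstract) unlink(name);
    return rc;
}

int main(void)
{
    printf("pathname socket: %d\n", unix_roundtrip("/tmp/lxc-example.sock", 0));
    printf("abstract socket: %d\n", unix_roundtrip("/tmp/lxc-example-abstract", 1));
    return 0;
}
```

Run it inside a container with a separate network namespace and the abstract round trip still succeeds, but only against peers in the same namespace; the pathname socket, by contrast, is reachable from wherever the path is mounted, which is why the bind-mount case in this thread is decided by file rules rather than by the `unix peer=` lines.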