[lxc-devel] [PATCH 2/2] apparmor: restrict signal and ptrace
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Sep 25 17:00:48 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Thu, Sep 25, 2014 at 03:40:08PM +0000, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > On Thu, Sep 25, 2014 at 02:47:08PM +0000, Serge Hallyn wrote:
> > > > restrict signal and ptrace for processes running under the container profile.
> > > > Rules based on AppArmor base abstraction. Add unix rules for processes running
> > > > under the container profile.
> > > >
> > > > Author: Jamie Strandboge <jamie at canonical.com>
> > > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > > > ---
> > > > config/apparmor/abstractions/container-base.in | 36 +++++++++++++++++++++++---
> > > > 1 file changed, 32 insertions(+), 4 deletions(-)
> > > >
> > > > diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
> > > > index 096d35b..0aee5ee 100644
> > > > --- a/config/apparmor/abstractions/container-base.in
> > > > +++ b/config/apparmor/abstractions/container-base.in
> > > > @@ -3,11 +3,39 @@
> > > > file,
> > > > umount,
> > > >
> > > > - # The following 3 entries are only supported by recent apparmor versions.
> > > > - # Comment them if the apparmor parser doesn't recognize them.
> > > > + # dbus, signal, ptrace and unix are only supported by recent apparmor
> > > > + # versions. Comment them if the apparmor parser doesn't recognize them.
> > > > +
> > > > + # This also needs additional rules to reach outside of the container via DBus, so
> > > > + # just let all of DBus within the container.
> > > > dbus,
> > > > - signal,
> > > > - ptrace,
> > > > +
> > > > + # Allow unconfined to signal us
> > > > + signal (receive) peer=unconfined,
> > > > + signal (receive) peer=/usr/bin/lxc-start,
> > > > +
> > > > + # Allow us to send signals to ourselves
> > > > + signal peer=@{profile_name},
> > > > +
> > > > + # Allow other processes to read our /proc entries, futexes, perf tracing and
> > > > + # kcmp for now (they will need 'read' in the first place). Administrators can
> > > > + # override with:
> > > > + # deny ptrace (readby) ...
> > > > + ptrace (readby),
> > > > +
> > > > + # Allow other processes to trace us by default (they will need 'trace' in
> > > > + # the first place). Administrators can override with:
> > > > + # deny ptrace (tracedby) ...
> > > > + ptrace (tracedby),
> > > > +
> > > > + # Allow us to ptrace ourselves
> > > > + ptrace peer=@{profile_name},
> > > > +
> > > > + # Allow unconfined processes to us via unix sockets
> > > > + unix (receive) peer=(label=unconfined),
> > > > +
> > > > + # Allow all unix in the container
> > > > + unix peer=(label=@{profile_name}),
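Review bot: the comment above `unix (receive) peer=(label=unconfined),` is missing its verb ("Allow unconfined processes to us via unix sockets"); suggest `# Allow unconfined processes to talk to us via unix sockets`, which also matches the `(receive)`-only permission the rule actually grants. A second point in the same hunk: `signal (receive) peer=/usr/bin/lxc-start,` hard-codes the install path, so on a build with a different bindir lxc-start's signals to the container will no longer match the rule; since this file is already a `.in` template, substituting the configured bindir at build time would avoid that. Finally, the rewritten header comment still says "Comment them if the apparmor parser doesn't recognize them", but the rules are now spread over several blocks rather than three adjacent lines; a short note that all of the signal/ptrace/unix lines below have to go together would help whoever has to do that.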
> > >
> > > That suggests we can't then bind-mount a socket into the container and
> > > have the container connect to it because the peer won't be running under
> >
> > Wrong. That socket will be mediated using file perms. That's why
> > cgmanager still works with this patch.
>
> I'm really confused as to what that rule is supposed to allow then, does
> all the above only apply to abstract sockets then?
No, I assume also to sockets which are passed in or inherited
as an fd.
> If so, why do we care when we have a separate netns which prevents us
> from talking to host abstract sockets anyway.
I've felt the same way about the signals part. The answer is
"defense in depth". Basically if an attack finds a way around
the first layer, we have a second layer to protect you. Most of
me feels the same way you do. Then a small part remembers for
instance the CLONE_FS|CLONE_NEWUSER "oopsie".
-serge
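The exchange above distinguishes three ways a process can end up on a unix socket: a pathname socket bind-mounted into the container (which Serge says is mediated by file permissions, not by the `unix` rules), an abstract socket (no inode, so nothing for file rules to match), and a descriptor that was passed in or inherited. The script below is an added example, not code from the thread or from LXC, that constructs all three cases so the difference is concrete; the claim about which case AppArmor's file rules cover is taken from the reply above and is not exercised here, since the script runs with no profile loaded. Function and socket names are the example's own.

```python
"""Added example (not from lxc-devel or LXC): the three unix-socket cases the
thread distinguishes.  Nothing here loads or checks an AppArmor profile; the
comments only restate which rule family would mediate each case."""
import os
import socket
import tempfile


def pathname_socket_roundtrip(payload: bytes) -> tuple:
    """Pathname socket: it has an inode, so a confined client needs file
    access to the path (the case a bind-mounted socket falls into)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        conn, _ = srv.accept()
        cli.sendall(payload)
        data = conn.recv(len(payload))
        exists = os.path.exists(path)      # True: the socket is a filesystem object
        for s in (conn, cli, srv):
            s.close()
        return data, exists


def abstract_socket_roundtrip(name: bytes, payload: bytes) -> tuple:
    """Abstract socket: the address is a leading NUL plus a name, there is no
    filesystem entry at all, so only peer-label rules could mediate it."""
    addr = b"\0" + name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(addr)
    srv.listen(1)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(addr)
    conn, _ = srv.accept()
    cli.sendall(payload)
    data = conn.recv(len(payload))
    bound = srv.getsockname()              # bytes beginning with b"\0"
    for s in (conn, cli, srv):
        s.close()
    return data, bound


def passed_fd_roundtrip(payload: bytes) -> bytes:
    """Passed descriptor: the receiver never names the socket; it gets an
    already-connected fd over SCM_RIGHTS and just writes into it (the
    'passed in or inherited as an fd' case)."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    carrier_tx, carrier_rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    socket.send_fds(carrier_tx, [b"fd"], [b.fileno()])
    _msg, fds, _flags, _addr = socket.recv_fds(carrier_rx, 16, 1)
    passed = socket.socket(fileno=fds[0])  # new fd, same open file description as b
    passed.sendall(payload)
    data = a.recv(len(payload))
    for s in (a, b, carrier_tx, carrier_rx, passed):
        s.close()
    return data


if __name__ == "__main__":
    print("pathname:", pathname_socket_roundtrip(b"hello"))
    print("abstract:", abstract_socket_roundtrip(b"lxc-example-%d" % os.getpid(), b"hello"))
    print("passed fd:", passed_fd_roundtrip(b"hello"))
```

The abstract name should include something unique (the pid above) because the abstract namespace is shared by every process in the same network namespace, which is also why the separate netns Stéphane mentions already keeps a container away from host abstract sockets. Linux only; `socket.send_fds` needs Python 3.9 or later.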