[lxc-devel] [lxd/master] Apparmor

stgraber on Github lxc-bot at linuxcontainers.org
Tue Sep 27 23:39:28 UTC 2016


From 6fcacc181f006565033d3565b5070106253bd810 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 27 Sep 2016 16:06:53 -0400
Subject: [PATCH 1/3] apparmor: Block /sys/kernel when no stacking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/apparmor.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index 1b1d78a..802a789 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -338,6 +338,9 @@ func getAAProfileContent(c container) string {
 `
 			profile += fmt.Sprintf("  change_profile -> \":%s://*\",\n", AANamespace(c))
 		}
+	} else {
+		profile += "\n  ### Feature: apparmor stacking (not present)\n"
+		profile += "  deny /sys/k*{,/**} rwklx,\n"
 	}
 
 	if c.IsNesting() {
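Review bot: The glob in the added rule `deny /sys/k*{,/**} rwklx,` is wider than the `/sys/kernel` named in the subject line: it also matches any other top-level `/sys` entry whose name starts with `k`, which may be intentional but is not stated anywhere. I would make the intent visible in the comment that is written into the profile, e.g. `profile += "\n  ### Feature: apparmor stacking (not present) - deny /sys/kernel (glob deliberately wide)\n"`, or narrow the rule to `deny /sys/kernel{,/**} rwklx,` if the wider match is not wanted. The `if` that this `else` belongs to, and the rest of getAAProfileContent, are outside the hunk.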

From 9f4a96dc3b89fa7bd4cc8e6b9e46319ae205cdd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 27 Sep 2016 17:34:36 -0400
Subject: [PATCH 2/3] snappy: Add /snap/bin to PATH if present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_exec.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lxd/container_exec.go b/lxd/container_exec.go
index c42ba96..ec62d6e 100644
--- a/lxd/container_exec.go
+++ b/lxd/container_exec.go
@@ -282,6 +282,14 @@ func containerExecPost(d *Daemon, r *http.Request) Response {
 		}
 	}
 
+	_, ok := env["PATH"]
+	if !ok {
+		env["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		if shared.PathExists(fmt.Sprintf("%s/snap/bin", c.RootfsPath())) {
+			env["PATH"] = fmt.Sprintf("%s:/snap/bin", env["PATH"])
+		}
+	}
+
 	if post.WaitForWS {
 		ws := &execWs{}
 		ws.fds = map[int]string{}
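Review bot: The probe `shared.PathExists(fmt.Sprintf("%s/snap/bin", c.RootfsPath()))` on the added lines runs on the host against a path whose `snap` and `snap/bin` components live inside the container's rootfs, so if PathExists follows symlinks, a link planted there would be resolved with host-side privileges; the only visible outcome is whether `/snap/bin` gets appended to PATH, so the exposure is small, but a one-line comment noting that the check is host-side and only affects PATH would help the next reader judge it. Style-wise the lookup reads better as `if _, ok := env["PATH"]; !ok {`, and `filepath.Join(c.RootfsPath(), "snap", "bin")` builds the path without Sprintf. containerExecPost continues outside the hunk.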

From 82784db5d24c67dc7323cb0c771409bab4afda8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 27 Sep 2016 19:37:47 -0400
Subject: [PATCH 3/3] apparmor: Be less restrictive when unprivileged
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This change allows:
 - Various remount of /
 - pivot_root inside the container
 - All bind mounts

This can be used to bypass a bunch of our apparmor restrictions and so
would be completely unacceptable for privileged containers. But since we
use apparmor mostly as an added safety net for unprivileged containers,
this should be fine.

Those changes should help running snapd inside a container.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/apparmor.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index 802a789..cd4ac6c 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -250,6 +250,22 @@ const AA_PROFILE_NESTING = `
   mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,
 `
 
+const AA_PROFILE_UNPRIVILEGED = `
+  pivot_root,
+
+  mount options=(rw,make-slave) -> **,
+  mount options=(rw,make-rslave) -> **,
+  mount options=(rw,make-shared) -> **,
+  mount options=(rw,make-rshared) -> **,
+  mount options=(rw,make-private) -> **,
+  mount options=(rw,make-rprivate) -> **,
+  mount options=(rw,make-unbindable) -> **,
+  mount options=(rw,make-runbindable) -> **,
+
+  mount options=(rw,bind),
+  mount options=(rw,rbind),
+`
+
 func mkApparmorName(name string) string {
 	if len(name)+7 >= 253 {
 		hash := sha256.New()
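Review bot: `AA_PROFILE_UNPRIVILEGED` is an exported constant with no doc comment, and nothing in the code says why its rules are safe only for some containers; the `mount options=(rw,bind),` and `mount options=(rw,rbind),` lines restrict neither source nor target and `pivot_root,` is unrestricted, which the commit message explains but the file does not. I would add above the const: `// AA_PROFILE_UNPRIVILEGED holds the extra rules appended for unprivileged containers: unrestricted pivot_root, propagation changes and bind mounts. They weaken the profile and must only be applied where the user namespace provides the isolation.` mkApparmorName continues outside the hunk.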
@@ -352,6 +368,12 @@ func getAAProfileContent(c container) string {
 		}
 	}
 
+	if !c.IsPrivileged() {
+		// Apply unprivileged bits
+		profile += "\n  ### Configuration: unprivileged containers\n"
+		profile += strings.TrimLeft(AA_PROFILE_UNPRIVILEGED, "\n")
+	}
+
 	// Append raw.apparmor
 	rawApparmor, ok := c.ExpandedConfig()["raw.apparmor"]
 	if ok {
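Review bot: The inline comment `// Apply unprivileged bits` on the added block says what the code does but not why the relaxation is acceptable, and the header written into the generated profile, `### Configuration: unprivileged containers`, gives an operator reading the profile on disk no hint that mount and pivot_root rules have been loosened in this section. I would change the code comment to `// Unprivileged containers rely on the user namespace for isolation, so relax the mount/pivot_root rules (see AA_PROFILE_UNPRIVILEGED)` and the profile header to `"\n  ### Configuration: unprivileged containers (relaxed mount/pivot_root rules)\n"`. Note that the block is appended before raw.apparmor, so per-container raw rules still come after it. getAAProfileContent starts and ends outside the hunk.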

