[lxc-users] lxc-start fails at apparmor detection

Serge Hallyn serge.hallyn at ubuntu.com
Tue Aug 5 16:07:40 UTC 2014 

Quoting Tom Weber (l_lxc-users at mail2news.4t2.com):
> Hello,
> 
> my setup: 
> debian7 
> lxc-1.0.4 from debian testing
> vanilla kernel.org kernel 3.14.14
> 
> i'm new to lxc and apparmor, so this took me a couple of hours to
> figure:
> lxc-start won't assign an apparmor-profile to a container since it's
> test for apparmor will always fail on my setup:
> in src/lxc/lsm/apparmor:
> the apparmor_enabled() tests for AA_MOUNT_RESTR
> (/sys/kernel/security/apparmor/features/mount/mask) first, which will
> never exist without that apparmor mount patch in the kernel. 
> 
> commenting out that test gives me apparmor functionality (except for
> that mount feature of course).
> 
> Is that intentional or just an ancient relict? 
> I'd prefer to have apparmor profile support without mount restrictions
> over no apparmor profile support at all. apparmor gives me warnings
> like: 
> 
> Warning from /etc/apparmor.d/lxc-containers (/etc/apparmor.d/lxc-containers line 8): profile lxc-container-default mount rules not enforced
> 
> when starting up, which is what I expect and something I can deal with
> as admin. I think lxc-start should activate the requested profile
> anyway.
> 
> Oh, and a little log message wether lxc-start detected apparmor or not
> and activates it would be _very_ helpfull :)
> 
> related question: dropping sys_admin cap for the container should render
> all the mount protections from apparmor unnecessary, right?

What you say makes sense.  What do you think of the following (untested)
patch?

>From 05864ae7f8b42724fb15ddea8a6d3d3ea9cf8749 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Tue, 5 Aug 2014 11:01:55 -0500
Subject: [PATCH 1/1] apparmor: only warn if mount restrictions lacking

Up to now we've refused to load apparmor profiles if mount
restrictions are missing.  With this patch, we'll only warn
but continue loading the profile.

Lack of mount restrictions allows malicious container users
to work around file restrictions by say remounting /proc.
However, as Tom points out containers with no cap_sys_admin
are not vulnerable to this.  So it doesn't make sense to not
allow them to use apparmor as well.

Reported-by: Tom Weber <l_lxc-users at mail2news.4t2.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/lsm/apparmor.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index f4c8d26..e730aba 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -48,8 +48,10 @@ static int apparmor_enabled(void)
 	int ret;
 
 	ret = stat(AA_MOUNT_RESTR, &statbuf);
-	if (ret != 0)
-		return 0;
+	if (ret != 0) {
+		WARN("WARNING: Apparmor ount restrictions missing from kernel");
+		WARN("WARNING: mount restrictions will not be enforced");
+	}
 	fin = fopen(AA_ENABLED_FILE, "r");
 	if (!fin)
 		return 0;
-- 
2.0.1

More information about the lxc-users mailing list