[lxc-users] lxc-start fails at apparmor detection
Tom Weber
l_lxc-users at mail2news.4t2.com
Tue Aug 5 22:12:51 UTC 2014
On Tuesday, 05.08.2014, at 16:07 +0000, Serge Hallyn wrote:
> What you say makes sense. What do you think of the following (untested)
> patch?
>
> From 05864ae7f8b42724fb15ddea8a6d3d3ea9cf8749 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> Date: Tue, 5 Aug 2014 11:01:55 -0500
> Subject: [PATCH 1/1] apparmor: only warn if mount restrictions lacking
>
> Up to now we've refused to load apparmor profiles if mount
> restrictions are missing. With this patch, we'll only warn
> but continue loading the profile.
>
> Lack of mount restrictions allows malicious container users
> to work around file restrictions by say remounting /proc.
> However, as Tom points out containers with no cap_sys_admin
> are not vulnerable to this. So it doesn't make sense to not
> allow them to use apparmor as well.
>
> Reported-by: Tom Weber <l_lxc-users at mail2news.4t2.com>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
> src/lxc/lsm/apparmor.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index f4c8d26..e730aba 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -48,8 +48,10 @@ static int apparmor_enabled(void)
> int ret;
>
> ret = stat(AA_MOUNT_RESTR, &statbuf);
> - if (ret != 0)
> - return 0;
> + if (ret != 0) {
> + WARN("WARNING: Apparmor ount restrictions missing from kernel");
> + WARN("WARNING: mount restrictions will not be enforced");
> + }
> fin = fopen(AA_ENABLED_FILE, "r");
> if (!fin)
> return 0;
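
Review bot: With the early `return 0` dropped from the `stat(AA_MOUNT_RESTR, &statbuf)` failure branch, the function now carries on for every container, while the commit message only justifies that for containers without cap_sys_admin. Nothing in this hunk tests for that capability, and `apparmor_enabled(void)` has no container context to test it with, so a container that keeps cap_sys_admin gets its profile loaded with mount rules unenforced and only a log line to show for it. Consider making the relaxation conditional at a call site where the container's dropped capabilities are known, or at least have the warning say that containers retaining cap_sys_admin can work around file restrictions by remounting. In the first added WARN string "ount" should read "mount", and the "WARNING:" prefix looks redundant inside a WARN() call.
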
The patch works in the regard that the container starts and the apparmor
profile is set.

But I can't find the Warning message anywhere (tried lxc-start -n webv1
-d -l DEBUG) - but maybe that's a more general problem. Oh, and there is
a typo: Apparmor ount

My opinion as an admin is that this check isn't needed in lxc itself.
Apparmor spits a warning during aa lxc-profile loading - sane admins
wouldn't ignore this.

If one messes with the aa lxc-profiles and disables the mount
restrictions there, your check won't help (or report) anything - even on
a kernel with mount restriction patch.

All you can do is provide sane aa profiles in the lxc package - the rest
is aa related business, not lxc related.

But that's just my opinion.

Thanks a lot for the quick patch!
Tom