[lxc-users] lxc-start fails at apparmor detection

Serge Hallyn serge.hallyn at ubuntu.com
Tue Aug 5 23:34:35 UTC 2014


Quoting Tom Weber (l_lxc-users at mail2news.4t2.com):
> On Tuesday, 05.08.2014, at 16:07 +0000, Serge Hallyn wrote:
> 
> > What you say makes sense.  What do you think of the following (untested)
> > patch?
> > 
> > From 05864ae7f8b42724fb15ddea8a6d3d3ea9cf8749 Mon Sep 17 00:00:00 2001
> > From: Serge Hallyn <serge.hallyn at ubuntu.com>
> > Date: Tue, 5 Aug 2014 11:01:55 -0500
> > Subject: [PATCH 1/1] apparmor: only warn if mount restrictions lacking
> > 
> > Up to now we've refused to load apparmor profiles if mount
> > restrictions are missing.  With this patch, we'll only warn
> > but continue loading the profile.
> > 
> > Lack of mount restrictions allows malicious container users
> > to work around file restrictions by say remounting /proc.
> > However, as Tom points out containers with no cap_sys_admin
> > are not vulnerable to this.  So it doesn't make sense to not
> > allow them to use apparmor as well.
> > 
> > Reported-by: Tom Weber <l_lxc-users at mail2news.4t2.com>
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> >  src/lxc/lsm/apparmor.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> > index f4c8d26..e730aba 100644
> > --- a/src/lxc/lsm/apparmor.c
> > +++ b/src/lxc/lsm/apparmor.c
> > @@ -48,8 +48,10 @@ static int apparmor_enabled(void)
> >  	int ret;
> >  
> >  	ret = stat(AA_MOUNT_RESTR, &statbuf);
> > -	if (ret != 0)
> > -		return 0;
> > +	if (ret != 0) {
> > +		WARN("WARNING: Apparmor ount restrictions missing from kernel");
> > +		WARN("WARNING: mount restrictions will not be enforced");
> > +	}
> >  	fin = fopen(AA_ENABLED_FILE, "r");
> >  	if (!fin)
> >  		return 0;
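
Review bot: In the new `if (ret != 0)` block the function no longer returns and falls through to the AA_ENABLED_FILE check for every container, including ones that keep cap_sys_admin, which the commit message itself names as the case where missing mount restrictions can be worked around by remounting /proc. apparmor_enabled(void) takes no arguments, so it cannot tell whether the capability is being dropped; consider keeping `return 0` unless the caller can confirm cap_sys_admin is dropped, or moving the decision to a caller that has the container configuration. The first WARN string also reads "Apparmor ount restrictions" where "mount" is meant, and the literal "WARNING:" prefix looks redundant inside a call already named WARN.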
> 
> The patch works in the regard that the container starts and the apparmor
> profile is set. 
> But I can't find the warning message anywhere (tried lxc-start -n webv1
> -d -l DEBUG) - but maybe that's a more general problem. Oh, and there is
> a typo: Apparmor ount
> 
> My opinion as an admin is that this check isn't needed in lxc itself.
> Apparmor spits a warning during aa lxc-profile loading - sane admins
> wouldn't ignore this.

We're not just talking about "sane admins" though.  We're talking about
everyday users using containers.  And they're not building their own
misconfigured kernels.  It happens, certainly while using the development
release, that you get a kernel for which the apparmor set wasn't ready
yet and mount restrictions weren't ready.

Maybe the patch should be modified to only allow the container to
proceed if cap_sys_admin is being dropped.

Or maybe it's fine as is.  I'm feeling undecided.

> If one messes with the aa lxc-profiles and disables the mount
> restrictions there, your check won't help (or report) anything - even on
> a kernel with mount restriction patch.
> All you can do is provide sane aa profiles in the lxc package - the rest
> is aa related business, not lxc related.
> But that's just my opinion.
> 
> Thanks a lot for the quick patch!
>   Tom
> 
> 
> 