Quoting Stéphane Graber ([email protected]): > Signed-off-by: Stéphane Graber <[email protected]>
Acked-by: Serge E. Hallyn <[email protected]>
> ---
> config/Makefile.am | 2 +-
> config/apparmor/Makefile.am | 37 ++++++++++++++++
> config/apparmor/abstractions/container-base | 50 > ++++++++++++++++++++++
> config/apparmor/abstractions/start-container | 30 +++++++++++++
> config/apparmor/lxc-containers | 7 +++
> config/apparmor/profiles/lxc-default | 11 +++++
> config/apparmor/profiles/lxc-default-debootstrap | 18 ++++++++
> config/apparmor/profiles/lxc-default-with-mounting | 14 ++++++
> config/apparmor/profiles/lxc-default-with-nesting | 13 ++++++
> config/apparmor/usr.bin.lxc-start | 5 +++
> configure.ac | 1 +
> 11 files changed, 187 insertions(+), 1 deletion(-)
> create mode 100644 config/apparmor/Makefile.am
> create mode 100644 config/apparmor/abstractions/container-base
> create mode 100644 config/apparmor/abstractions/start-container
> create mode 100644 config/apparmor/lxc-containers
> create mode 100644 config/apparmor/profiles/lxc-default
> create mode 100644 config/apparmor/profiles/lxc-default-debootstrap
> create mode 100644 config/apparmor/profiles/lxc-default-with-mounting
> create mode 100644 config/apparmor/profiles/lxc-default-with-nesting
> create mode 100644 config/apparmor/usr.bin.lxc-start
>
> diff --git a/config/Makefile.am b/config/Makefile.am
> index 02ba9ce..f9ce6fb 100644
> --- a/config/Makefile.am
> +++ b/config/Makefile.am
> @@ -1 +1 @@
> -SUBDIRS = etc init templates
> +SUBDIRS = apparmor etc init templates
> diff --git a/config/apparmor/Makefile.am b/config/apparmor/Makefile.am
> new file mode 100644
> index 0000000..801866d
> --- /dev/null
> +++ b/config/apparmor/Makefile.am
> @@ -0,0 +1,37 @@
> +EXTRA_DIST = \
> + abstractions/container-base \
> + abstractions/start-container \
> + profiles/lxc-default \
> + profiles/lxc-default-with-mounting \
> + profiles/lxc-default-with-nesting \
> + lxc-containers \
> + usr.bin.lxc-start
> +
> +if ENABLE_APPARMOR
> +install-apparmor:
> + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
> + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> + $(INSTALL_DATA) abstractions/container-base > $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> + $(INSTALL_DATA) abstractions/start-container > $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> + $(INSTALL_DATA) profiles/lxc-default > $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> + $(INSTALL_DATA) profiles/lxc-default-with-mounting > $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> + $(INSTALL_DATA) profiles/lxc-default-with-nesting > $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
> + $(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
> + $(INSTALL_DATA) usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/
> +
> +uninstall-apparmor:
> + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.bin.lxc-start
> + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
> + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
> + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
> + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
> + rm -f > $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
> + rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
> + rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ || :
> + rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ || :
> + rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/ || :
> +
> +install-data-local: install-apparmor
> +uninstall-local: uninstall-apparmor
> +endif
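Review bot: The new `profiles/lxc-default-debootstrap` that this same patch adds (it is in the diffstat) is missing from this Makefile.am: it is not listed in EXTRA_DIST, `install-apparmor` never copies it and `uninstall-apparmor` never removes it, so it will be absent from the release tarball and from installed systems. Unless the omission is deliberate, add `profiles/lxc-default-debootstrap \` to EXTRA_DIST, `$(INSTALL_DATA) profiles/lxc-default-debootstrap $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/` to install-apparmor and `rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-debootstrap` to uninstall-apparmor; if it is deliberate, a one-line comment saying so would keep the next reader from re-adding it. Separately, `install-apparmor` and `uninstall-apparmor` name no files, so they should be declared with `.PHONY: install-apparmor uninstall-apparmor` so that a stray file of that name cannot make make consider the install already done.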
> diff --git a/config/apparmor/abstractions/container-base > b/config/apparmor/abstractions/container-base
> new file mode 100644
> index 0000000..9db94e7
> --- /dev/null
> +++ b/config/apparmor/abstractions/container-base
> @@ -0,0 +1,50 @@
> + network,
> + capability,
> + file,
> + umount,
> + dbus,
> +
> + # ignore DENIED message on / remount
> + deny mount options=(ro, remount) -> /,
> +
> + # allow tmpfs mounts everywhere
> + mount fstype=tmpfs,
> +
> + # allow mqueue mounts everywhere
> + mount fstype=mqueue,
> +
> + # allow fuse mounts everywhere
> + mount fstype=fuse.*,
> +
> + # allow bind mount of /lib/init/fstab for lxcguest
> + mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
> +
> + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
> + mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
> + deny @{PROC}/sys/fs/** wklx,
> +
> + # allow efivars to be mounted, writing to it will be blocked though
> + mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
> +
> + # block some other dangerous paths
> + deny @{PROC}/sysrq-trigger rwklx,
> + deny @{PROC}/mem rwklx,
> + deny @{PROC}/kmem rwklx,
> + deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
> + deny @{PROC}/sys/kernel/*/** wklx,
> +
> + # deny writes in /sys except for /sys/fs/cgroup, also allow
> + # fusectl, securityfs and debugfs to be mounted there (read-only)
> + mount fstype=fusectl -> /sys/fs/fuse/connections/,
> + mount fstype=securityfs -> /sys/kernel/security/,
> + mount fstype=debugfs -> /sys/kernel/debug/,
> + deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
> + mount fstype=proc -> /proc/,
> + mount fstype=sysfs -> /sys/,
> + deny /sys/[^f]*/** wklx,
> + deny /sys/f[^s]*/** wklx,
> + deny /sys/fs/[^c]*/** wklx,
> + deny /sys/fs/c[^g]*/** wklx,
> + deny /sys/fs/cg[^r]*/** wklx,
> + deny /sys/firmware/efi/efivars/** rwklx,
> + deny /sys/kernel/security/** rwklx,
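Review bot: `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` under "block some other dangerous paths" denies less than its placement suggests: each bracket class constrains one character position, so the rule only matches names whose first, second and third characters are simultaneously not `s`, `h` and `m`, and every entry whose name starts with `s`, has `h` in second position, has `m` in third position, or is shorter than three characters falls outside the deny and stays writable through the `file,` grant at the top. If the intent is to leave only the `shm*` sysctls writable, an alternation that enumerates the complement is exact: `deny @{PROC}/sys/kernel/{?,??,[^s]*,s[^h]*,sh[^m]*} wklx,`. A one-line comment naming the intended exception, e.g. `# everything in /proc/sys/kernel is read-only except shm*`, would make the rule checkable the next time it is touched.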
> diff --git a/config/apparmor/abstractions/start-container > b/config/apparmor/abstractions/start-container
> new file mode 100644
> index 0000000..56a8ec3
> --- /dev/null
> +++ b/config/apparmor/abstractions/start-container
> @@ -0,0 +1,30 @@
> + network,
> + capability,
> + file,
> + dbus,
> +
> + # currently blocked by apparmor bug
> + mount -> /usr/lib/*/lxc/{**,},
> + mount -> /usr/lib/lxc/{**,},
> + mount fstype=devpts -> /dev/pts/,
> + mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
> + mount fstype=debugfs,
> + # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
> + mount -> /var/lib/lxc/{**,},
> +
> + # required for some pre-mount hooks (like the new lxc-start-ephemeral)
> + mount fstype=overlayfs,
> + mount fstype=aufs,
> + mount fstype=ecryptfs,
> +
> + # all umounts are under the original root's /mnt, but right now we
> + # can't allow those umounts after pivot_root. So allow all umounts
> + # right now. They'll be restricted for the container at least.
> + umount,
> + #umount /mnt/{**,},
> +
> + pivot_root /usr/lib/*/lxc/,
> + pivot_root /usr/lib/lxc/root/,
> +
> + change_profile -> lxc-*,
> + change_profile -> unconfined,
> diff --git a/config/apparmor/lxc-containers b/config/apparmor/lxc-containers
> new file mode 100644
> index 0000000..0644cf2
> --- /dev/null
> +++ b/config/apparmor/lxc-containers
> @@ -0,0 +1,7 @@
> +# This file exists only to ensure that all per-container policies
> +# listed under /etc/apparmor.d/lxc get loaded at boot. Please do
> +# not edit this file.
> +
> +#include <tunables/global>
> +
> +#include <lxc>
> diff --git a/config/apparmor/profiles/lxc-default > b/config/apparmor/profiles/lxc-default
> new file mode 100644
> index 0000000..9a96a2e
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default
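Review bot: `change_profile -> unconfined,` at the end of start-container is the broadest right in the abstraction and carries no explanation, whereas the `umount,` rule above it documents why it is temporarily wide; a reader cannot tell whether dropping confinement entirely is required or a leftover. Presumably it serves containers configured to run without an AppArmor profile — please confirm against lxc-start's profile handling and record it, e.g. `# unconfined: for containers configured to run without a profile`. The `# currently blocked by apparmor bug` comment likewise sits above five mount rules without saying which one is affected or referencing the bug, and those are exactly the rules an operator will have to read when a container fails to start, so name the rule and the bug in that comment.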
> @@ -0,0 +1,11 @@
> +# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
> + #include <abstractions/lxc/container-base>
> +
> + # the container may never be allowed to mount devpts. If it does, it
> + # will remount the host's devpts. We could allow it to do it with
> + # the newinstance option (but, right now, we don't).
> + deny mount fstype=devpts,
> +}
> diff --git a/config/apparmor/profiles/lxc-default-debootstrap > b/config/apparmor/profiles/lxc-default-debootstrap
> new file mode 100644
> index 0000000..d5a5ac0
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default-debootstrap
> @@ -0,0 +1,18 @@
> +# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default-builder > flags=(attach_disconnected,mediate_deleted) {
> + #include <abstractions/lxc/container-base>
> +
> + # pbuilder
> + mount options=(rw,bind) -> /var/cache/pbuilder/**,
> + mount fstype=devpts -> /var/cache/pbuilder/**,
> + mount fstype=proc -> /var/cache/pbuilder/**,
> + mount fstype=sysfs -> /var/cache/pbuilder/**,
> +
> + # sbuild
> + mount options=(rw,bind) -> /var/lib/schroot/**,
> + mount fstype=devpts -> /var/lib/schroot/**,
> + mount fstype=proc -> /var/lib/schroot/**,
> + mount fstype=sysfs -> /var/lib/schroot/**,
> +}
> diff --git a/config/apparmor/profiles/lxc-default-with-mounting > b/config/apparmor/profiles/lxc-default-with-mounting
> new file mode 100644
> index 0000000..8a9a6b7
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default-with-mounting
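Review bot: `mount fstype=devpts -> /var/cache/pbuilder/**,` and the matching `/var/lib/schroot/**` rule in lxc-default-debootstrap allow what the lxc-default profile in this same patch says "may never be allowed": its comment explains that a container mounting devpts remounts the host's devpts unless the newinstance option is used, and nothing in this builder profile adds that restriction. The `mount fstype=proc` and `mount fstype=sysfs` rules also place those filesystems under prefixes that the deny rules in container-base (which are keyed on `@{PROC}/` and `/sys/`) do not cover, which is the "nonstandard locations" case the lxc-default-with-mounting comment says is deliberately disallowed; the `/var/cache/lxc/**` proc and sysfs rules in lxc-default-with-nesting have the same gap. If these relaxations are an accepted cost for a trusted build container, the header comment should say that this profile offers weaker isolation than lxc-default and why, e.g. `# NOTE: allows devpts, proc and sysfs under the pbuilder/schroot trees, which the container-base deny rules do not cover; trusted build containers only`; otherwise the proc/sysfs deny rules should be mirrored under the new mount prefixes.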
> @@ -0,0 +1,14 @@
> +# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default-with-mounting > flags=(attach_disconnected,mediate_deleted) {
> + #include <abstractions/lxc/container-base>
> +
> +# allow standard blockdevtypes.
> +# The concern here is in-kernel superblock parsers bringing down the
> +# host with bad data. However, we continue to disallow proc, sys, > securityfs,
> +# etc to nonstandard locations.
> + mount fstype=ext*,
> + mount fstype=xfs,
> + mount fstype=btrfs,
> +}
> diff --git a/config/apparmor/profiles/lxc-default-with-nesting > b/config/apparmor/profiles/lxc-default-with-nesting
> new file mode 100644
> index 0000000..245f2f8
> --- /dev/null
> +++ b/config/apparmor/profiles/lxc-default-with-nesting
> @@ -0,0 +1,13 @@
> +# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
> +# will source all profiles under /etc/apparmor.d/lxc
> +
> +profile lxc-container-default-with-nesting > flags=(attach_disconnected,mediate_deleted) {
> + #include <abstractions/lxc/container-base>
> + #include <abstractions/lxc/start-container>
> +
> + mount fstype=cgroup -> /sys/fs/cgroup/**,
> +
> + mount fstype=proc -> /var/cache/lxc/**,
> + mount fstype=sysfs -> /var/cache/lxc/**,
> + mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> > /var/cache/lxc/**/run/shm/,
> +}
> diff --git a/config/apparmor/usr.bin.lxc-start > b/config/apparmor/usr.bin.lxc-start
> new file mode 100644
> index 0000000..2f87cdd
> --- /dev/null
> +++ b/config/apparmor/usr.bin.lxc-start
> @@ -0,0 +1,5 @@
> +#include <tunables/global>
> +
> +/usr/bin/lxc-start flags=(attach_disconnected) {
> + #include <abstractions/lxc/start-container>
> +}
> diff --git a/configure.ac b/configure.ac
> index 6b93299..090ee16 100644
> --- a/configure.ac
> +++ b/configure.ac
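Review bot: In lxc-default-with-mounting the four comment lines from `# allow standard blockdevtypes.` onward sit at column 0 inside the profile braces while the `#include` and every mount rule are indented, unlike the comment placement in lxc-default and the abstractions; indent them to match. While reindenting, `mount fstype=ext*,` deserves a word in that comment saying the wildcard (rather than an explicit ext2/ext3/ext4 list) is intentional, since a reader cannot tell whether it was meant to cover future filesystem names too.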
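Review bot: `#include <abstractions/lxc/start-container>` in lxc-default-with-nesting pulls the lxc-start tool's own rights into a container profile: `change_profile -> unconfined,`, `umount,`, both `pivot_root` rules and the unrestricted `mount fstype=overlayfs`/`aufs`/`ecryptfs`/`debugfs` grants, so any process confined by lxc-container-default-with-nesting may request a transition to the unconfined profile. That may be the accepted cost of nesting, but the header is the same "Do not load this file" text as lxc-default and gives no hint of it; it should state plainly that this profile does not provide meaningful confinement, e.g. `# NOTE: includes start-container, which permits change_profile -> unconfined; use only for trusted containers`. If the nested lxc-start needs fewer rights than the host's, splitting the abstraction into the subset a nested instance actually uses would be the stricter fix.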
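Review bot: The attachment path `/usr/bin/lxc-start` in usr.bin.lxc-start is hard-coded, while the Makefile.am hunk installs the file verbatim with `$(INSTALL_DATA)`, so a build whose `bindir` is not `/usr/bin` installs a profile that never attaches and lxc-start runs unconfined with no error reported. If other install prefixes are supported, generate the profile from a configure-substituted template (an `.in` file using `@bindir@`) or at least state the assumption in a comment at the top of the file, e.g. `# attaches to lxc-start only when it is installed as /usr/bin/lxc-start`. The file name would need the same treatment, since it conventionally mirrors the attachment path.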
> @@ -547,6 +547,7 @@ AC_CONFIG_FILES([ > lxc.spec > > config/Makefile > + config/apparmor/Makefile > config/init/Makefile > config/init/sysvinit/Makefile > config/init/systemd/Makefile > -- > 1.8.5.2 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
