The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2431


=== Description (from pull-request) ===

From 6fcacc181f006565033d3565b5070106253bd810 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 27 Sep 2016 16:06:53 -0400
Subject: [PATCH 1/3] apparmor: Block /sys/kernel when no stacking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/apparmor.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index 1b1d78a..802a789 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -338,6 +338,9 @@ func getAAProfileContent(c container) string {
 `
                        profile += fmt.Sprintf("  change_profile -> 
\":%s://*\",\n", AANamespace(c))
                }
+       } else {
+               profile += "\n  ### Feature: apparmor stacking (not present)\n"
+               profile += "  deny /sys/k*{,/**} rwklx,\n"
        }
 
        if c.IsNesting() {
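Review bot: The new else branch denies `/sys/k*{,/**}` while the subject names /sys/kernel; `k*` also covers any other k-prefixed entry that may appear under /sys, so the rule is wider than documented, and if /sys/kernel is the intended target then `profile += "  deny /sys/kernel{,/**} rwklx,\n"` states it exactly (apparmor deny rules override allow rules, so placement within the profile does not matter). The branch also has no comment saying why the lack of stacking makes that tree dangerous; a line such as `// Without apparmor stacking, /sys/kernel (presumably the apparmor interface) must stay out of the container's reach - rationale to be confirmed` would help the next reader. getAAProfileContent starts and ends outside the hunk.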

From 9f4a96dc3b89fa7bd4cc8e6b9e46319ae205cdd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 27 Sep 2016 17:34:36 -0400
Subject: [PATCH 2/3] snappy: Add /snap/bin to PATH if present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/container_exec.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lxd/container_exec.go b/lxd/container_exec.go
index c42ba96..ec62d6e 100644
--- a/lxd/container_exec.go
+++ b/lxd/container_exec.go
@@ -282,6 +282,14 @@ func containerExecPost(d *Daemon, r *http.Request) 
Response {
                }
        }
 
+       _, ok := env["PATH"]
+       if !ok {
+               env["PATH"] = 
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+               if shared.PathExists(fmt.Sprintf("%s/snap/bin", 
c.RootfsPath())) {
+                       env["PATH"] = fmt.Sprintf("%s:/snap/bin", env["PATH"])
+               }
+       }
+
        if post.WaitForWS {
                ws := &execWs{}
                ws.fds = map[int]string{}
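Review bot: The lookup and the two path constructions in the added block read more idiomatically as `if _, ok := env["PATH"]; !ok {`, `filepath.Join(c.RootfsPath(), "snap", "bin")` and `env["PATH"] + ":/snap/bin"`, which keeps `ok` scoped to the if (avoiding a collision or shadowing with any later `ok` in this long function) and drops fmt for plain concatenation; filepath would need importing if the file does not already. If shared.PathExists stats through symlinks, the container's own rootfs contents decide whether /snap/bin is appended, which is acceptable since the result only affects the PATH handed to the process inside that container, but a one-line comment stating that would make the trust decision visible. containerExecPost starts and ends outside the hunk.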

From 82784db5d24c67dc7323cb0c771409bab4afda8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 27 Sep 2016 19:37:47 -0400
Subject: [PATCH 3/3] apparmor: Be less restrictive when unprivileged
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This change allows:
 - Various remount of /
 - pivot_root inside the container
 - All bind mounts

This can be used to bypass a bunch of our apparmor restrictions and so
would be completely unacceptable for privileged containers. But since we
use apparmor mostly as an added safety net for unprivileged containers,
this should be fine.

Those changes should help running snapd inside a container.

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/apparmor.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index 802a789..cd4ac6c 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -250,6 +250,22 @@ const AA_PROFILE_NESTING = `
   mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,
 `
 
+const AA_PROFILE_UNPRIVILEGED = `
+  pivot_root,
+
+  mount options=(rw,make-slave) -> **,
+  mount options=(rw,make-rslave) -> **,
+  mount options=(rw,make-shared) -> **,
+  mount options=(rw,make-rshared) -> **,
+  mount options=(rw,make-private) -> **,
+  mount options=(rw,make-rprivate) -> **,
+  mount options=(rw,make-unbindable) -> **,
+  mount options=(rw,make-runbindable) -> **,
+
+  mount options=(rw,bind),
+  mount options=(rw,rbind),
+`
+
 func mkApparmorName(name string) string {
        if len(name)+7 >= 253 {
                hash := sha256.New()
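Review bot: AA_PROFILE_UNPRIVILEGED is an exported constant without a doc comment, and nothing at the definition records the caveat the commit message gives: unrestricted `mount options=(rw,bind)` / `(rw,rbind)`, `pivot_root` and propagation changes on `**` defeat other restrictions in the profile and are tolerable only for unprivileged containers. A comment such as `// AA_PROFILE_UNPRIVILEGED holds rules appended only for unprivileged containers; they permit pivot_root, propagation changes and arbitrary bind mounts and must never be granted to privileged containers.` keeps that decision attached to the rules rather than to the git history. The ALL_CAPS name is not Go style but matches the existing AA_PROFILE_NESTING, so consistency with the file wins here.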
@@ -352,6 +368,12 @@ func getAAProfileContent(c container) string {
                }
        }
 
+       if !c.IsPrivileged() {
+               // Apply unprivileged bits
+               profile += "\n  ### Configuration: unprivileged containers\n"
+               profile += strings.TrimLeft(AA_PROFILE_UNPRIVILEGED, "\n")
+       }
+
        // Append raw.apparmor
        rawApparmor, ok := c.ExpandedConfig()["raw.apparmor"]
        if ok {
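Review bot: The comment `// Apply unprivileged bits` on the new block restates the code rather than the reasoning; replacing it with `// Unprivileged containers get looser mount/pivot_root rules (apparmor is only a safety net there); never apply these to privileged containers` captures what the commit message explains. Since apparmor deny rules take precedence over allow rules regardless of order, the `/sys/k*` deny added in patch 1 still holds after these allows, which is worth stating in the same comment so a later reorder is not mistaken for a regression. The section is appended just before raw.apparmor, so user-supplied rules can still extend it. getAAProfileContent starts and ends outside the hunk.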