Quoting Tom Weber ([email protected]):
> Hello,
> 
> my setup:
> debian7
> lxc-1.0.4 from debian testing
> vanilla kernel.org kernel 3.14.14
> 
> I'm new to lxc and apparmor, so this took me a couple of hours to
> figure:
> lxc-start won't assign an apparmor-profile to a container since its
> test for apparmor will always fail on my setup:
> in src/lxc/lsm/apparmor:
> the apparmor_enabled() tests for AA_MOUNT_RESTR
> (/sys/kernel/security/apparmor/features/mount/mask) first, which will
> never exist without that apparmor mount patch in the kernel.
> 
> commenting out that test gives me apparmor functionality (except for
> that mount feature of course).
> 
> Is that intentional or just an ancient relic?
> I'd prefer to have apparmor profile support without mount restrictions
> over no apparmor profile support at all. apparmor gives me warnings
> like:
> 
> Warning from /etc/apparmor.d/lxc-containers (/etc/apparmor.d/lxc-containers
> line 8): profile lxc-container-default mount rules not enforced
> 
> when starting up, which is what I expect and something I can deal with
> as admin. I think lxc-start should activate the requested profile
> anyway.
> 
> Oh, and a little log message whether lxc-start detected apparmor or not
> and activates it would be _very_ helpful :)
> 
> related question: dropping sys_admin cap for the container should render
> all the mount protections from apparmor unnecessary, right?
What you say makes sense. What do you think of the following (untested) patch?

From 05864ae7f8b42724fb15ddea8a6d3d3ea9cf8749 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <[email protected]>
Date: Tue, 5 Aug 2014 11:01:55 -0500
Subject: [PATCH 1/1] apparmor: only warn if mount restrictions lacking

Up to now we've refused to load apparmor profiles if mount restrictions
are missing. With this patch, we'll only warn but continue loading the
profile.

Lack of mount restrictions allows malicious container users to work
around file restrictions by say remounting /proc. However, as Tom
points out containers with no cap_sys_admin are not vulnerable to this.
So it doesn't make sense to not allow them to use apparmor as well.

Reported-by: Tom Weber <[email protected]>
Signed-off-by: Serge Hallyn <[email protected]>
---
 src/lxc/lsm/apparmor.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index f4c8d26..e730aba 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -48,8 +48,10 @@ static int apparmor_enabled(void) int ret; ret = stat(AA_MOUNT_RESTR, &statbuf); - if (ret != 0) - return 0; + if (ret != 0) { + WARN("WARNING: Apparmor ount restrictions missing from kernel"); + WARN("WARNING: mount restrictions will not be enforced"); + } fin = fopen(AA_ENABLED_FILE, "r"); if (!fin) return 0;
-- 
2.0.1

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
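Review bot: the first new WARN string in the `if (ret != 0)` block drops the "m" from "mount" ("Apparmor ount restrictions missing from kernel"); fix the spelling before this goes in, and drop the "WARNING:" prefix from both messages since WARN() already logs them at warning level. On the logic: the commit message justifies continuing without mount mediation on the grounds that a container with no cap_sys_admin cannot exploit it, but the hunk warns unconditionally and never consults the container's capability set, so an admin who keeps CAP_SYS_ADMIN sees exactly the same two lines as one who dropped it. At minimum the warning should say what is at stake (per the commit message, a container that retains CAP_SYS_ADMIN can remount /proc to work around the file rules) so it can be acted on; better still, gate the fallback on the container configuration rather than warning the same way for every start.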
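The two things this thread turns on are whether the kernel exposes AppArmor (and its mount mediation) in the files lxc probes, and whether lxc-start actually applied the requested profile to the container. The following is an added example, not part of the original message and not lxc's own code: it probes the same two kernel files that apparmor_enabled() consults (/sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/features/mount/mask) and then verifies the result by reading the running process's AppArmor label from /proc/<pid>/attr/current, which is where a silently skipped profile shows up as "unconfined". The AA_ROOT prefix is an assumption added so the functions can be exercised against a constructed fake /sys and /proc tree; on a real host it is left empty.

```shell
#!/bin/sh
# Added example (not lxc project code). Probes the kernel files that lxc's
# apparmor_enabled() consults, then verifies what was actually applied by
# reading a running process's AppArmor label from /proc/<pid>/attr/current.
# AA_ROOT is an assumed prefix (empty on a real host) so the functions can be
# exercised against a constructed fake /sys and /proc tree.

# aa_kernel_status: prints one word and returns 0 only if AppArmor is usable:
#   disabled          AppArmor is not enabled in this kernel
#   enabled-nomount   enabled, but no mount mediation (the vanilla 3.14 case)
#   enabled-mount     enabled with mount mediation
aa_kernel_status() {
    enabled_file="${AA_ROOT:-}/sys/module/apparmor/parameters/enabled"
    mount_mask="${AA_ROOT:-}/sys/kernel/security/apparmor/features/mount/mask"
    flag=""
    if [ -r "$enabled_file" ]; then
        read -r flag < "$enabled_file" || true   # file holds "Y" or "N"
    fi
    case "$flag" in
        Y*) ;;
        *)  echo disabled; return 1 ;;
    esac
    if [ -e "$mount_mask" ]; then
        echo enabled-mount
    else
        echo enabled-nomount
    fi
}

# aa_label_of <pid>: prints the AppArmor label of a process, e.g.
# "lxc-container-default (enforce)" or "unconfined"; "unknown" if unreadable.
aa_label_of() {
    attr="${AA_ROOT:-}/proc/$1/attr/current"
    if [ ! -r "$attr" ]; then
        echo unknown; return 1
    fi
    tr -d '\n' < "$attr"
    echo
}

# aa_check_container <init-pid> <profile>: succeeds only if the container's
# init is confined by <profile> in enforce mode. Run this after lxc-start:
# an lxc-start that skipped the profile leaves init "unconfined".
aa_check_container() {
    pid="$1"; want="$2"
    label="$(aa_label_of "$pid")" || true
    case "$label" in
        "$want (enforce)")
            echo "ok: pid $pid confined by $want (enforce)"; return 0 ;;
        "$want (complain)")
            echo "FAIL: pid $pid has $want in complain mode only"; return 1 ;;
        unconfined)
            echo "FAIL: pid $pid is unconfined; no profile was applied"; return 1 ;;
        *)
            echo "FAIL: pid $pid has label '$label'"; return 1 ;;
    esac
}
```

Usage on a host, sourcing the file and fetching the container's init pid with lxc-info (the `-pH` invocation is assumed from lxc-info's options): `. ./aa_check.sh; aa_kernel_status; aa_check_container "$(lxc-info -n mycontainer -pH)" lxc-container-default`. An `enabled-nomount` result together with an `ok:` line is the situation Tom describes: the profile is enforced, only its mount rules are not, which the commit message above treats as acceptable when the container has no cap_sys_admin (`lxc.cap.drop = sys_admin` in the container config) and as exploitable otherwise.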
