On Wed, Nov 04, 2020 at 11:31:54AM -0500, swarna latha wrote:
> 1. My process will be using a set of libraries and these libraries might be
> writing to some files in the rootfs or need some capabs. I don't see these
> files/capabs in my apparmor logs. Is this expected behaviour?

Hello Swarna, you'll need to give a lot more information for useful
feedback. What kernel are you using? What container system are you using?
How are you loading the profiles? What profiles are you loading? Can you
see the loading messages in the logs? Have you confirmed with simple test
programs that AppArmor is working at all in your environment?

> 2. Is there any limitation for apparmor to monitor applications running in a
> container, or is it the same as an application running in the host?

There's some subtlety to working with AppArmor in containers, yes; for
example, the chromium sandbox uses unprivileged user namespaces and then
proceeds to use capabilities 'within' that new user namespace. These
aren't "real" capabilities from the perspective of the outside world; they
shouldn't grant undue privileges to do things outside the container,
but within the container they should kind of work.

Here are some examples:

root@u20:/# mkdir /tmp/foo ; chmod 000 /tmp/foo
root@u20:/# echo "include <tunables/global> profile test { include <abstractions/base> /usr/bin/* rmix, /etc/** r, }" | apparmor_parser --replace
root@u20:/# aa-exec -p test cat /etc/shadow
root:*:18478:0:99999:7:::
[...]
root@u20:/# aa-exec -p test cat /root/.bashrc
cat: /root/.bashrc: Permission denied
root@u20:/# aa-exec -p test ls -l /tmp/foo
ls: cannot open directory '/tmp/foo': Permission denied

Within the container:
root@u20:/# ps auxwZ | grep sleep
test (enforce)                  root        1348  0.0  0.0   7228   460 pts/0    S    20:39   0:00 sleep 100
unconfined                      root        1353  0.0  0.0   8160   576 pts/0    S+   20:41   0:00 grep --color=auto sleep

Outside the container:
sarnold@millbarge:~$ ps auxwZ | grep sleep
lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:test (enforce) 1000000 410011 0.0  0.0 7228 460 pts/0 S 20:39   0:00 sleep 100
unconfined                      sarnold   410547  0.0  0.0   6772   568 pts/2    S+   20:40   0:00 grep --color=auto sleep


And AppArmor has logged these events:

sarnold@millbarge:~$ grep -e 'DENIED.*u20' -e 'operation="profile_load"' /var/log/audit/audit.log | tail -4
type=AVC msg=audit(1604521212.527:644468): apparmor="STATUS" operation="profile_load" label="lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:unconfined" name="test" pid=398872 comm="apparmor_parser"
type=AVC msg=audit(1604521274.330:644469): apparmor="DENIED" operation="open" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" name="/root/.bashrc" pid=399475 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=2  capname="dac_read_search"
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=1  capname="dac_override"

sarnold@millbarge:~$ uname -a
Linux millbarge 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Thanks



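As an added example (not part of Seth's reply or of AppArmor's own tooling), here is a small Python parser for audit records in the format shown above. It tells in-container denials apart from host ones by the namespace="root//..." field that only non-root policy namespaces carry, and reports the path or capability name each denial concerns; the sample input is the four records quoted in the message.

```python
import re
from collections import Counter

# The four audit records from the message above, used as sample input.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1604521212.527:644468): apparmor="STATUS" operation="profile_load" label="lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:unconfined" name="test" pid=398872 comm="apparmor_parser"
type=AVC msg=audit(1604521274.330:644469): apparmor="DENIED" operation="open" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" name="/root/.bashrc" pid=399475 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=2  capname="dac_read_search"
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=1  capname="dac_override"
"""

# key="quoted value" or key=bareword; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def in_container(record):
    """Records from a container's policy namespace carry namespace="root//<ns>";
    records from the host's root namespace omit the field entirely."""
    return "//" in record.get("namespace", "")


def denial_summary(record):
    """Return (namespace, profile, operation, target) for a DENIED record.
    File operations name the path; 'capable' names the denied capability."""
    if record.get("apparmor") != "DENIED":
        return None  # STATUS lines such as profile_load are not denials
    if record.get("operation") == "capable":
        target = record.get("capname")
    else:
        target = record.get("name")
    return (record.get("namespace", "root"), record["profile"],
            record["operation"], target)


def summarize(log_text):
    """Count denials per (namespace, profile, operation, target) in a log."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        summary = denial_summary(parse_record(line))
        if summary:
            counts[summary] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).items():
        print(n, *key)
```

Run against a real /var/log/audit/audit.log the same way, so the filter grep used above can be replaced with a per-profile tally of which paths and capabilities a container workload actually needs.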