On Wed, Nov 04, 2020 at 11:31:54AM -0500, swarna latha wrote:
> 1. My process will be using a set of libraries and these libraries might be
> writing to some files in the rootfs or need some capabs. I don't see these
> files/capabs in my apparmor logs. Is this expected behaviour?

Hello Swarna, you'll need to give a lot more information for useful
feedback. What kernel are you using? What container system are you using?
How are you loading the profiles? What profiles are you loading? Can you
see the loading messages in the logs? Have you confirmed with simple test
programs that AppArmor is working at all in your environment?

> 2. Is there any limitation for apparmor to monitor applications running in
> container or is it the same as an application running in the host?

There's some subtlety to working with AppArmor in containers, yes; for
example, the chromium sandbox uses unprivileged user namespaces and then
proceeds to use capabilities 'within' that new user namespace. These aren't
"real" capabilities from the perspective of the outside world, they
shouldn't grant undue privileges to do things outside the container, but
within the container they should kind of work.

Here are some examples:

root@u20:/# mkdir /tmp/foo ; chmod 000 /tmp/foo
root@u20:/# echo "include <tunables/global>
profile test {
  include <abstractions/base>
  /usr/bin/* rmix,
  /etc/** r,
}" | apparmor_parser --replace
root@u20:/# aa-exec -p test cat /etc/shadow
root:*:18478:0:99999:7:::
[...]
root@u20:/# aa-exec -p test cat /root/.bashrc
cat: /root/.bashrc: Permission denied
root@u20:/# aa-exec -p test ls -l /tmp/foo
ls: cannot open directory '/tmp/foo': Permission denied

Within the container:

root@u20:/# ps auxwZ | grep sleep
test (enforce)                  root        1348  0.0  0.0   7228   460 pts/0    S    20:39   0:00 sleep 100
unconfined                      root        1353  0.0  0.0   8160   576 pts/0    S+   20:41   0:00 grep --color=auto sleep

Outside the container:

sarnold@millbarge:~$ ps auxwZ | grep sleep
lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:test (enforce) 1000000  410011  0.0  0.0   7228   460 pts/0    S    20:39   0:00 sleep 100
unconfined                      sarnold   410547  0.0  0.0   6772   568 pts/2    S+   20:40   0:00 grep --color=auto sleep

And AppArmor has logged these events:

sarnold@millbarge:~$ grep -e 'DENIED.*u20' -e 'operation="profile_load"' /var/log/audit/audit.log | tail -4
type=AVC msg=audit(1604521212.527:644468): apparmor="STATUS" operation="profile_load" label="lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:unconfined" name="test" pid=398872 comm="apparmor_parser"
type=AVC msg=audit(1604521274.330:644469): apparmor="DENIED" operation="open" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" name="/root/.bashrc" pid=399475 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=2  capname="dac_read_search"
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=1  capname="dac_override"

sarnold@millbarge:~$ uname -a
Linux millbarge 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Thanks
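As an added example (not part of the reply above or of the AppArmor project), a small Python parser that groups the AppArmor DENIED records quoted in the reply by AppArmor namespace and profile, so a file denial and the missing capabilities reported for a container can be told apart from host events. It assumes that records carrying no namespace= field belong to the host's root AppArmor namespace.

```python
import re
from collections import defaultdict

# Audit records copied from the reply above (container-side denials seen from the host).
SAMPLE_LOG = r'''
type=AVC msg=audit(1604521212.527:644468): apparmor="STATUS" operation="profile_load" label="lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:unconfined" name="test" pid=398872 comm="apparmor_parser"
type=AVC msg=audit(1604521274.330:644469): apparmor="DENIED" operation="open" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" name="/root/.bashrc" pid=399475 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=2  capname="dac_read_search"
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=1  capname="dac_override"
'''

# key=value pairs; values are either double-quoted (may contain spaces, <, >, &) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def summarize_denials(text):
    """Group apparmor="DENIED" records by (namespace, profile).

    Assumption: a record without a namespace= field comes from a profile in
    the host's root namespace, so it is filed under "root".
    """
    summary = defaultdict(list)
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # STATUS/profile_load and other records are not denials
        ev = parse_audit_line(line)
        key = (ev.get('namespace', 'root'), ev.get('profile', '?'))
        if ev.get('operation') == 'capable':
            summary[key].append(f"{ev['comm']} needs capability {ev['capname']}")
        elif 'name' in ev:
            summary[key].append(f"{ev['comm']} denied {ev['denied_mask']} on {ev['name']}")
        else:
            summary[key].append(f"{ev['comm']} denied {ev['operation']}")
    return dict(summary)

if __name__ == "__main__":
    for (ns, profile), events in summarize_denials(SAMPLE_LOG).items():
        print(f"namespace={ns} profile={profile}")
        for e in events:
            print("  ", e)
```

Feeding it the output of the grep shown in the reply lists, per container namespace and profile, which path was refused and which capabilities the profile lacks, which is the information needed to decide whether a rule should be added.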
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor