The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2132
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
From cf1e6bddb7adb70365c64f30a298f0a4f68152c2 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho.ander...@canonical.com>
Date: Fri, 17 Jun 2016 17:51:17 +0000
Subject: [PATCH 1/2] apparmor: create an apparmor namespace for each container
Note that this only allows privileged containers to load apparmor profiles, and
only then with something like:
diff --git a/config/apparmor/abstractions/container-base
b/config/apparmor/abstractions/container-base
index fe24ff3..7138249 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,7 +93,7 @@
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
- deny /sys/kernel/security/** rwklx,
+ # deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ ->
/sys/fs/cgroup/cgmanager.lower/,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) ->
/sys/fs/cgroup/,
We'll need to do something with the permissions on
/sys/kernel/security/apparmor to allow unprivileged users to write to it. I'll
be in touch with the security team about that, but for now I don't think this
hurts anything.
Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com>
---
lxd/apparmor.go | 29 ++++++++++++++++++++---------
lxd/container_lxc.go | 4 +++-
test/suites/basic.sh | 5 +++--
3 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index ce25c50..2dabab9 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -49,7 +49,7 @@ const NESTING_AA_PROFILE = `
const DEFAULT_AA_PROFILE = `
#include <tunables/global>
-profile "%s" flags=(attach_disconnected,mediate_deleted) {
+profile "lxd-default" flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
# Special exception for cgroup namespaces
@@ -60,11 +60,14 @@ profile "%s" flags=(attach_disconnected,mediate_deleted) {
# nesting support goes here if needed
%s
- change_profile -> "%s",
+ change_profile -> ":%s://*",
}`
-func AAProfileFull(c container) string {
- lxddir := shared.VarPath("")
+func AANamespace(c container) string {
+ /* / is not allowed in apparmor namespace names; let's also trim the
+ * leading / so it doesn't look like "-var-lib-lxd"
+ */
+ lxddir := strings.Replace(shared.VarPath("")[1:], "/", "-", -1)
if len(c.Name())+len(lxddir)+7 >= 253 {
hash := sha256.New()
io.WriteString(hash, lxddir)
@@ -74,6 +77,10 @@ func AAProfileFull(c container) string {
return fmt.Sprintf("lxd-%s_<%s>", c.Name(), lxddir)
}
+func AAProfileFull(c container) string {
+ return fmt.Sprintf(":%s://lxd-default", AANamespace(c))
+}
+
func AAProfileShort(c container) string {
return fmt.Sprintf("lxd-%s", c.Name())
}
@@ -99,7 +106,7 @@ func getAAProfileContent(c container) string {
nesting = NESTING_AA_PROFILE
}
- return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileFull(c),
AAProfileCgns(), rawApparmor, nesting, AAProfileFull(c))
+ return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileCgns(), rawApparmor,
nesting, AANamespace(c))
}
func runApparmor(command string, c container) error {
@@ -108,6 +115,8 @@ func runApparmor(command string, c container) error {
}
cmd := exec.Command("apparmor_parser", []string{
+ "-n",
+ AANamespace(c),
fmt.Sprintf("-%sWL", command),
path.Join(aaPath, "cache"),
path.Join(aaPath, "profiles", AAProfileShort(c)),
@@ -165,14 +174,16 @@ func AALoadProfile(c container) error {
return runApparmor(APPARMOR_CMD_LOAD, c)
}
-// Ensure that the container's policy is unloaded to free kernel memory. This
-// does not delete the policy from disk or cache.
-func AAUnloadProfile(c container) error {
+// Ensure that the container's policy namespace is unloaded to free kernel
+// memory. This does not delete the policy from disk or cache.
+func AADestroyNamespace(c container) error {
if !aaAdmin {
return nil
}
- return runApparmor(APPARMOR_CMD_UNLOAD, c)
+ content := []byte(fmt.Sprintf(":%s:", AANamespace(c)))
+
+ return ioutil.WriteFile("/sys/kernel/security/apparmor/.remove",
content, 0)
}
// Parse the profile without loading it into the kernel.
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 24ff128..969ffab 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1423,7 +1423,9 @@ func (c *containerLXC) OnStop(target string) error {
}
// Unload the apparmor profile
- AAUnloadProfile(c)
+ if err := AADestroyNamespace(c); err != nil {
+ shared.Log.Error("failed to destroy apparmor namespace",
log.Ctx{"container": c.Name(), "err": err})
+ }
// FIXME: The go routine can go away once we can rely on LXC_TARGET
go func(c *containerLXC, target string, wg *sync.WaitGroup) {
diff --git a/test/suites/basic.sh b/test/suites/basic.sh
index 7e4f915..d2780e6 100644
--- a/test/suites/basic.sh
+++ b/test/suites/basic.sh
@@ -299,9 +299,10 @@ test_basic_usage() {
# check that an apparmor profile is created for this container, that it is
# unloaded on stop, and that it is deleted when the container is deleted
lxc launch testimage lxd-apparmor-test
- aa-status | grep "lxd-lxd-apparmor-test_<${LXD_DIR}>"
+ aa_namespace="lxd-lxd-apparmor-test_<$(echo ${LXD_DIR} | sed -e 's/\//-/g'
-e 's/^.//')>"
+ aa-status | grep ":${aa_namespace}://lxd-default"
lxc stop lxd-apparmor-test --force
- ! aa-status | grep -q "lxd-lxd-apparmor-test_<${LXD_DIR}>"
+ ! aa-status | grep -q ":${aa_namespace}://lxd-default"
lxc delete lxd-apparmor-test
[ ! -f "${LXD_DIR}/security/apparmor/profiles/lxd-lxd-apparmor-test" ]
From 9a0d3ac58d281d5bd67932247e52a6923b1b2d64 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho.ander...@canonical.com>
Date: Fri, 17 Jun 2016 18:12:46 +0000
Subject: [PATCH 2/2] tests: fix hang
lxc asks about the fingerprint more now, so let's tell it that fingerprint
is okay.
Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com>
---
test/main.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/main.sh b/test/main.sh
index 8fb8476..532e7d9 100755
--- a/test/main.sh
+++ b/test/main.sh
@@ -138,7 +138,7 @@ gen_cert() {
[ -f "${LXD_CONF}/${1}.crt" ] && return
mv "${LXD_CONF}/client.crt" "${LXD_CONF}/client.crt.bak"
mv "${LXD_CONF}/client.key" "${LXD_CONF}/client.key.bak"
- lxc_remote remote add "$(uuidgen)" https://0.0.0.0 || true
+ echo y | lxc_remote remote add "$(uuidgen)" https://0.0.0.0 || true
mv "${LXD_CONF}/client.crt" "${LXD_CONF}/${1}.crt"
mv "${LXD_CONF}/client.key" "${LXD_CONF}/${1}.key"
mv "${LXD_CONF}/client.crt.bak" "${LXD_CONF}/client.crt"
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
