The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2132
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From cf1e6bddb7adb70365c64f30a298f0a4f68152c2 Mon Sep 17 00:00:00 2001 From: Tycho Andersen <tycho.ander...@canonical.com> Date: Fri, 17 Jun 2016 17:51:17 +0000 Subject: [PATCH 1/2] apparmor: create an apparmor namespace for each container Note that this only allows privileged containers to load apparmor profiles, and only then with something like: diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base index fe24ff3..7138249 100644 --- a/config/apparmor/abstractions/container-base +++ b/config/apparmor/abstractions/container-base @@ -93,7 +93,7 @@ mount fstype=sysfs -> /sys/, mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, deny /sys/firmware/efi/efivars/** rwklx, - deny /sys/kernel/security/** rwklx, + # deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, We'll need to do something with the permissions on /sys/kernel/security/apparmor to allow unprivileged users to write to it. I'll be in touch with the security team about that, but for now I don't think this hurts anything. Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com> --- lxd/apparmor.go | 29 ++++++++++++++++++++--------- lxd/container_lxc.go | 4 +++- test/suites/basic.sh | 5 +++-- 3 files changed, 26 insertions(+), 12 deletions(-) diff --git a/lxd/apparmor.go b/lxd/apparmor.go index ce25c50..2dabab9 100644 --- a/lxd/apparmor.go +++ b/lxd/apparmor.go @@ -49,7 +49,7 @@ const NESTING_AA_PROFILE = ` const DEFAULT_AA_PROFILE = ` #include <tunables/global> -profile "%s" flags=(attach_disconnected,mediate_deleted) { +profile "lxd-default" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/lxc/container-base> # Special exception for cgroup namespaces @@ -60,11 +60,14 @@ profile "%s" flags=(attach_disconnected,mediate_deleted) { # nesting support goes here if needed %s - change_profile -> "%s", + change_profile -> ":%s://*", }` -func AAProfileFull(c container) string { - lxddir := shared.VarPath("") +func AANamespace(c container) string { + /* / is not allowed in apparmor namespace names; let's also trim the + * leading / so it doesn't look like "-var-lib-lxd" + */ + lxddir := strings.Replace(shared.VarPath("")[1:], "/", "-", -1) if len(c.Name())+len(lxddir)+7 >= 253 { hash := sha256.New() io.WriteString(hash, lxddir) @@ -74,6 +77,10 @@ func AAProfileFull(c container) string { return fmt.Sprintf("lxd-%s_<%s>", c.Name(), lxddir) } +func AAProfileFull(c container) string { + return fmt.Sprintf(":%s://lxd-default", AANamespace(c)) +} + func AAProfileShort(c container) string { return fmt.Sprintf("lxd-%s", c.Name()) } @@ -99,7 +106,7 @@ func getAAProfileContent(c container) string { nesting = NESTING_AA_PROFILE } - return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileFull(c), AAProfileCgns(), rawApparmor, nesting, AAProfileFull(c)) + return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileCgns(), rawApparmor, nesting, AANamespace(c)) } func runApparmor(command string, c container) error { @@ -108,6 +115,8 @@ func runApparmor(command string, c container) error { } cmd := exec.Command("apparmor_parser", []string{ + "-n", + AANamespace(c), fmt.Sprintf("-%sWL", command), path.Join(aaPath, "cache"), path.Join(aaPath, "profiles", AAProfileShort(c)), @@ -165,14 +174,16 @@ func AALoadProfile(c container) error { return runApparmor(APPARMOR_CMD_LOAD, c) } -// Ensure that the container's policy is unloaded to free kernel memory. This -// does not delete the policy from disk or cache. -func AAUnloadProfile(c container) error { +// Ensure that the container's policy namespace is unloaded to free kernel +// memory. This does not delete the policy from disk or cache. +func AADestroyNamespace(c container) error { if !aaAdmin { return nil } - return runApparmor(APPARMOR_CMD_UNLOAD, c) + content := []byte(fmt.Sprintf(":%s:", AANamespace(c))) + + return ioutil.WriteFile("/sys/kernel/security/apparmor/.remove", content, 0) } // Parse the profile without loading it into the kernel. diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go index 24ff128..969ffab 100644 --- a/lxd/container_lxc.go +++ b/lxd/container_lxc.go @@ -1423,7 +1423,9 @@ func (c *containerLXC) OnStop(target string) error { } // Unload the apparmor profile - AAUnloadProfile(c) + if err := AADestroyNamespace(c); err != nil { + shared.Log.Error("failed to destroy apparmor namespace", log.Ctx{"container": c.Name(), "err": err}) + } // FIXME: The go routine can go away once we can rely on LXC_TARGET go func(c *containerLXC, target string, wg *sync.WaitGroup) { diff --git a/test/suites/basic.sh b/test/suites/basic.sh index 7e4f915..d2780e6 100644 --- a/test/suites/basic.sh +++ b/test/suites/basic.sh @@ -299,9 +299,10 @@ test_basic_usage() { # check that an apparmor profile is created for this container, that it is # unloaded on stop, and that it is deleted when the container is deleted lxc launch testimage lxd-apparmor-test - aa-status | grep "lxd-lxd-apparmor-test_<${LXD_DIR}>" + aa_namespace="lxd-lxd-apparmor-test_<$(echo ${LXD_DIR} | sed -e 's/\//-/g' -e 's/^.//')>" + aa-status | grep ":${aa_namespace}://lxd-default" lxc stop lxd-apparmor-test --force - ! aa-status | grep -q "lxd-lxd-apparmor-test_<${LXD_DIR}>" + ! aa-status | grep -q ":${aa_namespace}://lxd-default" lxc delete lxd-apparmor-test [ ! -f "${LXD_DIR}/security/apparmor/profiles/lxd-lxd-apparmor-test" ] From 9a0d3ac58d281d5bd67932247e52a6923b1b2d64 Mon Sep 17 00:00:00 2001 From: Tycho Andersen <tycho.ander...@canonical.com> Date: Fri, 17 Jun 2016 18:12:46 +0000 Subject: [PATCH 2/2] tests: fix hang lxc asks about the fingerprint more now, so let's tell it that fingerprint is okay. Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com> --- test/main.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/main.sh b/test/main.sh index 8fb8476..532e7d9 100755 --- a/test/main.sh +++ b/test/main.sh @@ -138,7 +138,7 @@ gen_cert() { [ -f "${LXD_CONF}/${1}.crt" ] && return mv "${LXD_CONF}/client.crt" "${LXD_CONF}/client.crt.bak" mv "${LXD_CONF}/client.key" "${LXD_CONF}/client.key.bak" - lxc_remote remote add "$(uuidgen)" https://0.0.0.0 || true + echo y | lxc_remote remote add "$(uuidgen)" https://0.0.0.0 || true mv "${LXD_CONF}/client.crt" "${LXD_CONF}/${1}.crt" mv "${LXD_CONF}/client.key" "${LXD_CONF}/${1}.key" mv "${LXD_CONF}/client.crt.bak" "${LXD_CONF}/client.crt"
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel