On Tuesday, 05.08.2014, 16:07 +0000, Serge Hallyn wrote: > What you say makes sense. What do you think of the following (untested) > patch? > > From 05864ae7f8b42724fb15ddea8a6d3d3ea9cf8749 Mon Sep 17 00:00:00 2001 > From: Serge Hallyn <serge.hal...@ubuntu.com> > Date: Tue, 5 Aug 2014 11:01:55 -0500 > Subject: [PATCH 1/1] apparmor: only warn if mount restrictions lacking > > Up to now we've refused to load apparmor profiles if mount > restrictions are missing. With this patch, we'll only warn > but continue loading the profile. > > Lack of mount restrictions allows malicious container users > to work around file restrictions by say remounting /proc. > However, as Tom points out containers with no cap_sys_admin > are not vulnerable to this. So it doesn't make sense to not > allow them to use apparmor as well. > > Reported-by: Tom Weber <l_lxc-us...@mail2news.4t2.com> > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> > --- > src/lxc/lsm/apparmor.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c > index f4c8d26..e730aba 100644 > --- a/src/lxc/lsm/apparmor.c > +++ b/src/lxc/lsm/apparmor.c > @@ -48,8 +48,10 @@ static int apparmor_enabled(void) > int ret; > > ret = stat(AA_MOUNT_RESTR, &statbuf); > - if (ret != 0) > - return 0; > + if (ret != 0) { > + WARN("WARNING: Apparmor ount restrictions missing from kernel"); > + WARN("WARNING: mount restrictions will not be enforced"); > + } > fin = fopen(AA_ENABLED_FILE, "r"); > if (!fin) > return 0;
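Review bot: the first WARN string in the hunk has a typo, "Apparmor ount restrictions missing from kernel" should read "Apparmor mount restrictions missing from kernel". Beyond that, the warning is now unconditional: apparmor_enabled(void) has no access to the container's configuration, so it fires even for the containers the commit message says are not vulnerable (those started without cap_sys_admin) and cannot say which container is affected; consider emitting the warning from the per-container profile-loading path, where the dropped capabilities are known, and folding the two WARN calls into a single message so the log carries one clear line.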
The patch works in the regard that the container starts and the apparmor profile is set. But I can't find the warning message anywhere (tried lxc-start -n webv1 -d -l DEBUG) - but maybe that's a more general problem. Oh, and there is a typo: Apparmor ount

My opinion as an admin is that this check isn't needed in lxc itself. Apparmor spits a warning during aa lxc-profile loading - sane admins wouldn't ignore this. If one messes with the aa lxc-profiles and disables the mount restrictions there, your check won't help (or report) anything - even on a kernel with mount restriction patch. All you can do is provide sane aa profiles in the lxc package - the rest is aa related business, not lxc related. But that's just my opinion.

Thanks a lot for the quick patch!

Tom

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users