Bug#788656: lxc-start does not switch into AppArmor profiles for containers

2015-06-21 Thread Jason Briggs
Upon further check I can confirm the message written by intrigeri in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750106#117

With:
lxc-start -n myvm -l INFO -o ~/lxc_log.log

my container logs:
  lxc-start 1434864946.838 INFO lxc_lsm - LSM security driver nop

It must be because of this code in apparmor.c in lxc source (1.0.6-6):

#define AA_DEF_PROFILE "lxc-container-default"
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"

/* aa_getcon is not working right now.  Use our hand-rolled version below */
static int apparmor_enabled(void)
{
	struct stat statbuf;
	FILE *fin;
	char e;
	int ret;

	ret = stat(AA_MOUNT_RESTR, &statbuf);
	if (ret != 0)
		return 0;
	fin = fopen(AA_ENABLED_FILE, "r");
	if (!fin)
		return 0;
	ret = fscanf(fin, "%c", &e);
	fclose(fin);
	if (ret == 1 && e == 'Y')
		return 1;
	return 0;
}

when this returns false, it uses the nop lsm driver instead of apparmor.

/sys/kernel/security/apparmor/features/mount/mask is not on my system, i.e. no 
mount rules in this AppArmor version, so this must return false. On the Ubuntu 
system, the file is present so it works.

So Jessie apparmor still misses mount rules, even though it says it's package 
2.9.0-3.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
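The probe quoted above is easy to re-run by hand. The following shell function is an added example (not code from lxc or from this bug report): it performs the same two checks as apparmor_enabled(), stat() of the mount-mediation mask file and the first character of the AppArmor "enabled" parameter, and says which one would make lxc-start fall back to the "nop" LSM driver. The sysfs root is a parameter (an assumption of this script, not something lxc does) so the logic can be exercised against a constructed directory tree rather than only the live machine.

```shell
#!/bin/sh
# Added example (not code from lxc or from this bug report): re-run the probe
# that lxc 1.0.x's apparmor_enabled() in src/lxc/lsm/apparmor.c performs,
# and say which of the two files makes lxc-start fall back to the "nop" LSM
# driver. The kernel/sysfs root is a parameter so the logic can be exercised
# against a constructed directory tree instead of the live machine.

# Relative forms of the two paths the C code hard-codes.
AA_MOUNT_RESTR="sys/kernel/security/apparmor/features/mount/mask"
AA_ENABLED_FILE="sys/module/apparmor/parameters/enabled"

# lxc_lsm_driver ROOT
# Prints the driver name lxc_lsm would log ("apparmor" or "nop"), followed on
# the nop path by the reason, and returns 0 for apparmor / 1 for nop.
# Mirrors the C exactly: stat(AA_MOUNT_RESTR) must succeed, then the first
# character of AA_ENABLED_FILE must be 'Y'.
lxc_lsm_driver() {
    root=${1:-/}
    mask="${root%/}/$AA_MOUNT_RESTR"
    enabled="${root%/}/$AA_ENABLED_FILE"

    # stat() failing here is the jessie 3.16 case described in the thread:
    # AppArmor is on, but the kernel has no mount mediation, so the
    # features/mount/ directory does not exist.
    if [ ! -e "$mask" ]; then
        echo "nop: $mask missing (kernel lacks AppArmor mount mediation)"
        return 1
    fi
    if [ ! -r "$enabled" ]; then
        echo "nop: cannot open $enabled"
        return 1
    fi
    # fscanf(fin, "%c", &e) reads a single character; take the first one.
    IFS= read -r line < "$enabled" || :
    first=${line%"${line#?}"}
    if [ "$first" = "Y" ]; then
        echo "apparmor"
        return 0
    fi
    echo "nop: $enabled starts with '$first', not 'Y'"
    return 1
}

# Run against the live system when invoked as a script (not when sourced).
case "$0" in
    *lxc_lsm_probe*) lxc_lsm_driver "${1:-/}" ;;
esac
```

Saved as lxc_lsm_probe.sh and run as root on the affected Jessie host, the expected output is the "mask missing" line, which matches the "LSM security driver nop" entry in the lxc-start log; on a kernel with the mount-mediation patch it prints "apparmor".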



Bug#788656: lxc-start does not switch into AppArmor profiles for containers

2015-06-21 Thread Jason Briggs


Okay, sorry, I missed a message in the other bug where it says this is an apparmor 
kernel bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750106#102 . You 
can see that the content of 
kernel-patches/3.12/0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
in the apparmor-2.9.0 sources isn't applied in the linux-3.16.7-ckt11 Debian 
kernel sources. I will have to use Ubuntu. Thanks anyway.





Bug#788656: lxc-start does not switch into AppArmor profiles for containers

2015-06-14 Thread Jason Briggs


It still happens with the packages apparmor, apparmor-utils, apparmor-profiles, 
lxc from Sid installed in Jessie (after purging the old ones):
apparmor  2.9.2-3    amd64
lxc       1:1.0.7-3

At the time I could not get a fresh Stretch/Sid install to work so could not 
test that.





Bug#788656: lxc-start does not switch into AppArmor profiles for containers

2015-06-13 Thread Jason Briggs
Minor correction to report: "It shows lxc-container-default as not loaded" 
means to say "It shows lxc-container-default as not loaded for the process" 
(the profile itself is loaded but not applied).

In Jessie the package versions are:
lxc  1:1.0.6-6 amd64
apparmor 2.9.0-3   amd64

In the Ubuntu (LTS), the packages are these versions:
lxc       1.0.7-0ubuntu0.1        amd64
apparmor  2.8.95~2430-0ubuntu5.1  amd64

I also stumbled onto this message, only after reporting this bug (search failed 
me):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750106#117
> According to John Goerzen's report upstream, lxc-start is confined,
> but apparently the container is not. That might be a bug in our
> apparmor package. John, may you please check if processes inside
> the container are confined (e.g. the shell from which you're writing to
> /proc/sys/fs/...)?





Bug#788656: lxc-start does not switch into AppArmor profiles for containers

2015-06-13 Thread Pat Roberts
Package: lxc
Version: 1:1.0.6-6
Severity: important

Dear Maintainer,

lxc-start does not seem to switch lxc containers to the default profile.
aa-status reports lxc-start keeping the 'lxc-start' profile after the container
has launched.

I installed packages lxc, apparmor, apparmor-utils, apparmor-profiles* on 
jessie, fully patched.
AppArmor works fine for libvirt (qemu/kvm machine profiles) and all others. 

I created:
lxc-create -n myvm -t debian -- -r jessie
executed:
lxc-start -n myvm

However, when I run aa-status, the output is:

apparmor module is loaded.
68 profiles are loaded.
31 profiles are in enforce mode.
   [...]
   /usr/bin/lxc-start
   [...]
   lxc-container-default
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
37 profiles are in complain mode.
   [...]
18 processes have profiles defined.
14 processes are in enforce mode.
   /usr/bin/lxc-start (2596) 
   /usr/bin/lxc-start (2598) 
   /usr/bin/lxc-start (2620) 
   /usr/bin/lxc-start (2687) 
   /usr/bin/lxc-start (2693) 
   /usr/bin/lxc-start (2694) 
   /usr/bin/lxc-start (2695) 
   /usr/bin/lxc-start (2696) 
   /usr/bin/lxc-start (2697) 
   /usr/bin/lxc-start (3572) 
   /usr/bin/lxc-start (3573) 
   /usr/sbin/cups-browsed (1214) 
   /usr/sbin/cupsd (1210) 
   /usr/sbin/libvirtd (1166) 
4 processes are in complain mode.
   [...]
0 processes are unconfined but have a profile defined.

It shows lxc-container-default as not loaded.

Setting lxc.aa_profile = unconfined|lxc-container-default|lxc-default
in /var/lib/lxc/myvm/config all produce the same result.

I compared this to a Ubuntu installation with roughly the same steps.
Its output is:

21 processes are in enforce mode.
   /sbin/dhclient (897) 
   /usr/bin/lxc-start (2348) 
   /usr/sbin/cups-browsed (583) 
   /usr/sbin/cupsd (546) 
   lxc-container-default (2356) 
   lxc-container-default (2547) 
   lxc-container-default (2569) 
   lxc-container-default (2665) 
   lxc-container-default (2679) 
   lxc-container-default (2680) 
   lxc-container-default (2686) 
   lxc-container-default (2728) 
   lxc-container-default (2733) 
   lxc-container-default (2752) 
   lxc-container-default (2754) 
   lxc-container-default (2755) 
   lxc-container-default (2764) 
   lxc-container-default (2784) 
   lxc-container-default (2795) 
   lxc-container-default (2796) 
   lxc-container-default (2799) 
2 processes are in complain mode.

That is what I would expect.

So going by aa-status it appears LXC isn't switching to the container profile 
in Jessie. Unless I'm missing a package this would be a security issue.

Couldn't find anything specific in the logs, but it's not my forte.

Thank you


-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxc depends on:
ii  init-system-helpers  1.22
ii  libapparmor1         2.9.0-3
ii  libc6                2.19-18
ii  libcap2              1:2.24-8
ii  libseccomp2          2.1.1-1
ii  libselinux1          2.3-2
ii  multiarch-support    2.19-18
ii  python3              3.4.2-2

Versions of packages lxc recommends:
ii  debootstrap  1.0.67
ii  openssl      1.0.1k-3+deb8u1
ii  rsync        3.1.1-3

Versions of packages lxc suggests:
pn  lua5.2  none

-- no debconf information


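The report above infers the missing profile switch from the aa-status listing, and the quoted request from the other bug asks for the same thing: check whether the processes inside the container are actually confined. The kernel exposes that directly in /proc/PID/attr/current, which is also what aa-status reads. The following script is an added example, not code from the bug report, lxc or apparmor-utils: it walks the container's process tree from its init PID, prints each process's label, and counts how many are not under the expected profile, so "still in /usr/bin/lxc-start" (Jessie) is distinguished from "lxc-container-default" (Ubuntu) and from plain "unconfined". The /proc location is a parameter (an assumption of this script) so a constructed tree can stand in for a live system; the PIDs in the usage notes are modelled on the report. It assumes `lxc-info -n NAME -p` prints the container init PID as "PID: <n>", as lxc 1.0 does.

```shell
#!/bin/sh
# Added example (not code from the bug report, lxc or apparmor-utils): read the
# AppArmor label the kernel reports for each process in a container's tree via
# /proc/PID/attr/current, the same source aa-status summarises. This tells
# "stayed in /usr/bin/lxc-start" apart from "unconfined" directly, and counts
# how many processes are not under the profile you expect. PROC is a parameter
# (normally /proc) so a constructed tree can stand in for a live system.

# aa_label PROC PID: print the label ("lxc-container-default (enforce)",
# "unconfined", ...) or "?" when the attr file is absent or unreadable.
aa_label() {
    label=
    if [ -r "$1/$2/attr/current" ]; then
        IFS= read -r label < "$1/$2/attr/current" || :
    fi
    printf '%s\n' "${label:-?}"
}

# descendants PROC PID: print every PID whose parent chain reaches PID, found
# by matching the "PPid:" line of /proc/*/status (breadth-first, no recursion,
# since POSIX sh has no local variables).
descendants() {
    proc=$1
    queue=$2
    while [ -n "$queue" ]; do
        parent=${queue%% *}
        queue=${queue#"$parent"}; queue=${queue# }
        for d in "$proc"/[0-9]*; do
            [ -f "$d/status" ] || continue
            ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$d/status")
            if [ "$ppid" = "$parent" ]; then
                child=${d##*/}
                echo "$child"
                queue="${queue:+$queue }$child"
            fi
        done
    done
}

# container_labels PROC INIT_PID: one "PID label" line for the container init
# and all of its descendants.
container_labels() {
    for p in $2 $(descendants "$1" "$2"); do
        printf '%s %s\n' "$p" "$(aa_label "$1" "$p")"
    done
}

# unconfined_count PROC INIT_PID PROFILE: number of processes in that tree
# whose label does not start with PROFILE (0 means the switch happened for all).
unconfined_count() {
    container_labels "$1" "$2" | awk -v prof="$3" '$2 != prof { n++ } END { print n + 0 }'
}

# On a live host, `lxc-info -n NAME -p` prints "PID: <init pid>" (lxc 1.0),
# so the whole check for the container in the report is (run as root):
#   init=$(lxc-info -n myvm -p | sed -n 's/^PID:[[:space:]]*//p')
#   container_labels /proc "$init"
#   unconfined_count /proc "$init" lxc-container-default
```

On the Jessie host from the report every line should come back as "/usr/bin/lxc-start (enforce)" and the count equals the number of processes in the container; on the Ubuntu host the labels read "lxc-container-default (enforce)" and the count is 0. A label of "unconfined" on a system where apparmor_enabled() succeeded would point at a different problem (for example lxc.aa_profile = unconfined in the container config).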