[Touch-packages] [Bug 1652101] Re: Can't create nested AppArmor namespaces

2019-07-24 Thread Brad Figg
** Tags added: cscc

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1652101

Title:
  Can't create nested AppArmor namespaces

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  A user with CAP_MAC_ADMIN in the init namespace can create an AppArmor
  policy namespace and load a profile belonging to that AppArmor
  namespace. Once that's done, the user can confine a process with that
  namespaced AppArmor profile and enter into a user namespace. That
  process can then load additional AppArmor profiles inside of the
  AppArmor and user namespace. Here's an example:

  We need to set up the namespace, n1, and load the profile, p1.
  $ export rules="file, signal, unix, dbus, ptrace, mount, pivot_root, capability,"
  $ sudo mkdir /sys/kernel/security/apparmor/policy/namespaces/n1
  $ echo "profile p1 { $rules }" | sudo apparmor_parser -qrn n1

  Now we enter into confinement using the AppArmor namespace and profile
  and then enter into an unprivileged user namespace.
  $ aa-exec -n n1 -p p1 -- unshare -Ur

  We can now load profiles as the privileged user inside of the
  unprivileged user namespace.
  # echo "profile test {}" | apparmor_parser -qr

  The reason for this bug report is that we cannot create a nested
  AppArmor policy namespace inside of the unprivileged user namespace.

  # mkdir /sys/kernel/security/apparmor/policy/namespaces/n1/namespaces/p1
  mkdir: cannot create directory ‘/sys/kernel/security/apparmor/policy/namespaces/n1/namespaces/p1’: Permission denied

  If that worked, we could adjust LXD to read
  /sys/kernel/security/apparmor/.ns_name to get the current AppArmor
  namespace, then create a new namespace under the current namespace,
  and leverage the nested namespace for its nested containers.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1652101/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
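A probe for the check the bug description proposes LXD perform (read .ns_name, derive the nested namespace directory, attempt to create it), written here as an added example; it is not code from the bug report or from LXD. AA_ROOT, the function names, the directory layout taken from the report's mkdir, and the treatment of an empty or "root" .ns_name as the root namespace are assumptions.

```shell
#!/bin/sh
# Added example: probe whether a nested AppArmor policy namespace can be
# created under the current one. Not code from the bug report or from LXD.
# Assumption: AA_ROOT is the apparmorfs mount; overridable for testing.
AA_ROOT="${AA_ROOT:-/sys/kernel/security/apparmor}"
# Name of the current policy namespace, read from the .ns_name file the
# report proposes LXD use. Assumption: empty output or "root" means the
# root namespace.
aa_current_ns() {
  n="$(cat "$AA_ROOT/.ns_name" 2>/dev/null || true)"
  case "$n" in root) n="" ;; esac
  printf '%s\n' "$n"
}

# Directory for child namespace $2 under parent $1, following the layout
# the report's mkdir uses: policy/namespaces/<parent>/namespaces/<child>.
aa_nested_ns_dir() {
  if [ -z "$1" ]; then
    printf '%s\n' "$AA_ROOT/policy/namespaces/$2"
  else
    printf '%s\n' "$AA_ROOT/policy/namespaces/$1/namespaces/$2"
  fi
}

# Try to create the child namespace, then remove it again. Returns 0 on
# success, 2 when the kernel answers "Permission denied" (the failure the
# report shows), 1 for any other error.
aa_probe_nested_ns() {
  dir="$(aa_nested_ns_dir "$1" "$2")"
  if err="$(LC_ALL=C mkdir "$dir" 2>&1 >/dev/null)"; then
    rmdir "$dir"
    return 0
  fi
  case "$err" in
    *"Permission denied"*) return 2 ;;
    *) return 1 ;;
  esac
}

# Human-readable verdict for child $1; exit status mirrors the probe.
aa_probe_report() {
  parent="$(aa_current_ns)"
  rc=0
  aa_probe_nested_ns "$parent" "$1" || rc=$?
  case $rc in
    0) echo "ok: '$1' can be nested under '${parent:-root}'" ;;
    2) echo "refused: kernel denied nesting '$1' under '${parent:-root}'" ;;
    *) echo "error: could not probe (securityfs mounted? AppArmor enabled?)" ;;
  esac
  return $rc
}

# Usage: sh probe.sh <child-namespace-name>; with no argument only defines functions.
if [ -n "${1:-}" ]; then aa_probe_report "$1"; fi
```

Run it from inside the confined user namespace the report sets up (after the `aa-exec ... unshare -Ur` step) to get the report's "Permission denied" result as exit status 2 rather than a bare mkdir error.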


[Touch-packages] [Bug 1652101] Re: Can't create nested AppArmor namespaces

2019-03-18 Thread John Johansen
It is fixed to the degree it can be fixed until upstream agrees on
changes in the LSM layer.

The apparmor devs certainly can do the work of proposing new hooks, etc.
that are necessary, but it hasn't been the highest priority item. I will
note that this is a high priority item, just that others have been
ranked higher.

There is hope that someone can return to this soon.


[Touch-packages] [Bug 1652101] Re: Can't create nested AppArmor namespaces

2019-03-18 Thread brian mullan
How does this get assigned to someone so it might get fixed?


[Touch-packages] [Bug 1652101] Re: Can't create nested AppArmor namespaces

2019-01-16 Thread brian mullan
From what I understand, LXD is moving toward SNAP LXD as a default, so
not being able to run SNAP in an LXD container configured for "nesting":

re -

lxc config set  security.nesting true

is basically going to prevent LXD from being used for Nested Containers.


[Touch-packages] [Bug 1652101] Re: Can't create nested AppArmor namespaces

2019-01-16 Thread Tyler Hicks
** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => Confirmed

** Changed in: apparmor
   Importance: Undecided => Medium


[Touch-packages] [Bug 1652101] Re: Can't create nested AppArmor namespaces

2018-12-31 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed


[Touch-packages] [Bug 1652101] Re: Can't create nested AppArmor namespaces

2018-03-15 Thread Tyler Hicks
** Summary changed:

- Can't created nested AppArmor namespaces
+ Can't create nested AppArmor namespaces
