Public bug reported:

I had an old stale apparmor profile from mysql that did not allow
writing to /run/mysql/mysqld.sock on my 11.10 host system.  Upon trying
to install and run mysqld in an oneiric container, it was unable to
start because apparmor was denying it access:


[48692.230635] type=1400 audit(1318893995.329:62): apparmor="DENIED" operation="mknod" parent=9502 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=14293 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=103 ouid=103

The rules inside the guest for apparmor were permissive of this, but the
host rules were not.

It seems to me that apparmor should be encapsulated at the same level as
LXC containers, otherwise guests will not be able to define their own
rules for their own filesystems.

TEST CASE:

create an apparmor rule in /etc/apparmor.d/usr.bin.faketouch

Contents:
#include <tunables/global>

/usr/bin/faketouch {
    #include <abstractions/base>
    /lib/* r,
    /var/run/* w,
}


sudo cp /usr/bin/touch /usr/bin/faketouch

Run /lib/init/apparmor-profile-load usr.bin.faketouch

Create an oneiric container

lxc-create -t ubuntu -n test-apparmor -- -r oneiric

Log in to the container and try to touch /run/foo

sudo /usr/bin/faketouch /run/foo

should be denied.

Then create /etc/apparmor.d/usr.bin.faketouch

#include <tunables/global>

/usr/bin/faketouch {
    #include <abstractions/base>
    /lib/* r,
    /run/* w,
}


inside the container run

sudo /lib/init/apparmor-profile-load usr.bin.faketouch

This should enable it, but

sudo /usr/bin/faketouch /run/foo

will fail, and a DENIED message will be shown in the host kernel log.
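To make the symptom above easier to spot on a host that runs several containers, here is a small parser for the type=1400 AppArmor audit lines (added here as an example; it is not part of the bug report or of lxc). It extracts the key=value fields and groups DENIED events by profile and path; the sample log is constructed from the line quoted above plus a few made-up lines.

```python
import re
from collections import defaultdict

# Constructed sample: the DENIED line from the report, two made-up
# AppArmor lines (one more denial, one ALLOWED) and one unrelated line.
SAMPLE_LOG = """\
[48692.230635] type=1400 audit(1318893995.329:62): apparmor="DENIED" operation="mknod" parent=9502 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=14293 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=103 ouid=103
[48693.000001] type=1400 audit(1318893996.001:63): apparmor="DENIED" operation="open" parent=9502 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.pid" pid=14293 comm="mysqld" requested_mask="w" denied_mask="w" fsuid=103 ouid=103
[48694.000001] type=1400 audit(1318893997.001:64): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf" pid=14293 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=103 ouid=103
[48695.000001] eth0: link is up
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_line(line):
    """Return a dict of fields for a type=1400 AppArmor audit line,
    or None for any line that is not an AppArmor audit event."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def summarize_denials(log_text):
    """Group DENIED events by (profile, path) and union their denied masks,
    so a host rule that keeps blocking a path shows up as one entry
    whatever number of attempts the confined process made."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if ev is None or ev.get("apparmor") != "DENIED":
            continue
        summary[(ev["profile"], ev["name"])].update(ev["denied_mask"])
    return {key: "".join(sorted(masks)) for key, masks in summary.items()}


if __name__ == "__main__":
    for (profile, path), mask in summarize_denials(SAMPLE_LOG).items():
        print(f"{profile} denied {mask!r} on {path}")
```

On a real host, feed it the output of dmesg or /var/log/kern.log; a profile name that matches a guest binary while the guest's own profile permits the path is the signature of the host policy being applied to the container.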

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: lxc 0.7.5-0ubuntu8
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
NonfreeKernelModules: nvidia wl
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Mon Oct 17 16:30:25 2011
InstallationMedia: Xubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101008.1)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: lxc
UpgradeStatus: Upgraded to oneiric on 2011-07-14 (95 days ago)
mtime.conffile..etc.default.lxc: 2011-10-12T10:35:05.438801

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug oneiric running-unity

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/876968

Title:
  host Apparmor rules are applied to guests in spite of guests loading
  new rules

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com