apparmor: stack apparmor profiles if nnp and confined

In case crun is running under apparmor profile and no_new_privileges flag set for containers the only way apparmor allows a change of profile is when a profile is stacked on top of current profile to ensure no new permissions are gained Closes: containers#1385 Signed-off-by: 😎Mostafa Emami <mustafaemami@gmail.com>
idleroamer · Jan 15, 2024 · e276960 · e276960
1 parent 3b3061a
commit e276960
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -2812,7 +2812,7 @@ int
 libcrun_set_apparmor_profile (runtime_spec_schema_config_schema_process *proc, libcrun_error_t *err)
 {
   if (proc->apparmor_profile)
-    return set_apparmor_profile (proc->apparmor_profile, err);
+    return set_apparmor_profile (proc->apparmor_profile, proc->no_new_privileges, err);
   return 0;
 }
 

diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
@@ -830,8 +830,24 @@ libcrun_is_apparmor_enabled (libcrun_error_t *err)
   return apparmor_enabled;
 }
 
+static int 
+is_current_process_confined(libcrun_error_t *err)
+{
+  int fd = open("/proc/thread-self/attr/current", O_RDONLY|O_CLOEXEC);
+
+  if (fd != -1) {
+    char buf[256];
+    ssize_t bytesRead = read(fd, buf, sizeof(buf) - 1);
+    close(fd);
+    if (bytesRead != -1)
+      return (strcmp(buf, "unconfined") != 0 && buf != '\0');
+  }
+  crun_make_error (err, errno, "error reading file /proc/thread-self/attr/current");
+  return -1;
+}
+
 int
-set_apparmor_profile (const char *profile, libcrun_error_t *err)
+set_apparmor_profile (const char *profile, bool no_new_privileges, libcrun_error_t *err)
 {
   int ret;
 
@@ -841,8 +857,11 @@ set_apparmor_profile (const char *profile, libcrun_error_t *err)
   if (ret)
     {
       cleanup_free char *buf = NULL;
-
-      xasprintf (&buf, "exec %s", profile);
+      ret = is_current_process_confined(err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+      // if confined only way for apparmor to allow change of profile with NNP is with stacking
+      xasprintf (&buf, "%s %s", no_new_privileges && ret ? "stack": "exec", profile);
 
       ret = write_file_and_check_fs_type ("/proc/thread-self/attr/exec", buf, strlen (buf), PROC_SUPER_MAGIC, "procfs",
                                           err);

diff --git a/src/libcrun/utils.h b/src/libcrun/utils.h
@@ -264,7 +264,7 @@ int set_selinux_exec_label (const char *label, libcrun_error_t *err);
 
 int add_selinux_mount_label (char **ret, const char *data, const char *label, libcrun_error_t *err);
 
-int set_apparmor_profile (const char *profile, libcrun_error_t *err);
+int set_apparmor_profile (const char *profile, bool no_new_privileges, libcrun_error_t *err);
 
 int read_all_fd (int fd, const char *description, char **out, size_t *len, libcrun_error_t *err);