-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apparmor mount propagation #4295
Conversation
Testsuite passed |
f933d4b
to
0e2868b
Compare
Testsuite passed |
We need to be careful with merging this, because this change will cause wider privileges on the old AppArmor versions... Only privileged LXC containers are affected because their security model relies on the AppArmor heavily. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Over 4 or 5 years later.
Quoting from the commit message:
Now with modern systemd versions this problem become more critical than
before. For instance, ArchLinux containers fail to start without
nesting apparmor profile enabled (because nesting profile effectively
just allow all mounts). Of course, that's a security issue.
This claims that this becomes more critical but doesn't explain why e.g., Archlinux containers failing to start are caused by this. I'd like to have that. What exactly is failing suddenly?
Should we wait for a release and check the version via |
That's a good point. I thought about that in the context of LXD. Because in LXD we have a template for AppArmor profile (https://github.com/lxc/lxd/blob/bb09d3a6c071ac8c38861e3fc0595b7a5550bf09/lxd/apparmor/instance_lxc.go#L7), it's easy to check AppArmor version in runtime and generate an appropriate AppArmor profile for that. |
0e2868b
to
12a662b
Compare
Fixed. |
Long story behind this. Many years ago, Stéphane Graber discovered an issue with apparmor mount rules. Since lxc@7f2b132 commit ("apparmor: Update mount states handling") it was prohibited to change mount propagation flags, just because adding rules which allow mount propagation user inside the container gets an ability to mount everything [1]. Now with modern systemd versions this problem become more critical than before. For instance, ArchLinux containers fail to start without nesting apparmor profile enabled (because nesting profile effectively just allow all mounts). Of course, that's a security issue. We've also enabled sharing on the container rootfs: lxc#4229 Now for many workloads it's needed to change propagation flag to private (see canonical/craft-parts#400). Issue: $ lxc-start -F archlinux-test systemd 253-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified) Detected virtualization lxc. Detected architecture x86-64. Welcome to Arch Linux! bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported Failed to remount root directory as MS_SLAVE: Permission denied (sd-gens) failed with exit status 1. [!!!!!!] Failed to start up manager. Exiting PID 1... Workaround (unsafe): $ lxc-start -s lxc.apparmor.allow_nesting=1 -s lxc.apparmor.profile=generated -F arch-test John Johansen (Apparmor maintainer) and LXD team worked on fix [2]. It was merged to stable AppArmor 3.0 and 3.1 branches already. There is no stable AppArmor version tag for that, but I think it will be in the AppArmor version 3.0.10. See also: [1] https://bugs.launchpad.net/apparmor/+bug/1597017 [2] https://gitlab.com/apparmor/apparmor/-/merge_requests/333 Fixes: lxc#4280 Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Testsuite passed |
12a662b
to
890de07
Compare
Testsuite passed |
Funny:
And that is why I asked. :) Because AppArmor is the proximal cause but not the distal cause. The distal cause is that I made the rootfs |
agree! |
That's good for the run-time generated profiles. Is there a sort of #ifdef we can put in config/apparmor/abstractions/container-base{,.in} to gate policy on the apparmor version? |
As far as I know AppArmor doesn't support that. The only thing that we can do for non-runtime-generated profile is to put some warning to container logs if the AppArmor version is affected and privileged container is used. |
Can we hold off merging this until we get a CVE filed against AppArmor? I'd like to have some assurance that distros that care about security have the parser bug resolved before anyone gets LXC with the new rule enabled. |
Sure, friends, I'm not insisting on merging this right now. But just want to be prepared and discuss everything in advance. (we can convert this to a "draft" PR) |
@stgraber can also just set the Blocked label. |
I have to say that I'm puzzled why that never happened before. I mean that bug is older than 4 years and @Blub has even proposed patches to fix this before. :) |
Looks like I have no permission to convert PR to a draft. |
Long story behind this. Many years ago, Stéphane Graber
discovered an issue with apparmor mount rules.
Since
7f2b132
commit ("apparmor: Update mount states handling") it was prohibited
to change mount propagation flags, just because adding rules which
allow mount propagation user inside the container gets an ability
to mount everything [1].
Now with modern systemd versions this problem become more critical than
before. For instance, ArchLinux containers fail to start without
nesting apparmor profile enabled (because nesting profile effectively
just allow all mounts). Of course, that's a security issue.
We've also enabled sharing on the container rootfs:
#4229
Now for many workloads it's needed to change propagation flag to
private (see canonical/craft-parts#400).
Issue:
$ lxc-start -F archlinux-test
systemd 253-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to Arch Linux!
bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
Failed to remount root directory as MS_SLAVE: Permission denied
(sd-gens) failed with exit status 1.
[!!!!!!] Failed to start up manager.
Exiting PID 1...
Workaround (unsafe):
$ lxc-start -s lxc.apparmor.allow_nesting=1 -s lxc.apparmor.profile=generated -F arch-test
John Johansen (Apparmor maintainer) and LXD team worked on fix [2].
It was merged to stable AppArmor 3.0 and 3.1 branches already.
There is no stable AppArmor version tag for that, but I think it will
be in the AppArmor version 3.0.10.
See also:
[1] https://bugs.launchpad.net/apparmor/+bug/1597017
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/333
Fixes: #4280