
Enable ptrace in a container on apparmor below 2.9 #18393

Merged (1 commit, merged Dec 14, 2015)

Conversation

qzio (Contributor) commented Dec 3, 2015

Ubuntu 14.04 LTS is on apparmor 2.8.95.
This line enables ps inside a container without causing
audit log entries on the host.

My use case: #7276 (comment)

thaJeztah (Member) commented:

ping @ewindisch @jfrazelle ptal

thanks @qzio!

jessfraz (Contributor) commented Dec 3, 2015

If the ptrace macro exists on 2.8 then we should change the version check,
because as is, right now, this is changing the behavior of the default
profile so NOT LGTM

On Thu, Dec 3, 2015 at 6:52 AM, Sebastiaan van Stijn <notifications@github.com> wrote:

ping @ewindisch https://github.com/ewindisch @jfrazelle https://github.com/jfrazelle ptal

thanks @qzio https://github.com/qzio!



jessfraz (Contributor) commented Dec 3, 2015

will do some testing re different versions

qzio (Contributor, Author) commented Dec 4, 2015

I have not been able to build-and-package locally to actually test this.

However this line works for me using the ubuntu/trusty64 vagrant base box, with docker installed from https://experimental.docker.com

qzio (Contributor, Author) commented Dec 4, 2015

For my use case (using ps inside the container to list that container's processes) the (trace,read) makes no difference.

I do not know enough about apparmor to have an opinion on (trace,read) be or not to be.

qzio (Contributor, Author) commented Dec 4, 2015

I did some more digging and I think this is where that line needs to be.

Adding the line to /etc/apparmor.d/docker is what I want to accomplish.

@@ -60,12 +60,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,

# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read) peer=docker-default,
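Review bot: the added rule hard-codes `peer=docker-default,` while the profile header in the hunk is templated as `profile {{.Name}}`, so a profile rendered under any other name would grant trace/read toward docker-default rather than toward itself; `peer={{.Name}},` would keep the rule tied to the profile it lives in. The excerpt also shows no `{{if}}` version gate around the two new lines, and the review discussion notes that older AppArmor parsers cannot take a peer or read/write/trace qualifier on a ptrace rule, so the surrounding template should be checked to confirm the rule is only emitted for parser versions that accept this syntax.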
jessfraz (Contributor) review comment:

so the problem is this will still break distros like wheezy we need to change the version check to 2.8

Contributor review comment (reply):

IIRC, older AppArmor versions can allow ptrace, but not granularly. That is, you can allow ptrace, but cannot specify a peer or read/write/trace.

On Fri, Dec 4, 2015 at 12:00 PM, Jess Frazelle notifications@github.com wrote:

In daemon/execdriver/native/apparmor.go #18393 (comment):

@@ -60,12 +60,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/firmware/efi/efivars/* rwklx,
deny /sys/kernel/security/
* rwklx,

  • suppress ptrace denials when using 'docker ps' or using 'ps' inside a container

  • ptrace (trace,read) peer=docker-default,

so the problem is this will still break distros like wheezy we need to
change the version check to 2.8



qzio (Contributor, Author) commented Dec 7, 2015

Why the tests fail is beyond my knowledge about apparmor; I don't know how the unloading is done or why this doesn't work.

For ref: the tests passed previously when I accidentally pushed a commit with the wrong number of {{end}} compared to the number of {{if }}.

For ref2: the tests did not pass when I used one "outer" if that did {{if ge .MajorVersion 2}} and then 2 "inner" ifs that did {{if ge .MinorVersion 8}} and 9.

I've solved my particular problem on my installations by hacking the /etc/init/docker.conf script and adding this line in the post-start section.

Not sure how to fix the tests since even master failed last time I checked.
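The two threads above (the review remark that older AppArmor parsers accept ptrace only without a peer or access qualifier, and the trouble with nested {{if ge .MajorVersion 2}} / {{if ge .MinorVersion 8}} blocks and unbalanced {{end}}s) both come down to gating one template line on the parser version. The following is an added example, not Docker's apparmor.go or any code from this PR: it packs major.minor.patch into a single comparable integer (my own encoding, major*10000 + minor*100 + patch) so the template needs only one {{if}}/{{end}} pair, emits the granular rule with peer={{.Name}} rather than a hard-coded name, and assumes 2.8.95 (the Ubuntu 14.04 version quoted in the PR) as the threshold; the page does not record the exact threshold the merged change settled on, and on older parsers this example simply omits the rule. The function names, ProfileData, and MinPtraceRuleVersion are all hypothetical.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// ProfileData is what the template is executed against. Version packs
// major/minor/patch into one integer (major*10000 + minor*100 + patch), so
// 2.8.95 becomes 20895 and 2.9.0 becomes 20900. This encoding is the
// example's own choice, not the project's.
type ProfileData struct {
	Name    string
	Version int
}

// MinPtraceRuleVersion is the assumed threshold (2.8.95 packed): the oldest
// parser this example treats as accepting "ptrace (trace,read) peer=".
const MinPtraceRuleVersion = 20895

// ParseAppArmorVersion converts "2.8.95" (or "2.9", or "2") into the packed
// integer. Missing minor/patch fields count as zero; a non-numeric or
// out-of-range component is an error rather than a silent zero, because a
// quietly mis-parsed version would drop the rule without any indication.
func ParseAppArmorVersion(s string) (int, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) == 0 || len(parts) > 3 {
		return 0, fmt.Errorf("unexpected apparmor version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 99 {
			return 0, fmt.Errorf("bad component %q in apparmor version %q", p, s)
		}
		nums[i] = n
	}
	return nums[0]*10000 + nums[1]*100 + nums[2], nil
}

// profileTemplate mirrors the shape of the hunk in the PR (deny lines, then the
// ptrace rule). A single integer comparison replaces nested major/minor {{if}}
// blocks, so there is exactly one {{if}}/{{end}} pair to keep balanced.
var profileTemplate = `profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
{{if ge .Version ` + strconv.Itoa(MinPtraceRuleVersion) + `}}
  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read) peer={{.Name}},
{{end}}
}
`

// RenderProfile renders the profile for the given name and parser version string.
func RenderProfile(name, versionString string) (string, error) {
	v, err := ParseAppArmorVersion(versionString)
	if err != nil {
		return "", err
	}
	tmpl, err := template.New("apparmor").Parse(profileTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, ProfileData{Name: name, Version: v}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// HasPtraceRule reports whether a rendered profile carries the granular rule.
func HasPtraceRule(profile string) bool {
	return strings.Contains(profile, "ptrace (trace,read) peer=")
}

func main() {
	// Constructed sample versions: below, at, and above the assumed threshold,
	// plus a malformed string to show the parse error path.
	for _, v := range []string{"2.8.0", "2.8.95", "2.9.1", "not-a-version"} {
		p, err := RenderProfile("docker-default", v)
		if err != nil {
			fmt.Printf("apparmor %-14s -> error: %v\n", v, err)
			continue
		}
		fmt.Printf("apparmor %-14s -> ptrace rule emitted: %v\n", v, HasPtraceRule(p))
	}
}
```

Packing the version into one integer is what makes the gate a single `ge` comparison; with separate major and minor fields, "2.10" would compare below "2.9" under `{{if ge .MinorVersion 9}}` unless a second nested condition handles the major bump, which is exactly the kind of nesting that led to the unbalanced {{end}} failures mentioned above. Failing closed on an unparseable version (an error, not a rendered profile) is deliberate: silently dropping the rule would reintroduce the denials this PR is trying to remove, while silently adding it on an old parser would make the whole profile fail to load.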

Commit message:

Ubuntu 14.04 LTS is on apparmor 2.8.95.
This enables `ps` inside a container without causing
audit log entries on the host.

Signed-off-by: Joel Hansson <joel.hansson@ecraft.com>

qzio (Contributor, Author) commented Dec 8, 2015

Another rebase against master seemed to "fix" the tests.

thaJeztah (Member) commented:

ping @ewindisch @jfrazelle can you have another look?

jessfraz (Contributor) commented Dec 8, 2015

LGTM now thanks
