
Correct the condition based on the previous commit as the current one allows any network on cloud to ping without adhering to any security protocols #45053

Open · wants to merge 1 commit into master

Conversation

vteratipally

Correct the condition based on the previous commit as the current one allows any network on cloud to ping without adhering to any security protocols

Fixes: #44984

- What I did

Correct the condition to allow the ICMP packets only when the daemon is run under a non-private namespace. Looks like the change has not been carried properly.

- How I did it

Debug logs

- How to verify it

  1. Create an AppArmor policy for no network access:

         cat > /tmp/no_network <<EOF
         #include <tunables/global>

         profile no-network flags=(attach_disconnected,mediate_deleted) {
           #include <abstractions/base>
           network inet tcp,
           network inet udp,
           network inet icmp,

           deny network raw,
           deny network packet,
           file,
           mount,
         }
         EOF

  2. Load the profile in AppArmor: /sbin/apparmor_parser --replace --write-cache /tmp/no_network
  3. Create a Dockerfile with Ubuntu 22.04 and ping capabilities:

         cat > Dockerfile <<EOF
         FROM ubuntu:22.04
         RUN apt-get update && apt install -y iputils-ping
         EOF

  4. Create a docker image using docker build -t ubuntu-ping .
  5. Run a container with the policy: docker run --rm -i --security-opt apparmor=no-network ubuntu-test:latest ping -c3 localhost

Results:

ping: socket: Permission denied

- Description for the changelog

Fix the issue related to ping without adhering to any security profile from apparmor.

- A picture of a cute animal (not mandatory but encouraged)

@vteratipally (Author)

Processes run with an apparmor profile have c.HostConfig.UsernsMode.IsPrivate() returning true, and are in the kernel namespace even with privileged or when run without a user namespace.
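The interaction between RemappedRoot and UsernsMode.IsPrivate() that this comment describes can be checked directly. The Go snippet below is an added example, not moby's code; it re-implements UsernsMode.IsPrivate() with the semantics stated in the comment (true for every value except "host", so also true for the empty default) and evaluates the old (&&) and new (||) condition over the four daemon/container combinations, returning the rows whose result changes.

```go
package main

import "fmt"

// UsernsMode mirrors the string type behind c.HostConfig.UsernsMode. The
// methods follow the semantics the PR author describes: IsPrivate() is true
// for every value except "host", so it is also true for the empty default,
// i.e. a container started without any user namespace. Illustrative only.
type UsernsMode string

func (n UsernsMode) IsHost() bool    { return n == "host" }
func (n UsernsMode) IsPrivate() bool { return !n.IsHost() }

// oldUserNS is the condition before the PR: the daemon must have userns-remap
// configured (RemappedRoot set) AND the container must not use --userns=host.
func oldUserNS(remappedRoot string, mode UsernsMode) bool {
	return remappedRoot != "" && mode.IsPrivate()
}

// newUserNS is the condition the PR proposes.
func newUserNS(remappedRoot string, mode UsernsMode) bool {
	return remappedRoot != "" || mode.IsPrivate()
}

// Row is one daemon/container configuration with both results.
type Row struct {
	RemappedRoot string
	Mode         UsernsMode
	Old, New     bool
}

// Changed evaluates both conditions over the four combinations of
// "daemon remaps root or not" and "container uses --userns=host or not",
// and returns only the rows where the PR changes the outcome.
func Changed() []Row {
	var out []Row
	for _, root := range []string{"", "dockremap"} { // "dockremap" is a constructed sample value
		for _, mode := range []UsernsMode{"", "host"} {
			r := Row{root, mode, oldUserNS(root, mode), newUserNS(root, mode)}
			if r.Old != r.New {
				out = append(out, r)
			}
		}
	}
	return out
}

func main() {
	for _, r := range Changed() {
		fmt.Printf("RemappedRoot=%q UsernsMode=%q: old=%v new=%v\n", r.RemappedRoot, r.Mode, r.Old, r.New)
	}
}
```

Both rows that flip are configurations where no user namespace is in effect for the container (no remapped root, or an explicit --userns=host), so the new condition reports a user namespace exactly where there is none.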

… allows any network on cloud to ping without adhering to any security protocols

Signed-off-by: Varsha Teratipally <teratipally@google.com>
userNS := daemon.configStore.RemappedRoot != "" && c.HostConfig.UsernsMode.IsPrivate()
userNS := daemon.configStore.RemappedRoot != "" || c.HostConfig.UsernsMode.IsPrivate()
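Review bot: Changing `&&` to `||` makes `userNS` true whenever `c.HostConfig.UsernsMode.IsPrivate()` is true, and by the author's own comment IsPrivate() is true even when the daemon runs without user-namespace remapping, so the flag stops meaning "this container is in a user namespace" and is set for almost every container (only `--userns=host` with no remapped root keeps it false). Any consumer that keys off `userNS` to skip a step will now skip it by default, which is the effective revert of #41030 raised in review. If the goal is to stop the plain-root case from being treated as a user namespace, keep the `&&` and fix the code that consumes `userNS` instead, and add a test covering `RemappedRoot == ""` with the default UsernsMode so the regression is caught.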
Member


This seems to be effectively reverting #41030 ?

@neersighted (Member)

I'm not convinced this change is correct; let's characterize what is actually desired/changed on the linked issue.

Successfully merging this pull request may close these issues: AppArmor policy to deny network is not working