host Apparmor rules are applied to guests in spite of guests loading new rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxc (Ubuntu) | Fix Released | Medium | John Johansen |
Bug Description
I had an old stale apparmor profile from mysql that did not allow writing to /run/mysql/
[48692.230635] type=1400 audit(131889399
The rules inside the guest for apparmor were permissive of this, but the host rules were not.
It seems to me that apparmor should be encapsulated at the same level as LXC containers, otherwise guests will not be able to define their own rules for their own filesystems.
TEST CASE:
create an apparmor rule in /etc/apparmor.
Contents:
#include <tunables/global>
/usr/bin/faketouch {
#include <abstractions/base>
/lib/* r,
/var/run/* w,
}
sudo cp /usr/bin/touch /usr/bin/faketouch
Run /lib/init/
Create an Oneiric container:
lxc-create -t ubuntu -n test-apparmor -- -r oneiric
Log in to the container and try to touch /run/foo:
sudo /usr/bin/faketouch /run/foo
This should be denied.
Then create /etc/apparmor.
#include <tunables/global>
/usr/bin/faketouch {
#include <abstractions/base>
/lib/* r,
/run/* w,
}
Inside the container, run
sudo /lib/init/
This should enable it, but
sudo /usr/bin/faketouch /run/foo
will fail, and a DENIED message will be shown in the host kernel log.
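The mismatch this test case demonstrates, as an added example that is not part of the bug report: a small Python checker that parses the simple file rules from a host-side and a guest-side AppArmor profile and lists the guest grants that the host profile would deny. Since the kernel enforces the host's profile, those guest grants never take effect. The two profiles and the probe paths are constructed from the test case; the parser deliberately handles only plain `path perms,` rules and ignores #include lines.

```python
import re

# Constructed profiles mirroring the test case: the host grants writes under
# /var/run/, the guest's copy grants writes under /run/.
HOST_PROFILE = """
#include <tunables/global>
/usr/bin/faketouch {
  #include <abstractions/base>
  /lib/* r,
  /var/run/* w,
}
"""
GUEST_PROFILE = """
#include <tunables/global>
/usr/bin/faketouch {
  #include <abstractions/base>
  /lib/* r,
  /run/* w,
}
"""

# Matches simple file rules such as "/lib/* r," (assumption: no other rule forms).
RULE_RE = re.compile(r'^\s*(/\S+)\s+([rwxmklia]+)\s*,\s*$')

def parse_file_rules(profile_text):
    """Return [(path_glob, perms_set), ...]; includes and the header are skipped."""
    return [(m.group(1), set(m.group(2)))
            for m in map(RULE_RE.match, profile_text.splitlines()) if m]

def glob_to_regex(glob):
    """AppArmor globbing: '**' crosses '/' boundaries, a single '*' does not."""
    out, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            out, i = out + '.*', i + 2
        elif glob[i] == '*':
            out, i = out + '[^/]*', i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile('^' + out + '$')

def allowed(rules, path, perm):
    return any(perm in perms and glob_to_regex(g).match(path) for g, perms in rules)

def ineffective_guest_grants(host_profile, guest_profile, probes):
    """(path, perm) pairs the guest grants but the host denies: dead guest policy."""
    host, guest = parse_file_rules(host_profile), parse_file_rules(guest_profile)
    return [(p, perm) for p, perm in probes
            if allowed(guest, p, perm) and not allowed(host, p, perm)]

if __name__ == '__main__':
    probes = [('/run/foo', 'w'), ('/lib/libc.so.6', 'r')]
    for path, perm in ineffective_guest_grants(HOST_PROFILE, GUEST_PROFILE, probes):
        print(f'guest grants {perm} on {path}, but the host profile denies it')
```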
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: lxc 0.7.5-0ubuntu8
ProcVersionSign
Uname: Linux 3.0.0-12-generic x86_64
NonfreeKernelMo
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Mon Oct 17 16:30:25 2011
InstallationMedia: Xubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101008.1)
ProcEnviron:
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: lxc
UpgradeStatus: Upgraded to oneiric on 2011-07-14 (95 days ago)
mtime.conffile.
Changed in lxc (Ubuntu): status: New → Confirmed
Apparmor is MAC - in my opinion it's not valid to have a container guest specify its own policy.
However, the container should be entering a domain which protects the host from the container, and in which executing any program does not cause more domain transitions (unless specified by the container's policy).
This is something I want to discuss at UDS and implement during the precise cycle.