Container: Allow apparmor nosymfollow mount flag in more cases #13820
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It turns out, that a ruleset:
{{- if .feature_mount_nosymfollow }}
# see canonical#12698
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /[^spd]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /d[^e]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /de[^v]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /p[^r]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /proc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /s[^y]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /sys?*{,/**},
{{- end }}
is not enough to allow nosymfollow. We still getting AppArmor denials like this:
[110841.647871] audit: type=1400 audit(1721910063.197:1611): apparmor="DENIED" operation="mount"
class="mount" info="failed flags match" error=-13 profile="lxd-secure-oriole_</var/snap/lxd/common/lxd>" name="/dev/shm/"
pid=712867 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"
First of all, there is no "nosymfollow" in the kernel log. Which is a bug and should be fixed by:
https://lore.kernel.org/all/[email protected]/
Secondly, it looks like these rules in the form of
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /some/path,
just does not work at all. At least in AppArmor 4.0+ (have not yet tested with older ones).
During my local experiments, I found that working variant of it might be:
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) -> /some/path,
or wider:
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow),
Let's just add a wider variant of the rule in addition to what we already
have for unprivileged containers. But keep in mind that something is wrong with
these rules in their more restrictive form (with path specifier). This is a matter
of a futher investigation, because it's important for privileged containers case.
See also:
canonical#12698
Closes canonical#12698
May close canonical#13810
Signed-off-by: Alexander Mikhalitsyn <[email protected]>
4 tasks
Does this PR relax the rules for privileged containers also? |
|
@mihalicyn does this fix Oracular containers? |
No-no, only for unprivileged case for now, because we already have analogical rules. For privileged case it's a matter of further investigation. |
yes. It fixes Oracular unprivileged containers. |
|
Awesome thanks! |
tomponline
changed the title
tomponline
added a commit
to tomponline/lxd-pkg-snap
that referenced
this pull request
Aug 1, 2024
canonical/lxd#13681 canonical/lxd#13820 Signed-off-by: Thomas Parrott <[email protected]>
tomponline
added a commit
to tomponline/lxd-pkg-snap
that referenced
this pull request
Aug 20, 2024
- Fix for Oracular unprivileged containers from canonical/lxd#13820 - Fix snapshot importing from canonical/lxd#13899 - Fix Dell Powerflex migrations from canonical/lxd#13934 Signed-off-by: Thomas Parrott <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It turns out, that a ruleset:
is not enough to allow nosymfollow. We still getting AppArmor denials like this:
First of all, there is no "nosymfollow" in the kernel log. Which is a bug and should be fixed by: https://lore.kernel.org/all/[email protected]/
Secondly, it looks like these rules in the form of mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /some/path,
just does not work at all. At least in AppArmor 4.0+ (have not yet tested with older ones).
During my local experiments, I found that working variant of it might be: mount
or wider:
Let's just add a wider variant of the rule in addition to what we already have for unprivileged containers. But keep in mind that something is wrong with these rules in their more restrictive form (with path specifier). This is a matter of a futher investigation, because it's important for privileged containers case.
See also:
#12698
Closes #12698
May close #13810