From: Stéphane Graber Date: Thu, 16 Jan 2014 21:27:51 +0000 (-0500) Subject: apparmor: Add profiles X-Git-Tag: lxc-1.0.0.beta3~94 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8da250dad4b11c4983031742a83fb8f358044fe0;p=thirdparty%2Flxc.git apparmor: Add profiles Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn
---
diff --git a/config/Makefile.am b/config/Makefile.am
index 02ba9cee6..f9ce6fb86 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -1 +1 @@
-SUBDIRS = etc init templates
+SUBDIRS = apparmor etc init templates
diff --git a/config/apparmor/Makefile.am b/config/apparmor/Makefile.am
new file mode 100644
index 000000000..801866db8
--- /dev/null
+++ b/config/apparmor/Makefile.am
@@ -0,0 +1,37 @@
+EXTRA_DIST = \
+ abstractions/container-base \
+ abstractions/start-container \
+ profiles/lxc-default \
+ profiles/lxc-default-with-mounting \
+ profiles/lxc-default-with-nesting \
+ lxc-containers \
+ usr.bin.lxc-start
+
+if ENABLE_APPARMOR
+install-apparmor:
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+ $(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
+ $(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
+ $(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+ $(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+ $(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+ $(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
+ $(INSTALL_DATA) usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/
+
+uninstall-apparmor:
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.bin.lxc-start
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
+ rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ || :
+ rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ || :
+ rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/ || :
+
+install-data-local: install-apparmor
+uninstall-local: uninstall-apparmor
+endif
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
new file mode 100644
index 000000000..9db94e782
--- /dev/null
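Review bot: `profiles/lxc-default-debootstrap`, which this same commit adds, is missing from both EXTRA_DIST and install-apparmor, so it is neither shipped in the tarball nor installed under `apparmor.d/lxc/`, and `lxc-containers` will never load the `lxc-container-default-builder` profile it defines. Add `profiles/lxc-default-debootstrap \` to EXTRA_DIST, `$(INSTALL_DATA) profiles/lxc-default-debootstrap $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/` to install-apparmor and the matching `rm -f` to uninstall-apparmor. install-apparmor and uninstall-apparmor are command targets with no `.PHONY: install-apparmor uninstall-apparmor` declaration, so a stray file of that name would silently skip the install. The final `rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/ || :` also removes the distribution's apparmor.d directory whenever it happens to be empty; that directory is not owned by this package and the line is safer dropped.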
+++ b/config/apparmor/abstractions/container-base
@@ -0,0 +1,50 @@
+ network,
+ capability,
+ file,
+ umount,
+ dbus,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
+ # allow bind mount of /lib/init/fstab for lxcguest
+ mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+ deny @{PROC}/sys/kernel/*/** wklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
new file mode 100644
index 000000000..56a8ec3f9
--- /dev/null
+++ b/config/apparmor/abstractions/start-container
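Review bot: `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` does not deny "everything except shm*": each bracket class excludes a single character at its own position, so any name whose first character is `s`, whose second is `h`, or whose third is `m` escapes the rule — `/proc/sys/kernel/threads-max`, `/proc/sys/kernel/sysrq`, `/proc/sys/kernel/sem` and every `sched_*` sysctl stay writable under this abstraction, while `capability,` is granted unrestricted. Because AppArmor deny rules override allow rules, the exemption has to be expressed in the deny pattern itself, for instance `deny @{PROC}/sys/kernel/{?,??,[^s]*,?[^h]*,??[^m]*} wklx,` (one- and two-character names are denied outright, longer names are denied unless they begin with `shm`; subdirectories remain covered by the existing `*/**` rule), with a comment `# deny writes under /proc/sys/kernel except the shm* sysctls`. The "dangerous paths" list also lacks `@{PROC}/kcore`, which exposes kernel memory in the same way as the `mem`/`kmem` entries it sits next to.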
@@ -0,0 +1,30 @@
+ network,
+ capability,
+ file,
+ dbus,
+
+ # currently blocked by apparmor bug
+ mount -> /usr/lib/*/lxc/{**,},
+ mount -> /usr/lib/lxc/{**,},
+ mount fstype=devpts -> /dev/pts/,
+ mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+ mount fstype=debugfs,
+ # allow pre-mount hooks to stage mounts under /var/lib/lxc//
+ mount -> /var/lib/lxc/{**,},
+
+ # required for some pre-mount hooks (like the new lxc-start-ephemeral)
+ mount fstype=overlayfs,
+ mount fstype=aufs,
+ mount fstype=ecryptfs,
+
+ # all umounts are under the original root's /mnt, but right now we
+ # can't allow those umounts after pivot_root. So allow all umounts
+ # right now. They'll be restricted for the container at least.
+ umount,
+ #umount /mnt/{**,},
+
+ pivot_root /usr/lib/*/lxc/,
+ pivot_root /usr/lib/lxc/root/,
+
+ change_profile -> lxc-*,
+ change_profile -> unconfined,
diff --git a/config/apparmor/lxc-containers b/config/apparmor/lxc-containers
new file mode 100644
index 000000000..0644cf2d3
--- /dev/null
+++ b/config/apparmor/lxc-containers
@@ -0,0 +1,7 @@
+# This file exists only to ensure that all per-container policies
+# listed under /etc/apparmor.d/lxc get loaded at boot. Please do
+# not edit this file.
+
+#include
+
+#include
diff --git a/config/apparmor/profiles/lxc-default b/config/apparmor/profiles/lxc-default
new file mode 100644
index 000000000..9a96a2e50
--- /dev/null
+++ b/config/apparmor/profiles/lxc-default
@@ -0,0 +1,11 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # the container may never be allowed to mount devpts. If it does, it
+ # will remount the host's devpts. We could allow it to do it with
+ # the newinstance option (but, right now, we don't).
+ deny mount fstype=devpts,
+}
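Review bot: `change_profile -> unconfined,` is the rule that lets lxc-start hand a container over with no AppArmor confinement at all (presumably for a container config that selects the unconfined profile), and nothing in the file says so; the only nearby comment, `# currently blocked by apparmor bug`, names neither the bug nor what is blocked. Add `# allows a container configured for the unconfined profile to run unconfined: whoever controls a container's config can drop AppArmor confinement for that container` above the rule, and replace the bug comment with the bug reference or a description of the denial the `/usr/lib/*/lxc/` mount rules work around. `mount fstype=debugfs,` also carries no destination and no explanation, unlike the `-> /sys/kernel/debug/` form used in container-base; either tie it to the hook that needs it in a comment or restrict it likewise.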
diff --git a/config/apparmor/profiles/lxc-default-debootstrap b/config/apparmor/profiles/lxc-default-debootstrap
new file mode 100644
index 000000000..d5a5ac015
--- /dev/null
+++ b/config/apparmor/profiles/lxc-default-debootstrap
@@ -0,0 +1,18 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-builder flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # pbuilder
+ mount options=(rw,bind) -> /var/cache/pbuilder/**,
+ mount fstype=devpts -> /var/cache/pbuilder/**,
+ mount fstype=proc -> /var/cache/pbuilder/**,
+ mount fstype=sysfs -> /var/cache/pbuilder/**,
+
+ # sbuild
+ mount options=(rw,bind) -> /var/lib/schroot/**,
+ mount fstype=devpts -> /var/lib/schroot/**,
+ mount fstype=proc -> /var/lib/schroot/**,
+ mount fstype=sysfs -> /var/lib/schroot/**,
+}
diff --git a/config/apparmor/profiles/lxc-default-with-mounting b/config/apparmor/profiles/lxc-default-with-mounting
new file mode 100644
index 000000000..8a9a6b717
--- /dev/null
+++ b/config/apparmor/profiles/lxc-default-with-mounting
@@ -0,0 +1,14 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+# allow standard blockdevtypes.
+# The concern here is in-kernel superblock parsers bringing down the
+# host with bad data. However, we continue to disallow proc, sys, securityfs,
+# etc to nonstandard locations.
+ mount fstype=ext*,
+ mount fstype=xfs,
+ mount fstype=btrfs,
+}
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
new file mode 100644
index 000000000..245f2f8fc
--- /dev/null
+++ b/config/apparmor/profiles/lxc-default-with-nesting
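Review bot: `mount fstype=devpts -> /var/cache/pbuilder/**,` and the matching `/var/lib/schroot/**` rule allow exactly what lxc-default's comment in this commit says a container may never do: without the newinstance option a devpts mount reattaches the host's devpts instance, and a destination path restriction does not change that. As far as I can tell AppArmor's `options=` matches kernel mount flags only, so the newinstance requirement cannot be expressed here and the profile cannot enforce the safe form; the builder profile should at least say so, e.g. `# WARNING: these devpts rules are not limited to newinstance; a builder chroot can remount the host's devpts instance` above the pbuilder block. Confirm with the pbuilder and sbuild use cases whether devpts inside the container is actually required and drop the two rules if it is not.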
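Review bot: `mount fstype=ext*,`, `mount fstype=xfs,` and `mount fstype=btrfs,` carry no source and no destination, so — combined with the unrestricted `file,` and `capability,` rules the included abstraction presumably brings in (its `#include` argument is stripped in this rendering) — the container may mount any block device node reachable in its /dev onto any path, not only an image of its own; the comment discusses the superblock-parser risk but not this one. If that is the accepted trade-off, state it next to the existing comment: `# NOTE: no source/destination restriction: a container that can reach host block device nodes can mount them anywhere, so restrict device access separately (device cgroup)`. The unindented comment block also differs from the indented rules below it and from the other profiles in this commit; indent it to match.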
@@ -0,0 +1,13 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
+ #include
+ #include
+
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
+
+ mount fstype=proc -> /var/cache/lxc/**,
+ mount fstype=sysfs -> /var/cache/lxc/**,
+ mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,
+}
diff --git a/config/apparmor/usr.bin.lxc-start b/config/apparmor/usr.bin.lxc-start
new file mode 100644
index 000000000..2f87cdd12
--- /dev/null
+++ b/config/apparmor/usr.bin.lxc-start
@@ -0,0 +1,5 @@
+#include
+
+/usr/bin/lxc-start flags=(attach_disconnected) {
+ #include
+}
diff --git a/configure.ac b/configure.ac
index 6b932994b..090ee16b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -547,6 +547,7 @@ AC_CONFIG_FILES([
 lxc.spec
 config/Makefile
+ config/apparmor/Makefile
 config/init/Makefile
 config/init/sysvinit/Makefile
 config/init/systemd/Makefile
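Review bot: the second `#include` (its argument is stripped in this rendering; presumably the start-container abstraction, which a nested lxc-start needs) pulls `change_profile -> unconfined,` and an unrestricted `umount,` into a container profile, so as far as I can tell any root process in a nesting container can switch itself to the unconfined profile rather than only a child container it starts — this profile then confines in name only. That may be the accepted price of nesting, but the file should say it: add `# WARNING: the start-container abstraction grants change_profile -> unconfined; treat this profile as non-confining and use it only for trusted containers` after the includes. `mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,` also uses two independent `**` globs, so it permits bind-mounting one cached container's dev/shm onto another's run/shm; if only same-tree mounts are intended, AppArmor cannot tie the two and a comment should note the over-approximation.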