From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Tue, 1 Apr 2014 23:03:07 +0000 (+0200)
Subject: apparmor: deny writes to most of /proc/sys (v2)
X-Git-Tag: lxc-1.1.0.alpha1~173
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94a77f3fd8be2fb87f7d1465521fac3ec4b7e6b5;p=thirdparty%2Flxc.git

apparmor: deny writes to most of /proc/sys (v2)

Allow writes to kernel.shm*, net.*, kernel/domainname and
kernel/hostname,

Also fix a bug in the lxc-generate-aa-rules.py script in a
path which wasn't being exercised before, which returned a
path element rather than its child.

Changelog (v2): remove trailing / from block path

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index d094aab7b..6a44e43e9 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -44,10 +44,38 @@
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
 
   # generated by: lxc-generate-aa-rules.py container-rules.base
-  deny /proc/sys/kernel/[^s]*{,/**} wklx,
+  deny /proc/sys/[^kn]*{,/**} wklx,
+  deny /proc/sys/k[^e]*{,/**} wklx,
+  deny /proc/sys/ke[^r]*{,/**} wklx,
+  deny /proc/sys/ker[^n]*{,/**} wklx,
+  deny /proc/sys/kern[^e]*{,/**} wklx,
+  deny /proc/sys/kerne[^l]*{,/**} wklx,
+  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
+  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+  deny /proc/sys/kernel/domainname?*{,/**} wklx,
+  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+  deny /proc/sys/kernel/hostname?*{,/**} wklx,
   deny /proc/sys/kernel/s[^h]*{,/**} wklx,
   deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
   deny /proc/sys/kernel/shm*/** wklx,
+  deny /proc/sys/kernel?*{,/**} wklx,
+  deny /proc/sys/n[^e]*{,/**} wklx,
+  deny /proc/sys/ne[^t]*{,/**} wklx,
+  deny /proc/sys/net?*{,/**} wklx,
   deny /sys/[^fdc]*{,/**} wklx,
   deny /sys/c[^l]*{,/**} wklx,
   deny /sys/cl[^a]*{,/**} wklx,
diff --git a/config/apparmor/container-rules b/config/apparmor/container-rules
index 47dd4c27c..2c8c0b494 100644
--- a/config/apparmor/container-rules
+++ b/config/apparmor/container-rules
@@ -1,8 +1,36 @@
   # generated by: lxc-generate-aa-rules.py container-rules.base
-  deny /proc/sys/kernel/[^s]*{,/**} wklx,
+  deny /proc/sys/[^kn]*{,/**} wklx,
+  deny /proc/sys/k[^e]*{,/**} wklx,
+  deny /proc/sys/ke[^r]*{,/**} wklx,
+  deny /proc/sys/ker[^n]*{,/**} wklx,
+  deny /proc/sys/kern[^e]*{,/**} wklx,
+  deny /proc/sys/kerne[^l]*{,/**} wklx,
+  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
+  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+  deny /proc/sys/kernel/domainname?*{,/**} wklx,
+  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+  deny /proc/sys/kernel/hostname?*{,/**} wklx,
   deny /proc/sys/kernel/s[^h]*{,/**} wklx,
   deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
   deny /proc/sys/kernel/shm*/** wklx,
+  deny /proc/sys/kernel?*{,/**} wklx,
+  deny /proc/sys/n[^e]*{,/**} wklx,
+  deny /proc/sys/ne[^t]*{,/**} wklx,
+  deny /proc/sys/net?*{,/**} wklx,
   deny /sys/[^fdc]*{,/**} wklx,
   deny /sys/c[^l]*{,/**} wklx,
   deny /sys/cl[^a]*{,/**} wklx,
diff --git a/config/apparmor/container-rules.base b/config/apparmor/container-rules.base
index e16d874d6..615f01519 100644
--- a/config/apparmor/container-rules.base
+++ b/config/apparmor/container-rules.base
@@ -6,5 +6,8 @@ block /sys
 allow /sys/fs/cgroup/**
 allow /sys/devices/virtual/net/**
 allow /sys/class/net/**
-block /proc/sys/kernel
+block /proc/sys
 allow /proc/sys/kernel/shm*
+allow /proc/sys/kernel/hostname
+allow /proc/sys/kernel/domainname
+allow /proc/sys/net/**
diff --git a/config/apparmor/lxc-generate-aa-rules.py b/config/apparmor/lxc-generate-aa-rules.py
index 34518cf73..683f5fc6e 100755
--- a/config/apparmor/lxc-generate-aa-rules.py
+++ b/config/apparmor/lxc-generate-aa-rules.py
@@ -25,11 +25,14 @@ def add_block(path):
             return
     blocks.append({'path': path.strip(), 'children': []})
 
-
+# @prev is an array of dicts which containing 'path' and
+# 'children'.  @path is a string.  We are looking for an entry
+# in @prev which contains @path, and will return its
+# children array.
 def child_get(prev, path):
     for p in prev:
         if p['path'] == path:
-            return p
+            return p['children']
     return None
 
 
@@ -40,6 +43,7 @@ def add_allow(path):
         l = len(b['path'])
         if len(path) <= l:
             continue
+        # TODO - should we find the longest match?
         if path[0:l] == b['path']:
             found = b
             break