From d9bae9c84b21642876107f32ba6c51ff3350c372 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Mon, 29 Sep 2014 12:40:52 -0400
Subject: [PATCH] apparmor: restrict signal and ptrace for processes
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Restrict signal and ptrace for processes running under the container profile. Rules based on AppArmor base abstraction. Add unix rules for processes running under the container profile.

Signed-off-by: Jamie Strandboge
Acked-by: Serge Hallyn
Acked-by: Stéphane Graber
---
 config/apparmor/abstractions/container-base | 43 +++++++++++++++++--
 .../apparmor/abstractions/container-base.in | 42 ++++++++++++++++--
 2 files changed, 77 insertions(+), 8 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index d783c955b..2d5fd7aa0 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -3,14 +3,49 @@
 file,
 umount,
- # The following 3 entries are only supported by recent apparmor versions.
- # Comment them if the apparmor parser doesn't recognize them.
+ # dbus, signal, ptrace and unix are only supported by recent apparmor
+ # versions. Comment them if the apparmor parser doesn't recognize them.
+
+ # This also needs additional rules to reach outside of the container via
+ # DBus, so just let all of DBus within the container.
 dbus,
- signal,
- ptrace,
+
+ # Allow us to receive signals from anywhere. Note: if per-container profiles
+ # are supported, for container isolation this should be changed to something
+ # like:
+ # signal (receive) peer=unconfined,
+ # signal (receive) peer=/usr/bin/lxc-start,
+ signal (receive),
+
+ # Allow us to send signals to ourselves
+ signal peer=@{profile_name},
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace ourselves
+ ptrace peer=@{profile_name},
+
+ # Allow receive via unix sockets from anywhere. Note: if per-container
+ # profiles are supported, for container isolation this should be changed to
+ # something like:
+ # unix (receive) peer=(label=unconfined),
+ unix (receive),
+
+ # Allow all unix in the container
+ unix peer=(label=@{profile_name}),
 # ignore DENIED message on / remount
 deny mount options=(ro, remount) -> /,
+ deny mount options=(ro, remount, silent) -> /,
 # allow tmpfs mounts everywhere
 mount fstype=tmpfs,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 096d35bfc..20657353b 100644
--- a/config/apparmor/abstractions/container-base.in
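Review bot: The `signal peer=@{profile_name}`, `ptrace peer=@{profile_name}` and `unix peer=(label=@{profile_name})` rules are commented as "ourselves" / "in the container", but `@{profile_name}` expands to the name of whichever profile includes this abstraction, and the hunk's own notes say per-container profiles are not yet available, so every container attached to that shared profile carries the same label and, as far as AppArmor is concerned, these three rules permit signal, ptrace and unix-socket traffic between containers, not just within one. What keeps containers apart is then the PID and network namespaces alone (abstract unix sockets are, to my knowledge, scoped by network namespace, so containers sharing one would be reachable). I would state that in the comments, e.g. `# Allow all unix between processes carrying our label; until per-container profiles exist that is every container using this profile, so isolation between them comes from namespaces, not from this rule.` with the same caveat on the signal and ptrace self-rules. The peer-less `ptrace (readby)` and `ptrace (tracedby)` rules admit any label with trace rights; the comment already points at `deny` overrides, and a `peer=unconfined` restriction like the one suggested for signals would be the natural stricter default once the host-side tracers are known.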
+++ b/config/apparmor/abstractions/container-base.in
@@ -3,11 +3,45 @@
 file,
 umount,
- # The following 3 entries are only supported by recent apparmor versions.
- # Comment them if the apparmor parser doesn't recognize them.
+ # dbus, signal, ptrace and unix are only supported by recent apparmor
+ # versions. Comment them if the apparmor parser doesn't recognize them.
+
+ # This also needs additional rules to reach outside of the container via
+ # DBus, so just let all of DBus within the container.
 dbus,
- signal,
- ptrace,
+
+ # Allow us to receive signals from anywhere. Note: if per-container profiles
+ # are supported, for container isolation this should be changed to something
+ # like:
+ # signal (receive) peer=unconfined,
+ # signal (receive) peer=/usr/bin/lxc-start,
+ signal (receive),
+
+ # Allow us to send signals to ourselves
+ signal peer=@{profile_name},
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace ourselves
+ ptrace peer=@{profile_name},
+
+ # Allow receive via unix sockets from anywhere. Note: if per-container
+ # profiles are supported, for container isolation this should be changed to
+ # something like:
+ # unix (receive) peer=(label=unconfined),
+ unix (receive),
+
+ # Allow all unix in the container
+ unix peer=(label=@{profile_name}),
 # ignore DENIED message on / remount
 deny mount options=(ro, remount) -> /,
--
2.47.2
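Review bot: The `deny mount options=(ro, remount, silent) -> /,` line that the container-base hunk adds after the existing remount deny has no counterpart in this hunk of container-base.in, whose trailing context stops at the unchanged `deny mount options=(ro, remount) -> /,`, and the diffstat (43 lines vs 42) is consistent with that one-line difference. If the template does not already carry the `silent` variant below this context (not visible here), regenerating container-base from it will drop the rule and the DENIED log noise it suppresses will come back. Since the two files are otherwise identical in this commit, adding the same line here, `deny mount options=(ro, remount, silent) -> /,`, keeps them in step. Anything in the template after the last context line is outside this hunk.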