git.ipfire.org Git - thirdparty/lxc.git/commit
lsm: apparmor: allow to change mount propagation 4295/head
author    Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
          Fri, 31 Mar 2023 11:25:37 +0000 (13:25 +0200)
committer Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
          Fri, 31 Mar 2023 12:30:19 +0000 (14:30 +0200)
commit    890de075941a8d6e8d0294480e82c72e6de51fc1
tree      67a7d5326dddf437e071e12a0ab957ea872901c2
parent    52326514c64b6622368475307d7a7a76c3ee3780
lsm: apparmor: allow to change mount propagation

Long story behind this. Many years ago, Stéphane Graber
discovered an issue with apparmor mount rules.

Since commit
https://github.com/lxc/lxc/commit/7f2b13275daf68b173474900b1ce2c04105da33f
("apparmor: Update mount states handling") it has been prohibited
to change mount propagation flags, because by adding rules which
allow mount propagation, a user inside the container gets the ability
to mount everything [1].

Now with modern systemd versions this problem has become more critical than
before. For instance, ArchLinux containers fail to start without the
nesting apparmor profile enabled (because the nesting profile effectively
just allows all mounts). Of course, that's a security issue.

We've also enabled sharing on the container rootfs:
https://github.com/lxc/lxc/pull/4229

Now for many workloads it's needed to change the propagation flag to
private (see https://github.com/canonical/craft-parts/pull/400).

Issue:
$ lxc-start -F archlinux-test

systemd 253-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Arch Linux!

bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
Failed to remount root directory as MS_SLAVE: Permission denied
(sd-gens) failed with exit status 1.
[!!!!!!] Failed to start up manager.
Exiting PID 1...

Workaround (unsafe):
$ lxc-start -s lxc.apparmor.allow_nesting=1 -s lxc.apparmor.profile=generated -F arch-test

John Johansen (AppArmor maintainer) and the LXD team worked on a fix [2].
It was already merged into the stable AppArmor 3.0 and 3.1 branches.
There is no stable AppArmor version tag for that yet, but I think it will
be in AppArmor version 3.0.10.

See also:
[1] https://bugs.launchpad.net/apparmor/+bug/1597017
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/333

Fixes: #4280
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
config/apparmor/abstractions/container-base
config/apparmor/abstractions/container-base.in
src/lxc/lsm/apparmor.c
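The "Failed to remount root directory as MS_SLAVE: Permission denied" line in the commit message is systemd changing the propagation of the container's root mount. The script below is an added diagnostic, not code from this commit or from LXC: it reads the propagation mode of the root mount from /proc/self/mountinfo and, when run as root with CAP_SYS_ADMIN, repeats systemd's MS_SLAVE|MS_REC remount in a throwaway mount namespace so the profile's decision is visible without touching the live mount tree. The function names and the sample mountinfo lines are my own.

```shell
# Added diagnostic (not part of this LXC commit): inspect the propagation mode of
# the container's root mount and test the MS_SLAVE remount systemd performs at boot.
# Print the propagation mode encoded in one /proc/self/mountinfo line. Optional
# fields follow the mount options (field 6) and end at the "-" separator:
#   shared:N   peer group N (shared)      master:N   slave of peer group N
#   unbindable unbindable                 no tag     private
propagation_of() {
    shared=0; slave=0; unbind=0
    set -- $1
    shift 6
    for field in "$@"; do
        case $field in
            -)          break ;;
            shared:*)   shared=1 ;;
            master:*)   slave=1 ;;
            unbindable) unbind=1 ;;
        esac
    done
    if   [ $unbind = 1 ]; then echo unbindable
    elif [ $shared = 1 ] && [ $slave = 1 ]; then echo shared-slave
    elif [ $shared = 1 ]; then echo shared
    elif [ $slave = 1 ]; then echo slave
    else echo private
    fi
}
# Propagation mode of the mount at a given mount point (default "/").
mount_propagation() {
    mp=${1:-/}
    [ -r /proc/self/mountinfo ] || { echo unknown; return 0; }
    while IFS= read -r line; do
        set -- $line
        if [ "$5" = "$mp" ]; then propagation_of "$line"; return 0; fi
    done < /proc/self/mountinfo
    echo unknown
}
# Repeat systemd's "remount root as MS_SLAVE" (mount --make-rslave /) inside a
# throwaway mount namespace so the live tree is untouched. Needs CAP_SYS_ADMIN;
# --propagation unchanged stops unshare from doing its own make-rprivate first,
# which the old profile would also have denied. "Permission denied" on stderr
# is the LSM denial shown in the commit message.
try_make_rslave() {
    unshare -m --propagation unchanged sh -c 'mount --make-rslave /' \
        && echo "MS_SLAVE remount of /: allowed" \
        || echo "MS_SLAVE remount of /: denied"
}
echo "root propagation: $(mount_propagation /)"
if [ "$(id -u)" = 0 ] && command -v unshare >/dev/null 2>&1; then try_make_rslave; fi
```

A root mount reported as "shared" is the state https://github.com/lxc/lxc/pull/4229 produces, so systemd's MS_SLAVE remount is exactly the operation the profile has to permit.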