[apparmor] LXC + AppArmor vs. upcoming systemd v240

John Johansen john.johansen at canonical.com
Fri Oct 26 15:52:42 UTC 2018


On 10/26/18 8:26 AM, intrigeri wrote:
> Hi,
> 
> it's been brought to my attention [1] that the systemd master branch,
> that should become v240 soonish, includes changes to its namespacing
> behavior that may break a great number of services when run in a LXC
> container with AppArmor enabled.
> 
>   [1] https://bugs.debian.org/911806
> 
> This has been discussed and worked on quite a bit in systemd upstream
> in the last few months but AFAICT the focus has been on making the
> systemd test suite pass inside containers, e.g. by skipping specific
> tests when the privileges systemd needs to set up its namespacing
> are not available. Christian Brauner has been very helpful there.
> 
> My concern is that we may be missing another part of the problem, i.e.
> if/how these changes will break real-world use cases outside of the
> "run some CI jobs in LXC" context; skipping test cases won't help
> there. I did not test this myself, but my understanding is that the
> AppArmor policy we ship for LXC in Debian (the pristine 2.0.9 upstream
> one) prevents systemd from setting up its namespacing inside a LXC
> container, which used to be silently ignored but is now a fatal error.
> If my hunch is correct, then this will break LXC containers that run
> systemd v240+ in any distro that enables a similar AppArmor policy.
> 
> I don't use LXC myself, I know very little about Linux namespaces and
> their interaction with AppArmor in a LXC context, so I'm not in
> a position to do much about this. If the issue I'm wary of actually
> exists and is not addressed in time for the Debian Buster freeze, the
> best I will be able to do is to recommend the Debian LXC maintainers
> to turn AppArmor confinement of containers off by default.
> 
> So here is a call for help to anyone who cares about running systemd
> in LXC containers confined by AppArmor and has the skills to
> investigate this further :)  Thanks in advance!
> 
> For those who want to dive deeper, these should be good starting
> points:

I will start poking at this next week. There should be a few things
we can do here. Ubuntu uses LXD, apparmor, and systemd together.

LXD has the ability to set up apparmor policy namespaces, so that
the container can have its own policy separate from the system
policy. My guess from just scanning the bug is that system policy
transitions are being applied to the container.

Basically the system policy namespace is being applied directly
to the container, so unconfined policy attachments are happening
against the container as if it were part of the system mount
namespace.

We have 2 options from here.
1. Transition the container entirely to a new policy namespace.

System policy won't be applied at all.

2. Use LXD's stacking support.
LXD confines the container with a very loose apparmor profile.
And it sets up a policy namespace for the container, stacking
the container policy with the system policy.

There are still issues around apparmor and system namespaces
which require using attach_disconnected on the system profile
for LXD, but it's not generally a blocker.

There is a demo of apparmor stacking policy with LXD from
the opensuse summit.

slide deck: https://events.opensuse.org/conference/oSC18/program/proposal/1933
video: https://youtu.be/ofeCpN99FU8


> 
>   https://github.com/systemd/systemd/issues/10166
>   https://github.com/systemd/systemd/issues/9700
>   https://github.com/systemd/systemd/issues/10011
>   https://github.com/systemd/systemd/pull/10012
> 
> Cheers,
> 
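As an added example (not part of either message above, and not LXD's or AppArmor's own tooling), a small POSIX shell helper that classifies an AppArmor confinement label, as read from /proc/<pid>/attr/current, into the three situations discussed: system policy applied directly to the process, a separate policy namespace (AppArmor writes namespaced profiles as `:ns:profile`), or a stacked label (components joined with `//&`). The sample labels are constructed, and `lxd-c1_</var/lib/lxd>` is a placeholder profile name in LXD's naming style.

```sh
#!/bin/sh
# Classify an AppArmor label such as the contents of /proc/<pid>/attr/current.
# Assumed notation (AppArmor's own): "profile (mode)", stacked components
# joined with "//&", and profiles inside a policy namespace written ":ns:profile".
aa_label_kind() {
    label=$1
    # Drop the trailing " (enforce)" / " (complain)" mode annotation, if any.
    label=${label% (*}
    case $label in
        unconfined) echo system-unconfined ;;
        *"//&"*)
            # Stacked label: does any component live in a policy namespace?
            case $label in
                *"//&:"*|:*) echo stacked-with-namespace ;;
                *) echo stacked-system ;;
            esac ;;
        :*) echo namespaced ;;
        *) echo system-profile ;;
    esac
}

# Return 0 when the label means system policy transitions apply directly to
# the process (the situation described for the container in the thread).
aa_system_policy_applies() {
    case $(aa_label_kind "$1") in
        system-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a live process (default: the current shell). Falls back to
# "unconfined" where AppArmor is not present, e.g. no /proc/<pid>/attr/current.
aa_current_kind() {
    pid=${1:-self}
    aa_label_kind "$(cat /proc/"$pid"/attr/current 2>/dev/null || echo unconfined)"
}

echo "this shell: $(aa_current_kind)"
```

Run it from inside a container to see whether processes carry a plain system profile (option 1 or 2 not in effect), a namespaced label, or a stacked one.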