[apparmor] Regarding using apparmor to harden container configuration

Seth Arnold seth.arnold at canonical.com
Wed Nov 4 20:45:21 UTC 2020 

On Wed, Nov 04, 2020 at 11:31:54AM -0500, swarna latha wrote:
> 1. My process will be using a set of libraries and these libraries might be
> writing to some files in the rootfs or need some capabs. I dont see this
> files/capabs in my apparmor logs. Is this expected behaviour ?

Hello Swarna, you'll need to give a lot more information for useful
feedback. What kernel are you using? What container system are you using?
How are you loading the profiles? What profiles are you loading? Can you
see the loading messages in the logs? Have you confirmed with simple test
programs that AppArmor is working at all in your environment?

> 2. Is there any limitation for apparmor to monitor applications running in
> container or is it the same as an application running in the host ?

There's some subtlety to working with AppArmor in containers, yes; for
example, the chromium sandbox uses unprivileged user namespaces and then
proceeds to use capabilities 'within' that new user namespace. These
aren't "real" capabilities from the perspective of the outside world, they
shouldn't grant undue privileges to do things outside the container,
but within the container they should kind of work.

Here's some examples:

root at u20:/# mkdir /tmp/foo ; chmod 000 /tmp/foo
root at u20:/# echo "include <tunables/global> profile test { include <abstractions/base> /usr/bin/* rmix, /etc/** r, }" | apparmor_parser --replace
root at u20:/# aa-exec -p test cat /etc/shadow
root:*:18478:0:99999:7:::
[...]
root at u20:/# aa-exec -p test cat /root/.bashrc
cat: /root/.bashrc: Permission denied
root at u20:/# aa-exec -p test ls -l /tmp/foo
ls: cannot open directory '/tmp/foo': Permission denied

Within the container:
root at u20:/# ps auxwZ | grep sleep
test (enforce)                  root        1348  0.0  0.0   7228   460 pts/0    S    20:39   0:00 sleep 100
unconfined                      root        1353  0.0  0.0   8160   576 pts/0    S+   20:41   0:00 grep --color=auto sleep

Outside the container:
sarnold at millbarge:~$ ps auxwZ | grep sleep
lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:test (enforce) 1000000 410011 0.0  0.0 7228 460 pts/0 S 20:39   0:00 sleep 100
unconfined                      sarnold   410547  0.0  0.0   6772   568 pts/2    S+   20:40   0:00 grep --color=auto sleep


And AppArmor has logged these events:

sarnold at millbarge:~$ grep -e 'DENIED.*u20' -e 'operation="profile_load"' /var/log/audit/audit.log | tail -4
type=AVC msg=audit(1604521212.527:644468): apparmor="STATUS" operation="profile_load" label="lxd-u20_</var/snap/lxd/common/lxd>//&:lxd-u20_<var-snap-lxd-common-lxd>:unconfined" name="test" pid=398872 comm="apparmor_parser"
type=AVC msg=audit(1604521274.330:644469): apparmor="DENIED" operation="open" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" name="/root/.bashrc" pid=399475 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=2  capname="dac_read_search"
type=AVC msg=audit(1604521708.134:644474): apparmor="DENIED" operation="capable" namespace="root//lxd-u20_<var-snap-lxd-common-lxd>" profile="test" pid=403302 comm="ls" capability=1  capname="dac_override"

sarnold at millbarge:~$ uname -a
Linux millbarge 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20201104/7b46cc1c/attachment.sig>

More information about the AppArmor mailing list