LXC, Juju and AppArmor (was: Re: Juju and AppArmor)
Sidnei da Silva
sidnei.da.silva at canonical.com
Sat Aug 10 09:37:30 UTC 2013
Hi Jamie,
We're starting to build up apparmor profiles for some of our juju-deployed
services.
Turns out that when deploying those into lxc containers we get an error
'trying to load profile while confined' or something along these lines.
Is there a way to make those apparmor profiles loadable even within lxc? My
understanding is that the lxc containers themselves are apparmor-confined,
which might be good enough to not escape into the host, but it would be
awesome to allow profiles to be applied within the container as well.
On Thu, Sep 29, 2011 at 7:42 PM, Jamie Strandboge <jamie at canonical.com>wrote:
> Hi!
>
> Juju offers a wonderful opportunity to combine robust and easy
> installations with the security benefits of AppArmor[1]. A big reason
> why policy makers for any Mandatory Access Control (MAC) system like
> AppArmor are unable to shipped usable default policy is because people
> are free to adjust paths for their applications in such a way that it
> makes it difficult to have a general-purpose policy that is usable yet
> still offers security benefits.
>
> Juju solves this because it gives us the opportunity to do what we never
> could with Debian packaging alone-- have predictable locations for
> files. The charm makers have deep insight into how the application works
> and where it is going to be installed and they can leverage this insight
> to create useful AppArmor policy for their applications. For example,
> someone uses the wordpress charm, and Juju does magic and out pops an
> apache installation with mod-apparmor enabled along with a changehat
> AppArmor policy for wordpress. Wordpress then runs in a confined
> environment that is analogous to a sandbox in such a way that attacks
> against wordpress are limited to only that which is allowed by the
> policy.
>
> For those unfamiliar with AppArmor[1], it is a very flexible technology
> that can significantly improve the security of applications, has a
> pretty low barrier to entry, works particularly well with isolating web
> applications, and can work with various other technologies. A lot of
> information can be found in the upstream documentation[2][3].
>
> If people are interested, there is plenty of example policy for daemons
> and other applications in Ubuntu[4]. To confine a web application,
> install the libapache2-mod-apparmor package and read the top
> of /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 and then you can
> install the phpsysinfo package for an example policy that works with
> mod-apparmor.
>
> While we can't really drive this, the Ubuntu Security team would be
> happy to help people in any way we can. Feel free to discuss on the
> ubuntu-hardened at lists.ubuntu.com mailing list or join us in
> #ubuntu-security on Freenode.
>
> Thanks and happy policy-making! :)
>
> [1]https://wiki.ubuntu.com/AppArmor
> [2]http://wiki.apparmor.net/index.php/Documentation
> [3]http://wiki.apparmor.net/index.php/Documentation#How-to_and_Tutorials
> [4]https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
>
> --
> Jamie Strandboge | http://www.canonical.com
>
>
> --
> Juju mailing list
> Juju at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
>
--
Sidnei
Make the most of Ubuntu with Ubuntu One
http://one.ubuntu.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/juju/attachments/20130810/13427ab6/attachment.html>
More information about the Juju
mailing list