please restrict signal, ptrace and unix mediation to the container

Bug #1373555 reported by Jamie Strandboge
Affects            Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)  Fix Released  Undecided   Jamie Strandboge
lxc (Ubuntu)       Fix Released  High        Unassigned

Bug Description

Right now the container policy uses bare rules for ptrace and signal. We should refine these rules to be container specific and add unix rules to do the same. Obviously, namespaces are intended to block these accesses in and of themselves, but this adds an incremental improvement and security in depth in case something goes wrong there.

Tags: patch apparmor
Jamie Strandboge (jdstrand) wrote :

I'll post a debdiff for this in a bit.

tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Here is the debdiff. It works with the testing as outlined in https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only (see the lxc section). This is not comprehensive, so I am hoping an lxc maintainer can run this through its paces. Also, I made no changes to start-container because I wasn't sure of the benefit it would provide there. Feel free to apply the types of rules made to container-base to start-container. The debdiff updates rules a little, and I tested that it dtrt when building on trusty.

description: updated
tags: added: patch
Serge Hallyn (serge-hallyn) wrote :

Thanks I'll do some testing. I suspect we'll need to allow access to cgmanager, but otherwise this looks good.

Changed in lxc (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Serge Hallyn (serge-hallyn) wrote :

Since you're not restricting dbus, cgmanager is actually unaffected, so this shouldn't restrict nested use at all.

Changed in lxc (Ubuntu):
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

AppArmor task added to adjust Breaks for lxc.

Changed in apparmor (Ubuntu):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

For posterity, the debdiff lacked the following:
  # Allow lxc-start to signal us
  signal (receive) peer=/usr/bin/lxc-start,

Serge is incorporating that into the patchset that is being submitted upstream.

Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
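The shape of the refinement this bug asks for, as an added illustration that is not the lxc package's actual policy text: a bare `ptrace,` or `signal,` rule lets a confined task trace or signal any peer on the host and relies on the pid namespace alone to keep containers apart, whereas a `peer=` qualifier ties the access to tasks carrying the container's own AppArmor label. The profile name, the flags and the omission of every file, mount and network rule a real container profile needs are assumptions made to keep the fragment short; the `@{profile_name}` variable, the `peer=` syntax and the `signal (receive) peer=/usr/bin/lxc-start,` line are standard AppArmor syntax and the rule quoted in the comment above.

```apparmor
# Added illustration, not the lxc package's policy. Profile name and flags
# are assumed; file/mount/network rules a real container needs are omitted.

# Before: bare rules. Any peer may be traced or signalled; only the pid
# namespace stands between this container and the host.
#
#   ptrace,
#   signal,

# After: the same classes of access, restricted to peers with this
# container's label, so a namespace escape still hits an AppArmor denial.
profile lxc-container-example flags=(attach_disconnected,mediate_deleted) {

  # Processes in this container may ptrace each other, nothing else.
  ptrace peer=@{profile_name},

  # Processes in this container may signal each other, nothing else.
  signal peer=@{profile_name},

  # lxc-start (confined by its own profile, labelled by its path) must
  # still be able to signal the container, e.g. on lxc-stop.
  signal (receive) peer=/usr/bin/lxc-start,

  # Unix-domain sockets: only exchange messages with peers carrying our
  # own label, matching the scope of the ptrace and signal rules above.
  unix peer=(label=@{profile_name}),
}
```

Because the unix rule mediates only AF_UNIX sockets, D-Bus traffic to a daemon such as cgmanager is unaffected unless a `dbus` rule is added, which is why the comment above notes that nested use is not restricted. A quick check that the rules bite is to `kill -0` a host pid from inside the container and look for an `apparmor="DENIED" operation="signal"` line in the kernel log carrying the container's profile name.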
Jamie Strandboge (jdstrand) wrote :

lxc_1.1.0~alpha1-0ubuntu5.debdiff_v2 updated based on upstream feedback.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.1.0~alpha1-0ubuntu5

---------------
lxc (1.1.0~alpha1-0ubuntu5) utopic; urgency=medium

  * d/p/0003-apparmor-also-deny-silent-remount.patch: update to also patch
    container-base.in
  * d/p/0004-apparmor-signal-ptrace-unix-mediation.patch: refine signal and
    ptrace rules and add unix rules for container enforcement (LP: #1373555)
  * debian/rules:
    - don't delete the dbus, ptrace and signal lines, but instead comment them
      out. This is more consistent with the comment in the policy and lets
      people see what the policy would be
    - adjust for unix rules
    - adjust versioned depends
 -- Jamie Strandboge <email address hidden> Fri, 26 Sep 2014 10:59:21 -0500

Changed in lxc (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu6

---------------
apparmor (2.8.96~2652-0ubuntu6) utopic; urgency=medium

  * lp1169881.patch: add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881)
  * debian/control: update Breaks on lxc 1.1.0~alpha1-0ubuntu5~ (LP: #1373555)
 -- Jamie Strandboge <email address hidden> Thu, 25 Sep 2014 09:03:06 -0500

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released