containers / crun

A fast and lightweight fully featured OCI runtime and C library for running containers
GNU General Public License v2.0

Use /proc/self/attr/apparmor/exec for AppArmor profiles #1350

Closed Orochimarufan closed 1 year ago

Orochimarufan commented 1 year ago

src/libcrun/utils.c set_apparmor_profile() uses the legacy /proc/thread-self/attr/exec procfs interface for setting the AppArmor profile. This is brittle because it depends on the exact order of loaded LSMs and can break with as little as a change in kernel command line. It should probably try to use the new /proc/thread-self/attr/apparmor/exec interface instead.

Currently, any (rootful) containers will refuse to start with some LSM configurations:

# cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,bpf,apparmor
# podman run -ti --rm alpine
Error: OCI runtime error: crun: `/proc/thread-self/attr/exec`: OCI runtime error: unable to assign security attribute

The workaround is re-ordering the LSMs on the kernel command line so AppArmor comes earlier:

# cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,apparmor,bpf
# podman run --rm -ti alpine echo Hello
Hello

Note that set_selinux_label() may have a similar problem, but I'm not at all familiar with SELinux so I can't say for sure.

See also opencontainers/runc#2801
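Added example (not crun's code, and not from the issue author): a C helper that implements the fallback order the issue asks for, trying the per-LSM `apparmor/exec` file first and the shared legacy `exec` file only when the per-LSM file does not exist. The attribute directory is a parameter (normally `/proc/thread-self/attr`) so that `self_check` can exercise both layouts against constructed temp directories instead of the real procfs; the names `write_exec_profile`, `self_check` and the profile string `docker-default` are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Write "exec <profile>" to the AppArmor exec attribute below attr_dir
 * (normally /proc/thread-self/attr): the per-LSM apparmor/exec file first,
 * the legacy exec file (whose owner depends on LSM load order) only when the
 * per-LSM file is absent. Returns 0 or 1 for the file used, -1 on error. */
static int write_exec_profile (const char *attr_dir, const char *profile)
{
  static const char *const names[] = { "apparmor/exec", "exec" };
  char path[512], buf[256];
  int len = snprintf (buf, sizeof buf, "exec %s", profile);
  if (len < 0 || (size_t) len >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
  for (int i = 0; i < 2; i++)
    {
      snprintf (path, sizeof path, "%s/%s", attr_dir, names[i]);
      int fd = open (path, O_WRONLY | O_CLOEXEC);
      if (fd < 0 && errno == ENOENT) continue;  /* interface absent: try next */
      if (fd < 0) return -1;                    /* e.g. EINVAL from a wrong LSM */
      ssize_t n = write (fd, buf, len);         /* attr files take one write */
      int saved = errno; close (fd);
      if (n != len) { errno = n < 0 ? saved : EIO; return -1; }
      return i;
    }
  return -1;                                    /* neither file exists */
}
/* Constructed fixture (fake attr dirs under /tmp, not the real procfs): 0 if
 * legacy exec is used only as fallback and apparmor/exec gets the string. */
static int self_check (void)
{
  char dir[] = "/tmp/attr.XXXXXX", path[512], got[64] = "";
  if (mkdtemp (dir) == NULL) return -1;
  snprintf (path, sizeof path, "%s/exec", dir);
  if (close (open (path, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
  if (write_exec_profile (dir, "docker-default") != 1) return -1; /* old kernel */
  snprintf (path, sizeof path, "%s/apparmor", dir);
  if (mkdir (path, 0700) < 0) return -1;
  strcat (path, "/exec");
  if (close (open (path, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
  if (write_exec_profile (dir, "docker-default") != 0) return -1; /* new kernel */
  FILE *f = fopen (path, "r");
  if (f == NULL || fgets (got, sizeof got, f) == NULL) return -1;
  fclose (f);
  return strcmp (got, "exec docker-default") == 0 ? 0 : -1;
}
```

On a real kernel the write to the attribute file additionally requires the caller to hold the necessary privilege and AppArmor to be loaded; the fixture only checks the selection order.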

giuseppe commented 1 year ago

@Orochimarufan thanks for opening the issue.

Nobody in the dev team is familiar with AppArmor. Would it be possible for you to open a PR with a change you can test with the configuration you are using? I'll be glad to review it.