search

containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
23.86k stars 2.42k forks source link

Apparmor on host is active in container despite use of --security-opt apparmor=unconfined #24142

Open leaf-node opened 1 month ago

leaf-node commented 1 month ago

Issue Description

Similar to #8575, Apparmor from the host is active inside of containers despite use of --security-opt apparmor=unconfined. I am running OpenSUSE Leap on an x86_64 machine.

Steps to reproduce the issue

Steps to reproduce the issue

  1. Run the following script on OpenSUSE Tumbleweed:
podman pod create -n zabbix -p 10051:8083/tcp

podman run -it -d --pod zabbix --name zabbix \
    -e DB_SERVER_HOST=localhost \
    -e MYSQL_USER=root \
    -e MYSQL_PASSWORD=change_me \
    --init \
    docker.io/zabbix/zabbix-server-mysql:latest

podman run -it -d --pod zabbix --name zabbix_web \
    --security-opt apparmor=unconfined \
    -e DB_SERVER_HOST=localhost \
    -e MYSQL_USER=root \
    -e MYSQL_PASSWORD=change_me \
    docker.io/zabbix/zabbix-web-nginx-mysql

podman run -it -d --pod zabbix --name zabbix_mysql \
    -e MYSQL_ROOT_PASSWORD=chanpodman logs -f zabbix_webge_me \
    docker.io/library/mysql:latest

podman logs -f zabbix_web

Describe the results you received

Once the DB is initialized, the log command above shows the following output:

...
[03-Oct-2024 00:27:32] ERROR: failed to open configuration file '/etc/php83/php-fpm.conf': Permission denied (13)
[03-Oct-2024 00:27:32] ERROR: failed to load configuration file '/etc/php83/php-fpm.conf'
[03-Oct-2024 00:27:32] ERROR: FPM initialization failed
2024-10-03 00:27:32,930 WARN exited: php-fpm83 (exit status 78; not expected)
2024-10-03 00:27:32,930 WARN exited: php-fpm83 (exit status 78; not expected)
type=AVC msg=audit(1727972414.238:1922): apparmor="DENIED" operation="open" class="file" profile="php-fpm" name="/etc/php83/php.ini" pid=518361 comm="php-fpm83" requested_mask="r" denied_mask="r" fsuid=101996 ouid=1000
type=AVC msg=audit(1727972414.238:1923): apparmor="DENIED" operation="open" class="file" profile="php-fpm" name="/etc/php83/conf.d/" pid=518361 comm="php-fpm83" requested_mask="r" denied_mask="r" fsuid=101996 ouid=1000
type=AVC msg=audit(1727972414.242:1924): apparmor="DENIED" operation="open" class="file" profile="php-fpm" name="/etc/php83/php-fpm.conf" pid=518361 comm="php-fpm83" requested_mask="r" denied_mask="r" fsuid=101996 ouid=101996

Describe the results you expected

I expected php-fpm to start in the Podman container.

podman info output

$ podman version
Client:       Podman Engine
Version:      5.2.3
API Version:  5.2.3
Go Version:   go1.23.1
Built:        Tue Sep 24 13:07:25 2024
OS/Arch:      linux/amd64

$ rpm -q podman
podman-5.2.3-1.1.x86_64

$ podman info
host:
  arch: amd64
  buildahVersion: 1.37.3
  cgroupControllers:
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.1.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: unknown'
  cpuUtilization:
    idlePercent: 98.23
    systemPercent: 0.51
    userPercent: 1.26
  cpus: 12
  databaseBackend: sqlite
  distribution:
    distribution: opensuse-tumbleweed
    version: "20240929"
  eventLogger: journald
  freeLocks: 2008
  hostname: mercury.lan
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.11.0-1-default
  linkmode: dynamic
  logDriver: journald
  memFree: 17847189504
  memTotal: 67096227840
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-1.1.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.1.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.1.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-20240906.6b38f07-2.1.x86_64
    version: |
      pasta 20240906.6b38f07-2.1
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 72h 44m 59.00s (Approximately 3.00 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/andrew/.config/containers/storage.conf
  containerStore:
    number: 19
    paused: 0
    running: 19
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/andrew/.local/share/containers/storage
  graphRootAllocated: 996912336896
  graphRootUsed: 360553746432
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 48
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/andrew/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.3
  Built: 1727197645
  BuiltTime: Tue Sep 24 13:07:25 2024
  GitCommit: ""
  GoVersion: go1.23.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.3

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

No response

Additional information

leaf-node commented 1 month ago

Here's the apparmor config: apparmor_php-fpm.txt (The markdown formatting was broken).

rhatdan commented 1 month ago

I don't run AppArmor, I use SELinux. But perhaps: The --security-opt apparmor=unconfined option does not set any further confinement, if the process running Podman is confined, then the container will continue the confinement.0

leaf-node commented 1 month ago

As a workaround, I placed the folllowing in /etc/apparmor.d/local/php-fpm:

# vim: ft=apparmor

# for Zabbix server in podman container
/etc/php83/** r,
/usr/share/zabbix/** r,
/usr/share/php83/** r,
/etc/zabbix/** r,
/tmp/php-fpm.sock rw,
/tmp/php-fpm.pid rw,

Then ran:

systemctl reload apparmor.service
github-actions[bot] commented 2 weeks ago

A friendly reminder that this issue had no activity for 30 days.