Use apparmor_parser directly
The current load script does alot of things. If it does not find the parser loaded on the system it will just exit 0 and not load the profile. We think it should fail loudly if it cannot load the profile and apparmor is enabled on the system. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
parent
0868f77370
commit
811700f9f4
|
@ -8,12 +8,16 @@ package apparmor
|
||||||
import "C"
|
import "C"
|
||||||
import (
|
import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
"unsafe"
|
"unsafe"
|
||||||
)
|
)
|
||||||
|
|
||||||
func IsEnabled() bool {
|
func IsEnabled() bool {
|
||||||
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
|
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
|
||||||
return err == nil && len(buf) > 1 && buf[0] == 'Y'
|
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
|
||||||
|
return err == nil && len(buf) > 1 && buf[0] == 'Y'
|
||||||
|
}
|
||||||
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func ApplyProfile(pid int, name string) error {
|
func ApplyProfile(pid int, name string) error {
|
||||||
|
|
|
@ -14,8 +14,6 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
const DefaultProfile = `
|
const DefaultProfile = `
|
||||||
# AppArmor profile from lxc for containers.
|
|
||||||
|
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
profile docker-default flags=(attach_disconnected,mediate_deleted) {
|
profile docker-default flags=(attach_disconnected,mediate_deleted) {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
|
@ -24,43 +22,28 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
|
||||||
file,
|
file,
|
||||||
umount,
|
umount,
|
||||||
|
|
||||||
# ignore DENIED message on / remount
|
|
||||||
deny mount options=(ro, remount) -> /,
|
|
||||||
|
|
||||||
# allow tmpfs mounts everywhere
|
|
||||||
mount fstype=tmpfs,
|
mount fstype=tmpfs,
|
||||||
|
|
||||||
# allow mqueue mounts everywhere
|
|
||||||
mount fstype=mqueue,
|
mount fstype=mqueue,
|
||||||
|
|
||||||
# allow fuse mounts everywhere
|
|
||||||
mount fstype=fuse.*,
|
mount fstype=fuse.*,
|
||||||
|
|
||||||
# allow bind mount of /lib/init/fstab for lxcguest
|
|
||||||
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
|
|
||||||
|
|
||||||
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
|
|
||||||
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
||||||
deny @{PROC}/sys/fs/** wklx,
|
|
||||||
|
|
||||||
# allow efivars to be mounted, writing to it will be blocked though
|
|
||||||
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
||||||
|
mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
||||||
|
mount fstype=securityfs -> /sys/kernel/security/,
|
||||||
|
mount fstype=debugfs -> /sys/kernel/debug/,
|
||||||
|
mount fstype=proc -> /proc/,
|
||||||
|
mount fstype=sysfs -> /sys/,
|
||||||
|
|
||||||
# block some other dangerous paths
|
deny @{PROC}/sys/fs/** wklx,
|
||||||
deny @{PROC}/sysrq-trigger rwklx,
|
deny @{PROC}/sysrq-trigger rwklx,
|
||||||
deny @{PROC}/mem rwklx,
|
deny @{PROC}/mem rwklx,
|
||||||
deny @{PROC}/kmem rwklx,
|
deny @{PROC}/kmem rwklx,
|
||||||
deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
|
deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
|
||||||
deny @{PROC}/sys/kernel/*/** wklx,
|
deny @{PROC}/sys/kernel/*/** wklx,
|
||||||
|
|
||||||
# deny writes in /sys except for /sys/fs/cgroup, also allow
|
deny mount options=(ro, remount) -> /,
|
||||||
# fusectl, securityfs and debugfs to be mounted there (read-only)
|
|
||||||
mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
|
||||||
mount fstype=securityfs -> /sys/kernel/security/,
|
|
||||||
mount fstype=debugfs -> /sys/kernel/debug/,
|
|
||||||
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
|
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
|
||||||
mount fstype=proc -> /proc/,
|
deny mount fstype=devpts,
|
||||||
mount fstype=sysfs -> /sys/,
|
|
||||||
deny /sys/[^f]*/** wklx,
|
deny /sys/[^f]*/** wklx,
|
||||||
deny /sys/f[^s]*/** wklx,
|
deny /sys/f[^s]*/** wklx,
|
||||||
deny /sys/fs/[^c]*/** wklx,
|
deny /sys/fs/[^c]*/** wklx,
|
||||||
|
@ -68,12 +51,6 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
|
||||||
deny /sys/fs/cg[^r]*/** wklx,
|
deny /sys/fs/cg[^r]*/** wklx,
|
||||||
deny /sys/firmware/efi/efivars/** rwklx,
|
deny /sys/firmware/efi/efivars/** rwklx,
|
||||||
deny /sys/kernel/security/** rwklx,
|
deny /sys/kernel/security/** rwklx,
|
||||||
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
|
|
||||||
|
|
||||||
# the container may never be allowed to mount devpts. If it does, it
|
|
||||||
# will remount the host's devpts. We could allow it to do it with
|
|
||||||
# the newinstance option (but, right now, we don't).
|
|
||||||
deny mount fstype=devpts,
|
|
||||||
}
|
}
|
||||||
`
|
`
|
||||||
|
|
||||||
|
@ -101,11 +78,13 @@ func InstallDefaultProfile(backupPath string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer f.Close()
|
defer f.Close()
|
||||||
|
|
||||||
src, err := os.Open(DefaultProfilePath)
|
src, err := os.Open(DefaultProfilePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer src.Close()
|
defer src.Close()
|
||||||
|
|
||||||
if _, err := io.Copy(f, src); err != nil {
|
if _, err := io.Copy(f, src); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -120,7 +99,10 @@ func InstallDefaultProfile(backupPath string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
output, err := exec.Command("/lib/init/apparmor-profile-load", "docker").CombinedOutput()
|
// the current functionality of the load script is the exit 0 if the parser does not exist.
|
||||||
|
// we think we should fail loudly if you have apparmor enabled but not the parser to load
|
||||||
|
// the profile for use.
|
||||||
|
output, err := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker").CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Error loading docker profile: %s (%s)", err, output)
|
return fmt.Errorf("Error loading docker profile: %s (%s)", err, output)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue