Use apparmor_parser directly

The current load script does alot of things.  If it does not find the
parser loaded on the system it will just exit 0 and not load the
profile.  We think it should fail loudly if it cannot load the profile
and apparmor is enabled on the system.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby 2014-04-13 14:20:04 +00:00
parent 0868f77370
commit 811700f9f4
2 changed files with 21 additions and 35 deletions

View File

@ -8,12 +8,16 @@ package apparmor
import "C" import "C"
import ( import (
"io/ioutil" "io/ioutil"
"os"
"unsafe" "unsafe"
) )
func IsEnabled() bool { func IsEnabled() bool {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled") if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
return err == nil && len(buf) > 1 && buf[0] == 'Y' buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
return err == nil && len(buf) > 1 && buf[0] == 'Y'
}
return false
} }
func ApplyProfile(pid int, name string) error { func ApplyProfile(pid int, name string) error {

View File

@ -14,8 +14,6 @@ const (
) )
const DefaultProfile = ` const DefaultProfile = `
# AppArmor profile from lxc for containers.
#include <tunables/global> #include <tunables/global>
profile docker-default flags=(attach_disconnected,mediate_deleted) { profile docker-default flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base> #include <abstractions/base>
@ -24,43 +22,28 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
file, file,
umount, umount,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs, mount fstype=tmpfs,
# allow mqueue mounts everywhere
mount fstype=mqueue, mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse.*, mount fstype=fuse.*,
# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/, mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
# block some other dangerous paths deny @{PROC}/sys/fs/** wklx,
deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx, deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx, deny @{PROC}/kmem rwklx,
deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
deny @{PROC}/sys/kernel/*/** wklx, deny @{PROC}/sys/kernel/*/** wklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow deny mount options=(ro, remount) -> /,
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/, deny mount fstype=devpts,
mount fstype=sysfs -> /sys/,
deny /sys/[^f]*/** wklx, deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx, deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx, deny /sys/fs/[^c]*/** wklx,
@ -68,12 +51,6 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
deny /sys/fs/cg[^r]*/** wklx, deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/efi/efivars/** rwklx, deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx, deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
} }
` `
@ -101,11 +78,13 @@ func InstallDefaultProfile(backupPath string) error {
return err return err
} }
defer f.Close() defer f.Close()
src, err := os.Open(DefaultProfilePath) src, err := os.Open(DefaultProfilePath)
if err != nil { if err != nil {
return err return err
} }
defer src.Close() defer src.Close()
if _, err := io.Copy(f, src); err != nil { if _, err := io.Copy(f, src); err != nil {
return err return err
} }
@ -120,7 +99,10 @@ func InstallDefaultProfile(backupPath string) error {
return err return err
} }
output, err := exec.Command("/lib/init/apparmor-profile-load", "docker").CombinedOutput() // the current functionality of the load script is the exit 0 if the parser does not exist.
// we think we should fail loudly if you have apparmor enabled but not the parser to load
// the profile for use.
output, err := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker").CombinedOutput()
if err != nil { if err != nil {
return fmt.Errorf("Error loading docker profile: %s (%s)", err, output) return fmt.Errorf("Error loading docker profile: %s (%s)", err, output)
} }