diff options
| author | Valentin Rothberg <vrothberg@suse.com> | 2018-07-09 08:50:52 +0200 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-07-11 16:36:24 +0000 |
| commit | 06ab343bd7c113fe761631142dde4829e8aa4d40 (patch) | |
| tree | 0f38b5dd752683d59f9cfe335b748bf759a76a9c | |
| parent | 84cfdb20617ac7a5a1138375599e28cdad26b824 (diff) | |
| download | podman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.gz podman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.bz2 podman-06ab343bd7c113fe761631142dde4829e8aa4d40.zip | |
podman/libpod: add default AppArmor profile
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
| -rw-r--r-- | Dockerfile | 4 | ||||
| -rw-r--r-- | Dockerfile.CentOS | 4 | ||||
| -rw-r--r-- | Dockerfile.Fedora | 5 | ||||
| -rw-r--r-- | Makefile | 14 | ||||
| -rw-r--r-- | cmd/podman/create.go | 52 | ||||
| -rwxr-xr-x | hack/apparmor_tag.sh | 7 | ||||
| -rwxr-xr-x | hack/dind | 33 | ||||
| -rw-r--r-- | pkg/apparmor/aaparser.go | 90 | ||||
| -rw-r--r-- | pkg/apparmor/aaparser_test.go | 75 | ||||
| -rw-r--r-- | pkg/apparmor/apparmor.go | 54 | ||||
| -rw-r--r-- | pkg/apparmor/apparmor_linux.go | 110 | ||||
| -rw-r--r-- | pkg/apparmor/apparmor_unsupported.go | 15 |
12 files changed, 457 insertions, 6 deletions
diff --git a/Dockerfile b/Dockerfile index 53db6a3bc..2a65d95a7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -115,3 +115,7 @@ COPY test/policy.json /etc/containers/policy.json COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redhat.com.yaml WORKDIR /go/src/github.com/projectatomic/libpod + +# Wrap all commands in the "docker-in-docker" script to allow nested containers, +# and allow testing of apparmor. +ENTRYPOINT ["./hack/dind"] diff --git a/Dockerfile.CentOS b/Dockerfile.CentOS index ed79042e7..f17468b61 100644 --- a/Dockerfile.CentOS +++ b/Dockerfile.CentOS @@ -80,3 +80,7 @@ COPY test/policy.json /etc/containers/policy.json COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redhat.com.yaml WORKDIR /go/src/github.com/projectatomic/libpod + +# Wrap all commands in the "docker-in-docker" script to allow nested containers, +# and allow testing of apparmor. +ENTRYPOINT ["./hack/dind"] diff --git a/Dockerfile.Fedora b/Dockerfile.Fedora index 6415db32b..bc8466848 100644 --- a/Dockerfile.Fedora +++ b/Dockerfile.Fedora @@ -83,4 +83,9 @@ COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redh # Install varlink stuff RUN pip3 install varlink + WORKDIR /go/src/github.com/projectatomic/libpod + +# Wrap all commands in the "docker-in-docker" script to allow nested containers, +# and allow testing of apparmor. +ENTRYPOINT ["./hack/dind"] @@ -17,7 +17,7 @@ ETCDIR ?= ${DESTDIR}/etc ETCDIR_LIBPOD ?= ${ETCDIR}/crio TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system -BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh) varlink +BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh) $(shell hack/apparmor_tag.sh) varlink BUILDTAGS_CROSS ?= containers_image_openpgp containers_image_ostree_stub exclude_graphdriver_btrfs exclude_graphdriver_devicemapper exclude_graphdriver_overlay ifneq (,$(findstring varlink,$(BUILDTAGS))) PODMAN_VARLINK_DEPENDENCIES = cmd/podman/varlink/ioprojectatomicpodman.go @@ -38,6 +38,8 @@ BUILD_INFO ?= $(shell date +%s) LDFLAGS_PODMAN ?= $(LDFLAGS) -X main.gitCommit=$(GIT_COMMIT) -X main.buildInfo=$(BUILD_INFO) ISODATE ?= $(shell date --iso-8601) LIBSECCOMP_COMMIT := release-2.3 +# Wrapper to setup mounts required by AppArmor +ENTRYPOINT := ./hack/dind # If GOPATH not specified, use one in the local directory ifeq ($(GOPATH),) @@ -137,13 +139,13 @@ libpodimage: docker build -t ${LIBPOD_IMAGE} . dbuild: libpodimage - docker run --name=${LIBPOD_INSTANCE} --privileged ${LIBPOD_IMAGE} -v ${PWD}:/go/src/${PROJECT} --rm make binaries + docker run --name=${LIBPOD_INSTANCE} --privileged ${LIBPOD_IMAGE} -v ${PWD}:/go/src/${PROJECT} --rm ${ENTRYPOINT} make binaries test: libpodimage - docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} make clean all localunit localintegration + docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} make clean all localunit localintegration integration: libpodimage - docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} make clean all localintegration + docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} make clean all localintegration integration.fedora: DIST=Fedora sh .papr_prepare.sh @@ -152,10 +154,10 @@ integration.centos: DIST=CentOS sh .papr_prepare.sh shell: libpodimage - docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -it --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} sh + docker run --tmpfs -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -it --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} sh testunit: libpodimage - docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} make localunit + docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} make localunit localunit: varlink_generate $(GO) test -tags "$(BUILDTAGS)" -cover $(PACKAGES) diff --git a/cmd/podman/create.go b/cmd/podman/create.go index d61f85442..6a70e3f43 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -19,9 +19,11 @@ import ( "github.com/projectatomic/libpod/libpod" "github.com/projectatomic/libpod/libpod/image" ann "github.com/projectatomic/libpod/pkg/annotations" + "github.com/projectatomic/libpod/pkg/apparmor" "github.com/projectatomic/libpod/pkg/inspect" cc "github.com/projectatomic/libpod/pkg/spec" "github.com/projectatomic/libpod/pkg/util" + libpodVersion "github.com/projectatomic/libpod/version" "github.com/sirupsen/logrus" "github.com/urfave/cli" ) @@ -194,6 +196,56 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error { } } + if config.ApparmorProfile == "" { + // Unless specified otherwise, make sure that the default AppArmor + // profile is installed. To avoid redundantly loading the profile + // on each invocation, check if it's loaded before installing it. + // Suffix the profile with the current libpod version to allow + // loading the new, potentially updated profile after an update. + profile := fmt.Sprintf("%s-%s", apparmor.DefaultLibpodProfile, libpodVersion.Version) + + loadProfile := func() error { + isLoaded, err := apparmor.IsLoaded(profile) + if err != nil { + return err + } + if !isLoaded { + err = apparmor.InstallDefault(profile) + if err != nil { + return err + } + + } + return nil + } + + if err := loadProfile(); err != nil { + switch err { + case apparmor.ErrApparmorUnsupported: + // do not set the profile when AppArmor isn't supported + logrus.Debugf("AppArmor is not supported: setting empty profile") + default: + return err + } + } else { + logrus.Infof("Sucessfully loaded AppAmor profile '%s'", profile) + config.ApparmorProfile = profile + } + } else { + isLoaded, err := apparmor.IsLoaded(config.ApparmorProfile) + if err != nil { + switch err { + case apparmor.ErrApparmorUnsupported: + return fmt.Errorf("profile specified but AppArmor is not supported") + default: + return fmt.Errorf("error checking if AppArmor profile is loaded: %v", err) + } + } + if !isLoaded { + return fmt.Errorf("specified AppArmor profile '%s' is not loaded", config.ApparmorProfile) + } + } + if config.SeccompProfilePath == "" { if _, err := os.Stat(libpod.SeccompOverridePath); err == nil { config.SeccompProfilePath = libpod.SeccompOverridePath diff --git a/hack/apparmor_tag.sh b/hack/apparmor_tag.sh new file mode 100755 index 000000000..6d4bec91b --- /dev/null +++ b/hack/apparmor_tag.sh @@ -0,0 +1,7 @@ +#!/bin/bash +if pkg-config libapparmor 2> /dev/null ; then + # Travis CI does not support AppArmor, so we cannot run tests there. + if [ -z "$TRAVIS" ]; then + echo apparmor + fi +fi diff --git a/hack/dind b/hack/dind new file mode 100755 index 000000000..3254f9dbe --- /dev/null +++ b/hack/dind @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +set -e + +# DinD: a wrapper script which allows docker to be run inside a docker container. +# Original version by Jerome Petazzoni <jerome@docker.com> +# See the blog post: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/ +# +# This script should be executed inside a docker container in privileged mode +# ('docker run --privileged', introduced in docker 0.6). + +# Usage: dind CMD [ARG...] + +# apparmor sucks and Docker needs to know that it's in a container (c) @tianon +export container=docker + +if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then + mount -t securityfs none /sys/kernel/security || { + echo >&2 'Could not mount /sys/kernel/security.' + echo >&2 'AppArmor detection and --privileged mode might break.' + } +fi + +# Mount /tmp (conditionally) +if ! mountpoint -q /tmp; then + mount -t tmpfs none /tmp +fi + +if [ $# -gt 0 ]; then + exec "$@" +fi + +echo >&2 'ERROR: No command specified.' +echo >&2 'You probably want to run hack/make.sh, or maybe a shell?' diff --git a/pkg/apparmor/aaparser.go b/pkg/apparmor/aaparser.go new file mode 100644 index 000000000..cec9c4885 --- /dev/null +++ b/pkg/apparmor/aaparser.go @@ -0,0 +1,90 @@ +// +build linux,apparmor + +package apparmor + +import ( + "fmt" + "os/exec" + "strconv" + "strings" +) + +const ( + binary = "apparmor_parser" +) + +// getVersion returns the major and minor version of apparmor_parser. +func getVersion() (int, error) { + output, err := cmd("", "--version") + if err != nil { + return -1, err + } + + return parseVersion(output) +} + +// loadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to +// replace the profile. The `-K` is necessary to make sure that apparmor_parser +// doesn't try to write to a read-only filesystem. +func loadProfile(profilePath string) error { + _, err := cmd("", "-Kr", profilePath) + return err +} + +// cmd runs `apparmor_parser` with the passed arguments. +func cmd(dir string, arg ...string) (string, error) { + c := exec.Command(binary, arg...) + c.Dir = dir + + output, err := c.CombinedOutput() + if err != nil { + return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err) + } + + return string(output), nil +} + +// parseVersion takes the output from `apparmor_parser --version` and returns +// a representation of the {major, minor, patch} version as a single number of +// the form MMmmPPP {major, minor, patch}. +func parseVersion(output string) (int, error) { + // output is in the form of the following: + // AppArmor parser version 2.9.1 + // Copyright (C) 1999-2008 Novell Inc. + // Copyright 2009-2012 Canonical Ltd. + + lines := strings.SplitN(output, "\n", 2) + words := strings.Split(lines[0], " ") + version := words[len(words)-1] + + // split by major minor version + v := strings.Split(version, ".") + if len(v) == 0 || len(v) > 3 { + return -1, fmt.Errorf("parsing version failed for output: `%s`", output) + } + + // Default the versions to 0. + var majorVersion, minorVersion, patchLevel int + + majorVersion, err := strconv.Atoi(v[0]) + if err != nil { + return -1, err + } + + if len(v) > 1 { + minorVersion, err = strconv.Atoi(v[1]) + if err != nil { + return -1, err + } + } + if len(v) > 2 { + patchLevel, err = strconv.Atoi(v[2]) + if err != nil { + return -1, err + } + } + + // major*10^5 + minor*10^3 + patch*10^0 + numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel + return numericVersion, nil +} diff --git a/pkg/apparmor/aaparser_test.go b/pkg/apparmor/aaparser_test.go new file mode 100644 index 000000000..9d97969c7 --- /dev/null +++ b/pkg/apparmor/aaparser_test.go @@ -0,0 +1,75 @@ +// +build linux,apparmor + +package apparmor + +import ( + "testing" +) + +type versionExpected struct { + output string + version int +} + +func TestParseVersion(t *testing.T) { + versions := []versionExpected{ + { + output: `AppArmor parser version 2.10 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 210000, + }, + { + output: `AppArmor parser version 2.8 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 208000, + }, + { + output: `AppArmor parser version 2.20 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 220000, + }, + { + output: `AppArmor parser version 2.05 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 205000, + }, + { + output: `AppArmor parser version 2.9.95 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 209095, + }, + { + output: `AppArmor parser version 3.14.159 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 314159, + }, + } + + for _, v := range versions { + version, err := parseVersion(v.output) + if err != nil { + t.Fatalf("expected error to be nil for %#v, got: %v", v, err) + } + if version != v.version { + t.Fatalf("expected version to be %d, was %d, for: %#v\n", v.version, version, v) + } + } +} diff --git a/pkg/apparmor/apparmor.go b/pkg/apparmor/apparmor.go new file mode 100644 index 000000000..1c205f68a --- /dev/null +++ b/pkg/apparmor/apparmor.go @@ -0,0 +1,54 @@ +package apparmor + +import ( + "errors" +) + +var ( + // profileDirectory is the file store for apparmor profiles and macros. + profileDirectory = "/etc/apparmor.d" + // DefaultLibpodProfile is the name of default libpod AppArmor profile. + DefaultLibpodProfile = "libpod-default" + // ErrApparmorUnsupported indicates that AppArmor support is not supported. + ErrApparmorUnsupported = errors.New("AppArmor is not supported") +) + +const libpodProfileTemplate = ` +{{range $value := .Imports}} +{{$value}} +{{end}} + +profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { +{{range $value := .InnerImports}} + {{$value}} +{{end}} + + network, + capability, + file, + umount, + + deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) + # deny write to files not in /proc/<number>/** or /proc/sys/** + deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, + deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) + deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/kcore rwklx, + + deny mount, + + deny /sys/[^f]*/** wklx, + deny /sys/f[^s]*/** wklx, + deny /sys/fs/[^c]*/** wklx, + deny /sys/fs/c[^g]*/** wklx, + deny /sys/fs/cg[^r]*/** wklx, + deny /sys/firmware/** rwklx, + deny /sys/kernel/security/** rwklx, + +{{if ge .Version 208095}} + # suppress ptrace denials when using using 'ps' inside a container + ptrace (trace,read) peer={{.Name}}, +{{end}} +} +` diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go new file mode 100644 index 000000000..6e8b7f312 --- /dev/null +++ b/pkg/apparmor/apparmor_linux.go @@ -0,0 +1,110 @@ +// +build linux,apparmor + +package apparmor + +import ( + "bufio" + "io" + "io/ioutil" + "os" + "path" + "strings" + "text/template" +) + +// profileData holds information about the given profile for generation. +type profileData struct { + // Name is profile name. + Name string + // Imports defines the apparmor functions to import, before defining the profile. + Imports []string + // InnerImports defines the apparmor functions to import in the profile. + InnerImports []string + // Version is the {major, minor, patch} version of apparmor_parser as a single number. + Version int +} + +// generateDefault creates an apparmor profile from ProfileData. +func (p *profileData) generateDefault(out io.Writer) error { + compiled, err := template.New("apparmor_profile").Parse(libpodProfileTemplate) + if err != nil { + return err + } + + if macroExists("tunables/global") { + p.Imports = append(p.Imports, "#include <tunables/global>") + } else { + p.Imports = append(p.Imports, "@{PROC}=/proc/") + } + + if macroExists("abstractions/base") { + p.InnerImports = append(p.InnerImports, "#include <abstractions/base>") + } + + ver, err := getVersion() + if err != nil { + return err + } + p.Version = ver + + return compiled.Execute(out, p) +} + +// macrosExists checks if the passed macro exists. +func macroExists(m string) bool { + _, err := os.Stat(path.Join(profileDirectory, m)) + return err == nil +} + +// InstallDefault generates a default profile in a temp directory determined by +// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'. +func InstallDefault(name string) error { + p := profileData{ + Name: name, + } + + // Install to a temporary directory. + f, err := ioutil.TempFile("", name) + if err != nil { + return err + } + profilePath := f.Name() + + defer f.Close() + defer os.Remove(profilePath) + + if err := p.generateDefault(f); err != nil { + return err + } + + return loadProfile(profilePath) +} + +// IsLoaded checks if a profile with the given name has been loaded into the +// kernel. +func IsLoaded(name string) (bool, error) { + file, err := os.Open("/sys/kernel/security/apparmor/profiles") + if err != nil { + if os.IsNotExist(err) { + return false, nil + } + return false, err + } + defer file.Close() + + r := bufio.NewReader(file) + for { + p, err := r.ReadString('\n') + if err == io.EOF { + break + } + if err != nil { + return false, err + } + if strings.HasPrefix(p, name+" ") { + return true, nil + } + } + + return false, nil +} diff --git a/pkg/apparmor/apparmor_unsupported.go b/pkg/apparmor/apparmor_unsupported.go new file mode 100644 index 000000000..0f1ab9464 --- /dev/null +++ b/pkg/apparmor/apparmor_unsupported.go @@ -0,0 +1,15 @@ +// +build !linux !apparmor + +package apparmor + +// InstallDefault generates a default profile in a temp directory determined by +// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'. +func InstallDefault(name string) error { + return ErrApparmorUnsupported +} + +// IsLoaded checks if a profile with the given name has been loaded into the +// kernel. +func IsLoaded(name string) (bool, error) { + return false, ErrApparmorUnsupported +} |