diff options
author | Valentin Rothberg <vrothberg@suse.com> | 2018-07-09 08:50:52 +0200 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-07-11 16:36:24 +0000 |
commit | 06ab343bd7c113fe761631142dde4829e8aa4d40 (patch) | |
tree | 0f38b5dd752683d59f9cfe335b748bf759a76a9c /pkg/apparmor | |
parent | 84cfdb20617ac7a5a1138375599e28cdad26b824 (diff) | |
download | podman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.gz podman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.bz2 podman-06ab343bd7c113fe761631142dde4829e8aa4d40.zip |
podman/libpod: add default AppArmor profile
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
Diffstat (limited to 'pkg/apparmor')
-rw-r--r-- | pkg/apparmor/aaparser.go | 90 | ||||
-rw-r--r-- | pkg/apparmor/aaparser_test.go | 75 | ||||
-rw-r--r-- | pkg/apparmor/apparmor.go | 54 | ||||
-rw-r--r-- | pkg/apparmor/apparmor_linux.go | 110 | ||||
-rw-r--r-- | pkg/apparmor/apparmor_unsupported.go | 15 |
5 files changed, 344 insertions, 0 deletions
diff --git a/pkg/apparmor/aaparser.go b/pkg/apparmor/aaparser.go new file mode 100644 index 000000000..cec9c4885 --- /dev/null +++ b/pkg/apparmor/aaparser.go @@ -0,0 +1,90 @@ +// +build linux,apparmor + +package apparmor + +import ( + "fmt" + "os/exec" + "strconv" + "strings" +) + +const ( + binary = "apparmor_parser" +) + +// getVersion returns the major and minor version of apparmor_parser. +func getVersion() (int, error) { + output, err := cmd("", "--version") + if err != nil { + return -1, err + } + + return parseVersion(output) +} + +// loadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to +// replace the profile. The `-K` is necessary to make sure that apparmor_parser +// doesn't try to write to a read-only filesystem. +func loadProfile(profilePath string) error { + _, err := cmd("", "-Kr", profilePath) + return err +} + +// cmd runs `apparmor_parser` with the passed arguments. +func cmd(dir string, arg ...string) (string, error) { + c := exec.Command(binary, arg...) + c.Dir = dir + + output, err := c.CombinedOutput() + if err != nil { + return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err) + } + + return string(output), nil +} + +// parseVersion takes the output from `apparmor_parser --version` and returns +// a representation of the {major, minor, patch} version as a single number of +// the form MMmmPPP {major, minor, patch}. +func parseVersion(output string) (int, error) { + // output is in the form of the following: + // AppArmor parser version 2.9.1 + // Copyright (C) 1999-2008 Novell Inc. + // Copyright 2009-2012 Canonical Ltd. + + lines := strings.SplitN(output, "\n", 2) + words := strings.Split(lines[0], " ") + version := words[len(words)-1] + + // split by major minor version + v := strings.Split(version, ".") + if len(v) == 0 || len(v) > 3 { + return -1, fmt.Errorf("parsing version failed for output: `%s`", output) + } + + // Default the versions to 0. + var majorVersion, minorVersion, patchLevel int + + majorVersion, err := strconv.Atoi(v[0]) + if err != nil { + return -1, err + } + + if len(v) > 1 { + minorVersion, err = strconv.Atoi(v[1]) + if err != nil { + return -1, err + } + } + if len(v) > 2 { + patchLevel, err = strconv.Atoi(v[2]) + if err != nil { + return -1, err + } + } + + // major*10^5 + minor*10^3 + patch*10^0 + numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel + return numericVersion, nil +} diff --git a/pkg/apparmor/aaparser_test.go b/pkg/apparmor/aaparser_test.go new file mode 100644 index 000000000..9d97969c7 --- /dev/null +++ b/pkg/apparmor/aaparser_test.go @@ -0,0 +1,75 @@ +// +build linux,apparmor + +package apparmor + +import ( + "testing" +) + +type versionExpected struct { + output string + version int +} + +func TestParseVersion(t *testing.T) { + versions := []versionExpected{ + { + output: `AppArmor parser version 2.10 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 210000, + }, + { + output: `AppArmor parser version 2.8 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 208000, + }, + { + output: `AppArmor parser version 2.20 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 220000, + }, + { + output: `AppArmor parser version 2.05 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 205000, + }, + { + output: `AppArmor parser version 2.9.95 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 209095, + }, + { + output: `AppArmor parser version 3.14.159 +Copyright (C) 1999-2008 Novell Inc. +Copyright 2009-2012 Canonical Ltd. + +`, + version: 314159, + }, + } + + for _, v := range versions { + version, err := parseVersion(v.output) + if err != nil { + t.Fatalf("expected error to be nil for %#v, got: %v", v, err) + } + if version != v.version { + t.Fatalf("expected version to be %d, was %d, for: %#v\n", v.version, version, v) + } + } +} diff --git a/pkg/apparmor/apparmor.go b/pkg/apparmor/apparmor.go new file mode 100644 index 000000000..1c205f68a --- /dev/null +++ b/pkg/apparmor/apparmor.go @@ -0,0 +1,54 @@ +package apparmor + +import ( + "errors" +) + +var ( + // profileDirectory is the file store for apparmor profiles and macros. + profileDirectory = "/etc/apparmor.d" + // DefaultLibpodProfile is the name of default libpod AppArmor profile. + DefaultLibpodProfile = "libpod-default" + // ErrApparmorUnsupported indicates that AppArmor support is not supported. + ErrApparmorUnsupported = errors.New("AppArmor is not supported") +) + +const libpodProfileTemplate = ` +{{range $value := .Imports}} +{{$value}} +{{end}} + +profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { +{{range $value := .InnerImports}} + {{$value}} +{{end}} + + network, + capability, + file, + umount, + + deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) + # deny write to files not in /proc/<number>/** or /proc/sys/** + deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, + deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) + deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/kcore rwklx, + + deny mount, + + deny /sys/[^f]*/** wklx, + deny /sys/f[^s]*/** wklx, + deny /sys/fs/[^c]*/** wklx, + deny /sys/fs/c[^g]*/** wklx, + deny /sys/fs/cg[^r]*/** wklx, + deny /sys/firmware/** rwklx, + deny /sys/kernel/security/** rwklx, + +{{if ge .Version 208095}} + # suppress ptrace denials when using using 'ps' inside a container + ptrace (trace,read) peer={{.Name}}, +{{end}} +} +` diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go new file mode 100644 index 000000000..6e8b7f312 --- /dev/null +++ b/pkg/apparmor/apparmor_linux.go @@ -0,0 +1,110 @@ +// +build linux,apparmor + +package apparmor + +import ( + "bufio" + "io" + "io/ioutil" + "os" + "path" + "strings" + "text/template" +) + +// profileData holds information about the given profile for generation. +type profileData struct { + // Name is profile name. + Name string + // Imports defines the apparmor functions to import, before defining the profile. + Imports []string + // InnerImports defines the apparmor functions to import in the profile. + InnerImports []string + // Version is the {major, minor, patch} version of apparmor_parser as a single number. + Version int +} + +// generateDefault creates an apparmor profile from ProfileData. +func (p *profileData) generateDefault(out io.Writer) error { + compiled, err := template.New("apparmor_profile").Parse(libpodProfileTemplate) + if err != nil { + return err + } + + if macroExists("tunables/global") { + p.Imports = append(p.Imports, "#include <tunables/global>") + } else { + p.Imports = append(p.Imports, "@{PROC}=/proc/") + } + + if macroExists("abstractions/base") { + p.InnerImports = append(p.InnerImports, "#include <abstractions/base>") + } + + ver, err := getVersion() + if err != nil { + return err + } + p.Version = ver + + return compiled.Execute(out, p) +} + +// macrosExists checks if the passed macro exists. +func macroExists(m string) bool { + _, err := os.Stat(path.Join(profileDirectory, m)) + return err == nil +} + +// InstallDefault generates a default profile in a temp directory determined by +// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'. +func InstallDefault(name string) error { + p := profileData{ + Name: name, + } + + // Install to a temporary directory. + f, err := ioutil.TempFile("", name) + if err != nil { + return err + } + profilePath := f.Name() + + defer f.Close() + defer os.Remove(profilePath) + + if err := p.generateDefault(f); err != nil { + return err + } + + return loadProfile(profilePath) +} + +// IsLoaded checks if a profile with the given name has been loaded into the +// kernel. +func IsLoaded(name string) (bool, error) { + file, err := os.Open("/sys/kernel/security/apparmor/profiles") + if err != nil { + if os.IsNotExist(err) { + return false, nil + } + return false, err + } + defer file.Close() + + r := bufio.NewReader(file) + for { + p, err := r.ReadString('\n') + if err == io.EOF { + break + } + if err != nil { + return false, err + } + if strings.HasPrefix(p, name+" ") { + return true, nil + } + } + + return false, nil +} diff --git a/pkg/apparmor/apparmor_unsupported.go b/pkg/apparmor/apparmor_unsupported.go new file mode 100644 index 000000000..0f1ab9464 --- /dev/null +++ b/pkg/apparmor/apparmor_unsupported.go @@ -0,0 +1,15 @@ +// +build !linux !apparmor + +package apparmor + +// InstallDefault generates a default profile in a temp directory determined by +// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'. +func InstallDefault(name string) error { + return ErrApparmorUnsupported +} + +// IsLoaded checks if a profile with the given name has been loaded into the +// kernel. +func IsLoaded(name string) (bool, error) { + return false, ErrApparmorUnsupported +} |