summaryrefslogtreecommitdiff
path: root/pkg/apparmor
diff options
context:
space:
mode:
authorValentin Rothberg <vrothberg@suse.com>2018-07-09 08:50:52 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-07-11 16:36:24 +0000
commit06ab343bd7c113fe761631142dde4829e8aa4d40 (patch)
tree0f38b5dd752683d59f9cfe335b748bf759a76a9c /pkg/apparmor
parent84cfdb20617ac7a5a1138375599e28cdad26b824 (diff)
downloadpodman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.gz
podman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.bz2
podman-06ab343bd7c113fe761631142dde4829e8aa4d40.zip
podman/libpod: add default AppArmor profile
Make users of libpod more secure by adding the libpod/apparmor package to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor come from github.com/moby/moby. Also check if a specified AppArmor profile is actually loaded and throw an error if necessary. The default profile is loaded only on Linux builds with the `apparmor` buildtag enabled. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1063 Approved by: rhatdan
Diffstat (limited to 'pkg/apparmor')
-rw-r--r--pkg/apparmor/aaparser.go90
-rw-r--r--pkg/apparmor/aaparser_test.go75
-rw-r--r--pkg/apparmor/apparmor.go54
-rw-r--r--pkg/apparmor/apparmor_linux.go110
-rw-r--r--pkg/apparmor/apparmor_unsupported.go15
5 files changed, 344 insertions, 0 deletions
diff --git a/pkg/apparmor/aaparser.go b/pkg/apparmor/aaparser.go
new file mode 100644
index 000000000..cec9c4885
--- /dev/null
+++ b/pkg/apparmor/aaparser.go
@@ -0,0 +1,90 @@
+// +build linux,apparmor
+
+package apparmor
+
+import (
+ "fmt"
+ "os/exec"
+ "strconv"
+ "strings"
+)
+
+const (
+ binary = "apparmor_parser"
+)
+
+// getVersion returns the major and minor version of apparmor_parser.
+func getVersion() (int, error) {
+ output, err := cmd("", "--version")
+ if err != nil {
+ return -1, err
+ }
+
+ return parseVersion(output)
+}
+
+// loadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
+func loadProfile(profilePath string) error {
+ _, err := cmd("", "-Kr", profilePath)
+ return err
+}
+
+// cmd runs `apparmor_parser` with the passed arguments.
+func cmd(dir string, arg ...string) (string, error) {
+ c := exec.Command(binary, arg...)
+ c.Dir = dir
+
+ output, err := c.CombinedOutput()
+ if err != nil {
+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
+ }
+
+ return string(output), nil
+}
+
+// parseVersion takes the output from `apparmor_parser --version` and returns
+// a representation of the {major, minor, patch} version as a single number of
+// the form MMmmPPP {major, minor, patch}.
+func parseVersion(output string) (int, error) {
+ // output is in the form of the following:
+ // AppArmor parser version 2.9.1
+ // Copyright (C) 1999-2008 Novell Inc.
+ // Copyright 2009-2012 Canonical Ltd.
+
+ lines := strings.SplitN(output, "\n", 2)
+ words := strings.Split(lines[0], " ")
+ version := words[len(words)-1]
+
+ // split by major minor version
+ v := strings.Split(version, ".")
+ if len(v) == 0 || len(v) > 3 {
+ return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
+ }
+
+ // Default the versions to 0.
+ var majorVersion, minorVersion, patchLevel int
+
+ majorVersion, err := strconv.Atoi(v[0])
+ if err != nil {
+ return -1, err
+ }
+
+ if len(v) > 1 {
+ minorVersion, err = strconv.Atoi(v[1])
+ if err != nil {
+ return -1, err
+ }
+ }
+ if len(v) > 2 {
+ patchLevel, err = strconv.Atoi(v[2])
+ if err != nil {
+ return -1, err
+ }
+ }
+
+ // major*10^5 + minor*10^3 + patch*10^0
+ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
+ return numericVersion, nil
+}
diff --git a/pkg/apparmor/aaparser_test.go b/pkg/apparmor/aaparser_test.go
new file mode 100644
index 000000000..9d97969c7
--- /dev/null
+++ b/pkg/apparmor/aaparser_test.go
@@ -0,0 +1,75 @@
+// +build linux,apparmor
+
+package apparmor
+
+import (
+ "testing"
+)
+
+type versionExpected struct {
+ output string
+ version int
+}
+
+func TestParseVersion(t *testing.T) {
+ versions := []versionExpected{
+ {
+ output: `AppArmor parser version 2.10
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+ version: 210000,
+ },
+ {
+ output: `AppArmor parser version 2.8
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+ version: 208000,
+ },
+ {
+ output: `AppArmor parser version 2.20
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+ version: 220000,
+ },
+ {
+ output: `AppArmor parser version 2.05
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+ version: 205000,
+ },
+ {
+ output: `AppArmor parser version 2.9.95
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+ version: 209095,
+ },
+ {
+ output: `AppArmor parser version 3.14.159
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+ version: 314159,
+ },
+ }
+
+ for _, v := range versions {
+ version, err := parseVersion(v.output)
+ if err != nil {
+ t.Fatalf("expected error to be nil for %#v, got: %v", v, err)
+ }
+ if version != v.version {
+ t.Fatalf("expected version to be %d, was %d, for: %#v\n", v.version, version, v)
+ }
+ }
+}
diff --git a/pkg/apparmor/apparmor.go b/pkg/apparmor/apparmor.go
new file mode 100644
index 000000000..1c205f68a
--- /dev/null
+++ b/pkg/apparmor/apparmor.go
@@ -0,0 +1,54 @@
+package apparmor
+
+import (
+ "errors"
+)
+
+var (
+ // profileDirectory is the file store for apparmor profiles and macros.
+ profileDirectory = "/etc/apparmor.d"
+ // DefaultLibpodProfile is the name of default libpod AppArmor profile.
+ DefaultLibpodProfile = "libpod-default"
+ // ErrApparmorUnsupported indicates that AppArmor support is not supported.
+ ErrApparmorUnsupported = errors.New("AppArmor is not supported")
+)
+
+const libpodProfileTemplate = `
+{{range $value := .Imports}}
+{{$value}}
+{{end}}
+
+profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+{{range $value := .InnerImports}}
+ {{$value}}
+{{end}}
+
+ network,
+ capability,
+ file,
+ umount,
+
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc/<number>/** or /proc/sys/**
+ deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/kcore rwklx,
+
+ deny mount,
+
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+{{if ge .Version 208095}}
+ # suppress ptrace denials when using using 'ps' inside a container
+ ptrace (trace,read) peer={{.Name}},
+{{end}}
+}
+`
diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go
new file mode 100644
index 000000000..6e8b7f312
--- /dev/null
+++ b/pkg/apparmor/apparmor_linux.go
@@ -0,0 +1,110 @@
+// +build linux,apparmor
+
+package apparmor
+
+import (
+ "bufio"
+ "io"
+ "io/ioutil"
+ "os"
+ "path"
+ "strings"
+ "text/template"
+)
+
+// profileData holds information about the given profile for generation.
+type profileData struct {
+ // Name is profile name.
+ Name string
+ // Imports defines the apparmor functions to import, before defining the profile.
+ Imports []string
+ // InnerImports defines the apparmor functions to import in the profile.
+ InnerImports []string
+ // Version is the {major, minor, patch} version of apparmor_parser as a single number.
+ Version int
+}
+
+// generateDefault creates an apparmor profile from ProfileData.
+func (p *profileData) generateDefault(out io.Writer) error {
+ compiled, err := template.New("apparmor_profile").Parse(libpodProfileTemplate)
+ if err != nil {
+ return err
+ }
+
+ if macroExists("tunables/global") {
+ p.Imports = append(p.Imports, "#include <tunables/global>")
+ } else {
+ p.Imports = append(p.Imports, "@{PROC}=/proc/")
+ }
+
+ if macroExists("abstractions/base") {
+ p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
+ }
+
+ ver, err := getVersion()
+ if err != nil {
+ return err
+ }
+ p.Version = ver
+
+ return compiled.Execute(out, p)
+}
+
+// macrosExists checks if the passed macro exists.
+func macroExists(m string) bool {
+ _, err := os.Stat(path.Join(profileDirectory, m))
+ return err == nil
+}
+
+// InstallDefault generates a default profile in a temp directory determined by
+// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
+func InstallDefault(name string) error {
+ p := profileData{
+ Name: name,
+ }
+
+ // Install to a temporary directory.
+ f, err := ioutil.TempFile("", name)
+ if err != nil {
+ return err
+ }
+ profilePath := f.Name()
+
+ defer f.Close()
+ defer os.Remove(profilePath)
+
+ if err := p.generateDefault(f); err != nil {
+ return err
+ }
+
+ return loadProfile(profilePath)
+}
+
+// IsLoaded checks if a profile with the given name has been loaded into the
+// kernel.
+func IsLoaded(name string) (bool, error) {
+ file, err := os.Open("/sys/kernel/security/apparmor/profiles")
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ defer file.Close()
+
+ r := bufio.NewReader(file)
+ for {
+ p, err := r.ReadString('\n')
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return false, err
+ }
+ if strings.HasPrefix(p, name+" ") {
+ return true, nil
+ }
+ }
+
+ return false, nil
+}
diff --git a/pkg/apparmor/apparmor_unsupported.go b/pkg/apparmor/apparmor_unsupported.go
new file mode 100644
index 000000000..0f1ab9464
--- /dev/null
+++ b/pkg/apparmor/apparmor_unsupported.go
@@ -0,0 +1,15 @@
+// +build !linux !apparmor
+
+package apparmor
+
+// InstallDefault generates a default profile in a temp directory determined by
+// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
+func InstallDefault(name string) error {
+ return ErrApparmorUnsupported
+}
+
+// IsLoaded checks if a profile with the given name has been loaded into the
+// kernel.
+func IsLoaded(name string) (bool, error) {
+ return false, ErrApparmorUnsupported
+}