From fe928c6b429ff25b9cc14bcf45db976db223ee34 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Thu, 23 May 2019 13:12:56 +0200 Subject: apparmor: don't load/set profile in privileged mode Commit 27f9e23a0b9e already prevents setting the profile when creating the spec but we also need to avoid loading and setting the profile when creating the container. Fixes: #3112 Signed-off-by: Valentin Rothberg --- libpod/container_internal_linux.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c5e404155..f25f76092 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -25,7 +25,7 @@ import ( "github.com/containers/libpod/pkg/lookup" "github.com/containers/libpod/pkg/resolvconf" "github.com/containers/libpod/pkg/rootless" - "github.com/cyphar/filepath-securejoin" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } // Apply AppArmor checks and load the default profile if needed. - updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) - if err != nil { - return nil, err + if !c.config.Privileged { + updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile) + if err != nil { + return nil, err + } + g.SetProcessApparmorProfile(updatedProfile) } - g.SetProcessApparmorProfile(updatedProfile) if err := c.makeBindMounts(); err != nil { return nil, err -- cgit v1.2.3-54-g00ecf From bcbf5c48940e543b39385bc1e137ca7b5d5ad9dd Mon Sep 17 00:00:00 2001 
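Review bot: The new `if !c.config.Privileged` guard in generateSpec silently leaves the spec's ApparmorProfile alone for privileged containers without saying why, which invites a future "fix" that re-adds the call; a short comment would anchor the intent, e.g. `// Privileged containers run unconfined: do not validate, load or set an AppArmor profile (see #3112).` The branch also skips CheckProfileAndLoadDefault for a profile the user asked for explicitly via --security-opt, so such a request is dropped without validation or notice here — if that is deliberate (Docker, as far as I recall, still honors an explicitly named profile under --privileged), the comment should say so and the CLI should at least warn. The code further relies on commit 27f9e23a0b9e having already blanked c.config.Spec.Process.ApparmorProfile rather than clearing it in this branch; if that invariant ever breaks, a stale value would reach the runtime unvalidated, so consider an explicit `g.SetProcessApparmorProfile("")` or a comment naming the dependency. generateSpec begins and ends outside the hunk.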
From: Valentin Rothberg Date: Thu, 23 May 2019 13:24:51 +0200 Subject: baseline tests: apparmor with --privileged https://github.com/containers/libpod/issues/3112 has revealed a regression in apparmor when running privileged containers where the profile must not be set or loaded. Add a simple test to avoid potential future regressions. Signed-off-by: Valentin Rothberg --- test/test_podman_baseline.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/test/test_podman_baseline.sh b/test/test_podman_baseline.sh index 5c24229bb..92bc8e20c 100755 --- a/test/test_podman_baseline.sh +++ b/test/test_podman_baseline.sh @@ -504,6 +504,16 @@ EOF echo "failed" fi + #Expected to pass (as root with --privileged). + #Note that the profile should not be loaded letting the mount succeed. + podman run --privileged docker.io/library/alpine:latest sh -c "mkdir tmp2; mount --bind tmp tmp2" + rc=$? + echo -n "root with specified AppArmor profile but --privileged: " + if [ $rc == 0 ]; then + echo "passed" + else + echo "failed" + fi #Expected to fail (as rootless) sudo -u "#1000" podman run --security-opt apparmor=$aaProfile docker.io/library/alpine:latest echo hello rc=$? -- cgit v1.2.3-54-g00ecf From 1910118de988c8698a2d6a6eaf666dc958e454fe Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Fri, 24 May 2019 15:37:42 +0200 Subject: warn when --security-opt and --privileged Log a warning when --security-opt and --privileged are used together to indicate that it has no effect since --privileged will set everything. To avoid regressions, only warn, do not error out and do not print on error level. Signed-off-by: Valentin Rothberg --- cmd/podman/create.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cmd/podman/create.go b/cmd/podman/create.go index cb3ba14c5..2351f5860 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go 
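Review bot: The added `podman run --privileged ...` invocation never passes `--security-opt apparmor=$aaProfile`, yet its label reads "root with specified AppArmor profile but --privileged", so the test does not reproduce the #3112 scenario (profile explicitly requested plus --privileged) and would have passed before the fix as well. Change the command to `podman run --privileged --security-opt apparmor=$aaProfile docker.io/library/alpine:latest sh -c "mkdir tmp2; mount --bind tmp tmp2"` so the test actually guards against the regression. The comment above it could then state the contract precisely: `#--privileged must win over an explicitly requested profile: nothing is loaded or set, so the bind mount succeeds.` The enclosing test section starts before this hunk.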
@@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/pkg/adapter" "github.com/opentracing/opentracing-go" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) @@ -72,6 +73,10 @@ func createInit(c *cliconfig.PodmanCommand) error { defer span.Finish() } + if c.IsSet("privileged") && c.IsSet("security-opt") { + logrus.Warn("setting security options with --privileged has no effect") + } + // Docker-compatibility: the "-h" flag for run/create is reserved for // the hostname (see https://github.com/containers/libpod/issues/1367). -- cgit v1.2.3-54-g00ecf
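Review bot: `c.IsSet("privileged") && c.IsSet("security-opt")` tests flag presence, not value, so `--privileged=false --security-opt ...` also logs "has no effect" even though the options are honored in that case; if cliconfig exposes the parsed value (it appears to wrap cobra/pflag, where a `c.Bool("privileged")` accessor is typical), prefer `if c.Bool("privileged") && c.IsSet("security-opt")`. The message should also name the flag being ignored so users can find it in their command line, e.g. `logrus.Warn("--security-opt has no effect when --privileged is set")`. The claim that --privileged overrides every --security-opt value (apparmor, seccomp, label, no-new-privileges) comes from the commit message rather than from code visible here; if some of those options still apply under --privileged, narrow the wording to the ones actually overridden. createInit starts before and ends after this hunk.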