Commit graph

22 commits

Author SHA1 Message Date
Sebastiaan van Stijn
f445ee1e6c
contrib/apparmor: remove remaining version-conditionals (< 2.9) from template
Commit 2e19a4d56b removed all other version-
conditional statements from the AppArmor template, but left this one in place.

These conditions were added in 8cf89245f5
to account for old versions of debian/ubuntu (apparmor_parser < 2.9)
that lacked some options;

> This allows us to use the apparmor profile we have in contrib/apparmor/
> and solves the problems where certain functions are not apparent on older
> versions of apparmor_parser on debian/ubuntu.

Those patches were from 2015/2016, and all currently supported distro
versions should now have more current versions than that. Looking at the
oldest supported versions;

Ubuntu 18.04 "Bionic":

    apparmor_parser --version
    AppArmor parser version 2.12
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2012 Canonical Ltd.

Debian 10 "Buster"

    apparmor_parser --version
    AppArmor parser version 2.13.2
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2018 Canonical Ltd.

This patch removes the remaining conditionals.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-08 13:17:59 +02:00
Sebastiaan van Stijn
2e19a4d56b
contrib/apparmor: remove version-conditionals (< 2.9) from template
These conditions were added in 8cf89245f5
to account for old versions of debian/ubuntu (apparmor_parser < 2.9)
that lacked some options;

> This allows us to use the apparmor profile we have in contrib/apparmor/
> and solves the problems where certain functions are not apparent on older
> versions of apparmor_parser on debian/ubuntu.

Those patches were from 2015/2016, and all currently supported distro
versions should now have more current versions than that. Looking at the
oldest supported versions;

Ubuntu 18.04 "Bionic":

    apparmor_parser --version
    AppArmor parser version 2.12
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2012 Canonical Ltd.

Debian 10 "Buster"

    apparmor_parser --version
    AppArmor parser version 2.13.2
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2018 Canonical Ltd.

This patch removes the conditionals.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-08 18:05:02 +01:00
Sebastiaan van Stijn
404d87ec69
AppArmor: add missing rules for running in userns
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-30 16:17:13 +02:00
Sebastiaan van Stijn
e553a03627
AppArmor: remove rules for linkgraph.db SQLite database
Commit 0f9f99500c removed the
use of SQLite for managing container links, and commit
f8119bb7a7 removed the migration
tool, and SQLite dependency.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 17:19:21 +02:00
Aleksa Sarai
4bf7a84c96 apparmor: fix version checks to work properly
Using {{if major}}{{if minor}} doesn't work as expected when the major
version changes. In addition, this didn't support patch levels (which is
necessary in some cases when distributions ship apparmor weirdly).

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-15 20:36:07 +11:00
Thomas Sjögren
602498d1b0 add /bin/tar to apparmor profile
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-12-23 18:11:16 +01:00
Tibor Vass
cd648dce3a Merge pull request #18242 from jfrazelle/i-have-no-idea
Remove ipc rule in docker-engine apparmor profile
2015-12-11 11:23:41 +01:00
Jessica Frazelle
f8db9a09e0
check version for docker-default aa profile
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-11-30 10:18:12 -08:00
Jessica Frazelle
68c9ebdf1f
Remove ipc rule in docker-engine apparmor profile
On a ubuntu 15.04 machine with apparmor_parser version 2.10 I get
```
Syntax Error: Unknown line found in file:
/etc/apparmor.d/docker-engine line: 26
```
when running `aa-complain /etc/apparmor.d/docker-engine`.

It's super weird because ipc is documented in the apparmor manual, but it
doesnt seem to be working at all. Tested on a few servers.

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-11-25 11:32:00 -08:00
Stefan Berger
6079d9d6a3
Policy extensions for user namespaces and docker exec
A few additions to the policy when running with user namespaces enabled
and when running 'docker exec'.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2015-11-23 15:19:45 -08:00
Stefan Berger
02411987ff More Rules for AppArmor
This patch addresses the following AppArmor complains:

type=AVC msg=audit(1445537397.873:547): apparmor="ALLOWED" operation="mount"
  info="failed srcname match" error=-13 profile="/usr/bin/docker"
  name="/.pivot_root602836504/" pid=11512 comm="exe" flags="rw, rprivate"

type=AVC msg=audit(1445537265.325:502): apparmor="ALLOWED"
  operation="file_lock" profile="/usr/bin/docker"
  name="/var/lib/docker/network/files/local-kv.db" pid=9574 comm="docker"
  requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2015-11-05 11:06:18 -05:00
Jessica Frazelle
8cf89245f5
change default docker-engine profile to a template based on apparmor_parser version
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-10-19 16:15:18 -07:00
Stefan Berger
f5be0821cf contrib: Adjustments to AppArmor docker engine policy for docker 1.9
This patch contains a few extensions for the AppArmor docker engine
policy for docker 1.9.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2015-10-08 10:08:53 -04:00
Stefan Berger
9dbc36b441 contrib: Extend engine apparmor profile for tools needed by devicemapper
Add tools to the apparmor profile that are needed when -s devicemapper is
in the docker daemon's command line.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
2015-07-30 06:45:57 -04:00
Eric Windisch
6c887be769 Mark engine AA policy as complain-only
The engine policy will now only complain
as a temporary measure to ensure we do not
cause breakages while users exercise this
policy.

This is NOT the policy for containers, but
for the newly-introduced policy for the
daemon itself.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:53 -04:00
Eric Windisch
8b2fcddcd2 AA: Eliminate 'file' permission
Implements the policies for the remaining binaries
called by the Docker engine and eliminates the
giant whitelisted 'all files' permission in favor
of granular whitelisting and child-specific policies.

It should be possible now to remove the 'file' permission,
but for the sake of keeping Docker unbroken, we'll try
to gradually tighten the policy.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:53 -04:00
Eric Windisch
3edc88f76d Restore AppArmor profile generation
Will attempt to load profiles automatically. If loading fails
but the profiles are already loaded, execution will continue.

A hard failure will only occur if Docker cannot load
the profiles *and* they have not already been loaded via
some other means.

Also introduces documentation for AppArmor.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:51 -04:00
David Calavera
94ab0d312f Revert "Introduce a dedicated unconfined AA policy"
This reverts commit 87376c3add.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-07-24 16:35:51 -07:00
David Calavera
ac9fc03c74 Merge pull request #14855 from ewindisch/apparmor-unconfined
Introduce a dedicated unconfined AA policy
2015-07-23 10:21:51 -07:00
Eric Windisch
39dae54a3f Add AppArmor policy for the engine
Wraps the engine itself with an AppArmor policy.

This restricts what may be done by applications
we call out to, such as 'xz'.

Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.

Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-22 14:20:50 -04:00
Eric Windisch
87376c3add Introduce a dedicated unconfined AA policy
By using the 'unconfined' policy for privileged
containers, we have inherited the host's apparmor
policies, which really make no sense in the
context of the container's filesystem.

For instance, policies written against
the paths of binaries such as '/usr/sbin/tcpdump'
can be easily circumvented by moving the binary
within the container filesystem.

Fixes GH#5490

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-22 11:28:32 -04:00
Eric Windisch
80d99236c1 Move AppArmor policy to contrib & deb packaging
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.

- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-21 11:05:53 -04:00