Commit graph

28 commits

Author SHA1 Message Date
Phil Sphicas
66f14e4ae9 Fix AppArmor profile docker-default /proc/sys rule
The current docker-default AppArmor profile intends to block write
access to everything in `/proc`, except for `/proc/<pid>` and
`/proc/sys/kernel/shm*`.

Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:

    deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]*     }/** w,
         /proc  / s     y     s     /     kernel /shmmax

This patch updates the rule so that it works as intended.

Closes #39791

Signed-off-by: Phil Sphicas <phil.sphicas@att.com>
2022-06-30 21:12:58 +02:00
Eng Zer Jun
c55a4ac779
refactor: move from io/ioutil to io and os package
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-27 14:56:57 +08:00
Sebastiaan van Stijn
686be57d0a
Update to Go 1.17.0, and gofmt with Go 1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-24 23:33:27 +02:00
Aleksa Sarai
725eced4e0
apparmor: permit signals from unconfined programs
Otherwise if you try to kill a container process from the host directly,
you get EACCES. Also add a comment to make sure that the profile code
(which has been replicated by several projects) doesn't get out of sync.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-08-11 18:18:58 +10:00
Goldwyn Rodrigues
b36455258f apparmor: allow readby and tracedby
Fixes audit errors such as:

type=AVC msg=audit(1550236803.810:143):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=3181 comm="ps" requested_mask="readby" denied_mask="readby"
peer="docker-default"

audit(1550236375.918:3): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=2267 comm="ps"
requested_mask="tracedby" denied_mask="tracedby"
peer="docker-default"

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
2019-04-22 09:11:50 -05:00
Aleksa Sarai
4822fb1e24
apparmor: allow receiving of signals from 'docker kill'
In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-09-13 02:06:56 +10:00
Daniel Nephin
4f0d95fa6e Add canonical import comment
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:51:57 -05:00
Tycho Andersen
b4a6ccbc5f drop useless apparmor denies
These files don't exist under proc so this rule does nothing.

They are protected against by docker's default cgroup devices since they're
both character devices and not explicitly allowed.

Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-10-06 09:11:59 -06:00
Vincent Demeester
9ef3b53597
Move pkg/templates away
- Remove unused function and variables from the package
- Remove usage of it from `profiles/apparmor` where it wasn't required
- Move the package to `daemon/logger/templates` where it's only used

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-08-08 18:16:41 +02:00
Sebastiaan van Stijn
b9ee31ae02 Merge pull request #29314 from vdemeester/no-more-utils
Remove the utils package
2016-12-22 15:21:05 +01:00
Xianglin Gao
da5d3cccc4 Get rid of err altogether by just returning the assignment
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-13 14:25:57 +08:00
Victor Vieux
96a84ed85a Merge pull request #29130 from cyphar/29097-dynamically-reload-apparmor
daemon: switch to 'ensure' workflow for AppArmor profiles
2016-12-12 13:32:36 -08:00
Vincent Demeester
04f7a03359
Move templates to pkg/templates
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-12 09:34:03 +01:00
Aleksa Sarai
e440a57a79
apparmor: switch IsLoaded to return bool
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-12-06 00:10:08 +11:00
Xianglin Gao
2ab8f2e389 fix apparmor load profile
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-11-29 15:48:38 +08:00
allencloud
3dca62cfb1 remove redundant file Close
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-11-18 17:50:02 +08:00
Christopher Jones
1a702111c6
Fix apparmor profile installation
Fixes #26823

Fixes an issue where apparmor was not loaded into the kernel, because
apparmor_parser was being called incorrectly.

Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2016-09-29 18:47:20 -05:00
Akihiro Suda
693b4ac67a apparmor: prohibit /sys/firmware/** from being accessed
Some firmware information including SMBIOS and ACPI tables were unexpectedly exposed

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-16 02:21:31 +00:00
Aleksa Sarai
2f7596aaef
apparmor: do not save profile to /etc/apparmor.d
Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people using apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.

Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-09-13 16:25:16 +10:00
allencloud
0ead624473 add defer file.Close to avoid potential fd leak
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-08-10 08:36:09 +08:00
Aleksa Sarai
d274456f3e profiles: apparmor: actually calculate version
In order to check that we can have the `ptrace` rule, we need to
actually calculate the version of apparmor_parser.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-20 19:03:19 +11:00
Aleksa Sarai
64fb664908 profiles: apparmor: remove unused fields
ExecPath isn't used by anything, and the signal apparmor rule isn't used
because it refers to a peer that we don't ship.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-20 19:01:49 +11:00
Alexander Morozov
943ae26bc0 Merge pull request #20958 from calavera/basic_function_templates
Provide basic string manipulation functions for template executions.
2016-03-10 08:08:32 -08:00
allencloud
34b82a69b9 fix some typos.
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-03-10 10:09:27 +08:00
David Calavera
8514880997 Provide basic string manupilation functions for template executions.
This change centralizes the template manipulation in a single package
and adds basic string functions to their execution.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-09 19:37:12 -05:00
Aleksa Sarai
284d9d451e apparmor: use correct version for ptrace denial suppression
Ubuntu ships apparmor_parser 2.9 erroniously as "2.8.95". Fix the
incorrect version check for >=2.8, when in fact 2.8 deosn't support the
required feature.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-15 20:36:29 +11:00
Aleksa Sarai
4bf7a84c96 apparmor: fix version checks to work properly
Using {{if major}}{{if minor}} doesn't work as expected when the major
version changes. In addition, this didn't support patch levels (which is
necessary in some cases when distributions ship apparmor weirdly).

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-15 20:36:07 +11:00
Jessica Frazelle
35e50119fc
move default apparmor policy into package
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-21 16:55:27 -08:00