Hi Stéphane,
I can see at least three ways of escaping.
The first is using LXC through libvirt. I see that there's an Apparmor profile for usr.bin.lxc-start, but AFAIK libvirt does not use lxc-start. Also, libvirt does not load the "lxc-containers" profile (AFAIK).
This is proven by the fact that `cat /sys/kernel/security/apparmor/profiles` does not fail when done from within my LXC+libvirt guest.
Also, reading /etc/apparmor.d/abstractions/lxc/container-base I see that there are many deny rules, but you are missing at least two: /sys/kernel/uevent_helper and /sys/class/mem/null/uevent. See http://blog.bofh.it/debian/id_413 for a way of escaping using these two files.
Finally, while there are rules that deny reads and writes to /sys, there are no rules that stop me from, e.g., running `mount -t sysfs sysfs /tmp/sys` or bind-mounting /sys to another location. (I'm not sure about this point because, you know, I'm using libvirt and I cannot test.)
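The deny rules the comment says are missing, plus mount rules for the sysfs point, written as an AppArmor profile fragment. This is an added example, not part of the thread or of LXC's own container-base abstraction; it assumes an AppArmor build with mount-rule support, that /sys is already mounted by the container runtime before the profile is applied, and that /sys/class/mem/null resolves to the /sys/devices path shown.

```apparmor
  # Added example (not from the thread or from LXC's container-base):
  # closes the two sysfs paths named in the comment and the
  # "mount a fresh sysfs somewhere else" gap. Include after the
  # container-base abstraction in the container's profile.

  # Root cause of the uevent_helper escape: if the helper path cannot
  # be changed, triggering a uevent from inside the container gains
  # nothing.
  deny /sys/kernel/uevent_helper rwklx,

  # The trigger file named in the comment. /sys/class/mem/null is a
  # symlink and AppArmor matches the resolved path, so the target under
  # /sys/devices (assumed location on typical kernels) is denied too.
  deny /sys/class/mem/null/uevent rwklx,
  deny /sys/devices/virtual/mem/null/uevent rwklx,

  # A deny on /sys/** is useless if a fresh sysfs can be mounted at
  # another path, or /sys itself can be bind-mounted or moved there.
  # Deny rules take precedence over allow rules in AppArmor, so these
  # override any mount allowance granted earlier in the profile.
  # Assumes the runtime mounts /sys before the profile is applied,
  # so nothing inside the container needs to mount sysfs itself.
  deny mount fstype=sysfs,
  # Any mount whose source is /sys or something below it (bind, rbind,
  # move), whatever the flags.
  deny mount /sys/{,**},
```

From inside a running container, `cat /proc/self/attr/current` shows whether a profile is applied at all; "unconfined" there is the libvirt case the comment describes, and no profile rule helps until that is fixed.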