-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Start unprivileged container without root with an apparmor profile #4358
Comments
Hi @raldone01 Sorry for long delay with reply.
You need to have So, no, you can't manage apparmor from an unprivileged user. As far as I remember there is a feature (apparmor stacking) that allows you to create a stacked profiles inside the user namespace. But it is another story anyways. If you are unprivileged, there is not so much sense to user AppArmor at all. Why do you want to do that? |
It has been a while. I don't remember the exact reasons but I think I was under the impression that apparmor confinement was necessary for safe operation. So using an unprivileged user with USER_NS was less safe than using a privileged user with apparmor confinement. Lets say I host a webserver in a LXC container and an attacker gains RCE on it.
No vulnerable mounts/reachable services exist... |
I don't think so. unprivileged user + user namespace is a very-very safe thing. And this is an upstream Linux kernel default option, so all the vulnerability researchers are paying attention to this configuration all the time. That's why this combo has so big history of CVEs. But that's a sign of a big attention to it! It does not mean that this is an ugly combo from a security standpoint. If we speak about AppArmor, I makes sense to say that AppArmor is just a specific LSM module for Linux kernel. Not so many eyes looking at it and not so many researchers as a consequence. It's a classical https://en.wikipedia.org/wiki/Survivorship_bias ;-)
You mean "privileged container" right? Privileged container means that container is not using user namespace at all.
Yep, it means that root inside the container, is just a regular user on the host. All the security tricks in this case comes
hm, yep, there is a confusion about naming. Let's try to sort this out:
Once you create a user namespace, then you lose all the capabilities in the initial user namespace. For example:
or
There is no difference from the capabilities perspective at all! The only difference would be that in first case uid 0 inside the user namespace will be uid 0 outside. In 2nd case uid 0 inside the user namespace will be uid 1000 (if a user "user" has uid 1000). But from the permissions perspective there is no difference at all! Because uid 0 does not mean that you have a power of root. Power of root is about having capabilities, not UID! Let's get back to your list of options A, B, C and ordering. I can't say anything about C because it's not clear what it means. I'm pretty sure that Stéphane has something to add :-) |
My terminology was not clear. I wasn't talking about privileged containers at all. Let me try again: Lets say I host a webserver in a LXC container and an attacker gains RCE on it.
No vulnerable mounts/reachable services exist... With [C] I meant to use subui/subgids with the root user and launching containers with it. I think for my use case option [B] is best then. Maybe a short sentence in the docs would be nice mentioning that More information is always appreciated. |
Thanks for the clarification - fwiw, [a] is imo not safe. [c] certainly is possible. There is also [D]: Container launched by un unpriv user and confined. That is, of course, the safest. |
So to achieve [D] I would have to give the unprivileged user the Edit and a bit off topic I guess: |
Sorry I probably shouldn't have jumped in. Yes, to load newly generated or ad-hoc policies requires CAP_MAC_ADMIN, and you do not want to give that to users. What you can do is load custom policies for them in advance. Then the users can start containers using those policies at any time. This is generally the norm: unprivileged containers are not actually un-confined, but are confined by a rather general policy. |
Thanks. I learned a few things. So if I go back to my original issue:
How would I start a container with this general profile?
Simply omitting
|
Required information
❯ lxc-start --version 5.0.3 ❯ uname -a Linux argon 6.5.6-arch2-1 #1 SMP PREEMPT_DYNAMIC Sat, 07 Oct 2023 08:14:55 +0000 x86_64 GNU/Linux ❯ cat /proc/self/cgroup 0::/user.slice/user-1000.slice/session-3.scope
Issue description
Running an unprivileged user with app armor confinement fails.
Is it possible to run an unprivileged container with confinement?
The text was updated successfully, but these errors were encountered: