Merge pull request #836 from hallyn/2016-02-21/cgns.aa

2016 02 21/cgns.aa

Merge pull request #836 from hallyn/2016-02-21/cgns.aa
7bf0dbae · Stéphane Graber · 82d97f87 · f58236fd · 7bf0dbae · 7bf0dbae
Commit 7bf0dbae authored Feb 22, 2016 by Stéphane Graber
8 changed files
--- a/config/apparmor/Makefile.am
+++ b/config/apparmor/Makefile.am
@@ -7,6 +7,7 @@ EXTRA_DIST = \
 	lxc-containers \
 	lxc-generate-aa-rules.py \
 	profiles/lxc-default \
+	profiles/lxc-default-cgns \
 	profiles/lxc-default-with-mounting \
 	profiles/lxc-default-with-nesting \
 	usr.bin.lxc-start
@@ -20,6 +21,7 @@ install-apparmor:
 	$(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
 	$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
 	$(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+	$(INSTALL_DATA) profiles/lxc-default-cgns $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 	$(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 	$(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 	$(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
@@ -30,6 +32,7 @@ uninstall-apparmor:
 	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
 	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
 	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-cgns
 	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
 	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
 	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base

--- a/config/apparmor/profiles/lxc-default-cgns
+++ b/config/apparmor/profiles/lxc-default-cgns
+# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/lxc/container-base>
+  # the container may never be allowed to mount devpts.  If it does, it
+  # will remount the host's devpts.  We could allow it to do it with
+  # the newinstance option (but, right now, we don't).
+  deny mount fstype=devpts,
+  mount fstype=cgroup -> /sys/fs/cgroup/**,
+}
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -5,12 +5,10 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
-#  Uncomment the line below if you are not using cgmanager
-#  mount fstype=cgroup -> /sys/fs/cgroup/**,
  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
+  mount fstype=cgroup -> /sys/fs/cgroup/**,
 }
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1169,7 +1169,9 @@ proc proc proc nodev,noexec,nosuid 0 0
        If lxc was compiled and installed with apparmor support, and the host
        system has apparmor enabled, then the apparmor profile under which the
        container should be run can be specified in the container
-        configuration.  The default is <command>lxc-container-default</command>.
+        configuration.  The default is <command>lxc-container-default-cgns</command>
+	if the host kernel is cgroup namespace aware, or
+	<command>lxc-container-default</command> othewise.
      </para>
      <variablelist>
        <varlistentry>
@@ -1183,6 +1185,11 @@ proc proc proc nodev,noexec,nosuid 0 0
              use
            </para>
              <programlisting>lxc.aa_profile = unconfined</programlisting>
+            <para>
+              If the apparmor profile should remain unchanged (i.e. if you
+	      are nesting containers and are already confined), then use
+            </para>
+              <programlisting>lxc.aa_profile = unchanged</programlisting>
          </listitem>
        </varlistentry>
        <varlistentry>

--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -31,6 +31,7 @@
 #include "log.h"
 #include "lsm/lsm.h"
 #include "conf.h"
+#include "utils.h"
 lxc_log_define(lxc_apparmor, lxc);
@@ -40,6 +41,7 @@ static int aa_enabled = 0;
 static int mount_features_enabled = 0;
 #define AA_DEF_PROFILE "lxc-container-default"
+#define AA_DEF_PROFILE_CGNS "lxc-container-default-cgns"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
 #define AA_UNCHANGED "unchanged"
@@ -202,8 +204,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 	free(curlabel);
 	if (!label) {
-		if (use_default)
+		if (use_default) {
-			label = AA_DEF_PROFILE;
+			if (cgns_supported())
+				label = AA_DEF_PROFILE_CGNS;
+			else
+				label = AA_DEF_PROFILE;
+		}
 		else
 			label = "unconfined";
 	}

--- a/src/tests/attach.c
+++ b/src/tests/attach.c
@@ -23,6 +23,7 @@
 #include "lxc/utils.h"
 #include "lxc/lsm/lsm.h"
+#include <sys/types.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <errno.h>
@@ -39,6 +40,13 @@
 static const char *lsm_config_key = NULL;
 static const char *lsm_label = NULL;
+bool file_exists(const char *f)
+{
+	struct stat statbuf;
+	return stat(f, &statbuf) == 0;
+}
 static void test_lsm_detect(void)
 {
 	if (lsm_enabled()) {
@@ -48,7 +56,10 @@ static void test_lsm_detect(void)
 		}
 		else if (!strcmp(lsm_name(), "AppArmor")) {
 			lsm_config_key = "lxc.aa_profile";
-			lsm_label      = "lxc-container-default";
+			if (file_exists("/proc/self/ns/cgroup"))
+				lsm_label      = "lxc-container-default-cgns";
+			else
+				lsm_label      = "lxc-container-default";
 		}
 		else {
 			TSTERR("unknown lsm %s enabled, add test code here", lsm_name());

--- a/src/tests/lxc-test-apparmor-mount
+++ b/src/tests/lxc-test-apparmor-mount
@@ -23,6 +23,12 @@
 set -e
+if [ -f /proc/self/ns/cgroup ]; then
+	default_profile="lxc-container-default-cgns (enforce)"
+else
+	default_profile="lxc-container-default (enforce)"
+fi
 FAIL() {
 	echo -n "Failed " >&2
 	echo "$*" >&2
@@ -144,7 +150,7 @@ run_cmd lxc-start -n $cname -d
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`
 profile=`cat /proc/$pid/attr/current`
-if [ "x$profile" != "xlxc-container-default (enforce)" ]; then
+if [ "x$profile" != "x${default_profile}" ]; then
 	echo "FAIL: confined container was in profile $profile"
 	exit 1
 fi
@@ -203,7 +209,7 @@ if [ "$pid" = "-1" ]; then
 	exit 1
 fi
 profile=`cat /proc/$pid/attr/current`
-if [ "x$profile" != "xlxc-container-default (enforce)" ]; then
+if [ "x$profile" != "x${default_profile}" ]; then
 	echo "FAIL: confined container was in profile $profile"
 	exit 1
 fi

--- a/src/tests/lxc-test-ubuntu
+++ b/src/tests/lxc-test-ubuntu
@@ -65,7 +65,9 @@ for template in ubuntu ubuntu-cloud; do
 	# Check apparmor
 	lxcpid=`lxc-info -n $name -p -H`
 	aa=`cat /proc/$lxcpid/attr/current`
-	if [ "$aa" != "lxc-container-default-with-nesting (enforce)" -a "$aa" != "lxc-container-default (enforce)" ]; then
+	if [ "$aa" != "lxc-container-default-with-nesting (enforce)" -a \
+			"$aa" != "lxc-container-default-cgns (enforce)" -a \
+			"$aa" != "lxc-container-default (enforce)" ]; then
 		FAIL " to correctly set apparmor profile (profile is \"$aa\")"
 	fi
 	lxc-stop -n $name -k