apparmor: Add profiles

config/Makefile.am

-SUBDIRS = etc init templates
+SUBDIRS = apparmor etc init templates

config/apparmor/Makefile.am

+EXTRA_DIST = \
+	abstractions/container-base \
+	abstractions/start-container \
+	profiles/lxc-default \
+	profiles/lxc-default-with-mounting \
+	profiles/lxc-default-with-nesting \
+	lxc-containers \
+	usr.bin.lxc-start
+
+if ENABLE_APPARMOR
+install-apparmor:
+	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
+	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
+	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+	$(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
+	$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
+	$(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+	$(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+	$(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+	$(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
+	$(INSTALL_DATA) usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/
+
+uninstall-apparmor:
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.bin.lxc-start
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
+	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ || :
+	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ || :
+	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/ || :
+
+install-data-local: install-apparmor
+uninstall-local: uninstall-apparmor
+endif

config/apparmor/abstractions/container-base

+  network,
+  capability,
+  file,
+  umount,
+  dbus,
+
+  # ignore DENIED message on / remount
+  deny mount options=(ro, remount) -> /,
+
+  # allow tmpfs mounts everywhere
+  mount fstype=tmpfs,
+
+  # allow mqueue mounts everywhere
+  mount fstype=mqueue,
+
+  # allow fuse mounts everywhere
+  mount fstype=fuse.*,
+
+  # allow bind mount of /lib/init/fstab for lxcguest
+  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+
+  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+  deny @{PROC}/sys/fs/** wklx,
+
+  # allow efivars to be mounted, writing to it will be blocked though
+  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+  # block some other dangerous paths
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+  deny @{PROC}/sys/kernel/*/** wklx,
+
+  # deny writes in /sys except for /sys/fs/cgroup, also allow
+  # fusectl, securityfs and debugfs to be mounted there (read-only)
+  mount fstype=fusectl -> /sys/fs/fuse/connections/,
+  mount fstype=securityfs -> /sys/kernel/security/,
+  mount fstype=debugfs -> /sys/kernel/debug/,
+  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+  mount fstype=proc -> /proc/,
+  mount fstype=sysfs -> /sys/,
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,

config/apparmor/abstractions/start-container

+  network,
+  capability,
+  file,
+  dbus,
+
+  # currently blocked by apparmor bug
+  mount -> /usr/lib/*/lxc/{**,},
+  mount -> /usr/lib/lxc/{**,},
+  mount fstype=devpts -> /dev/pts/,
+  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+  mount fstype=debugfs,
+  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
+  mount -> /var/lib/lxc/{**,},
+
+  # required for some pre-mount hooks (like the new lxc-start-ephemeral)
+  mount fstype=overlayfs,
+  mount fstype=aufs,
+  mount fstype=ecryptfs,
+
+  # all umounts are under the original root's /mnt, but right now we
+  # can't allow those umounts after pivot_root.  So allow all umounts
+  # right now.  They'll be restricted for the container at least.
+  umount,
+  #umount /mnt/{**,},
+
+  pivot_root /usr/lib/*/lxc/,
+  pivot_root /usr/lib/lxc/root/,
+
+  change_profile -> lxc-*,
+  change_profile -> unconfined,

config/apparmor/lxc-containers

+# This file exists only to ensure that all per-container policies
+# listed under /etc/apparmor.d/lxc get loaded at boot.  Please do
+# not edit this file.
+
+#include <tunables/global>
+
+#include <lxc>

config/apparmor/profiles/lxc-default

+# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/lxc/container-base>
+
+  # the container may never be allowed to mount devpts.  If it does, it
+  # will remount the host's devpts.  We could allow it to do it with
+  # the newinstance option (but, right now, we don't).
+  deny mount fstype=devpts,
+}

config/apparmor/profiles/lxc-default-debootstrap

+# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-builder flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/lxc/container-base>
+
+  # pbuilder
+  mount options=(rw,bind) -> /var/cache/pbuilder/**,
+  mount fstype=devpts -> /var/cache/pbuilder/**,
+  mount fstype=proc -> /var/cache/pbuilder/**,
+  mount fstype=sysfs -> /var/cache/pbuilder/**,
+
+  # sbuild
+  mount options=(rw,bind) -> /var/lib/schroot/**,
+  mount fstype=devpts -> /var/lib/schroot/**,
+  mount fstype=proc -> /var/lib/schroot/**,
+  mount fstype=sysfs -> /var/lib/schroot/**,
+}

config/apparmor/profiles/lxc-default-with-mounting

+# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/lxc/container-base>
+
+# allow standard blockdevtypes.
+# The concern here is in-kernel superblock parsers bringing down the
+# host with bad data.  However, we continue to disallow proc, sys, securityfs,
+# etc to nonstandard locations.
+  mount fstype=ext*,
+  mount fstype=xfs,
+  mount fstype=btrfs,
+}

config/apparmor/profiles/lxc-default-with-nesting

+# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/lxc/container-base>
+  #include <abstractions/lxc/start-container>
+
+  mount fstype=cgroup -> /sys/fs/cgroup/**,
+
+  mount fstype=proc -> /var/cache/lxc/**,
+  mount fstype=sysfs -> /var/cache/lxc/**,
+  mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,
+}

config/apparmor/usr.bin.lxc-start

+#include <tunables/global>
+
+/usr/bin/lxc-start flags=(attach_disconnected) {
+  #include <abstractions/lxc/start-container>
+}

configure.ac

@@ -547,6 +547,7 @@ AC_CONFIG_FILES([
 	lxc.spec
 
 	config/Makefile
+	config/apparmor/Makefile
 	config/init/Makefile
 	config/init/sysvinit/Makefile
 	config/init/systemd/Makefile