
AppArmor: allow more read-only bind remounts

Open enr0n opened this issue 1 year ago • 6 comments

There is already a set of rules to allow mounts with

options=(ro,remount,bind,nosuid,noexec,nodev).

Expand on this slightly by also allowing mounts with

options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow).

Without this change, systemd hits an AppArmor denial when attempting to set up credentials for a service[1].

[1] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2046486

Note: The version of apparmor_parser in the core22 snap does not understand the nosymfollow mount option. E.g., if I try to expand the policy manually:

$ lxc config set systemd-lxc raw.apparmor "mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/shm,"
Error: Parse AppArmor profile: Failed to run: apparmor_parser -QWL /var/snap/lxd/common/lxd/security/apparmor/cache /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-systemd-lxc: exit status 1 (unsupported mount options)

So I guess this couldn't actually be included until the lxd snap is based on core24?

enr0n avatar Jan 04 '24 19:01 enr0n

@enr0n I am working on updating the LXD snap to use core24 now actually, although we won't be able to merge this until core24 is out of edge.

tomponline avatar Jan 05 '24 09:01 tomponline

@enr0n @mihalicyn this also looks like it's going to play havoc with our tests which are based on ubuntu 22.04. I wonder if there is a way to use a newer apparmor parser in 22.04.

tomponline avatar Jan 05 '24 09:01 tomponline

@enr0n is there any value in landing an earlier version of this without the nosymfollow option before we switch to core24?

tomponline avatar Jan 17 '24 10:01 tomponline

> @enr0n is there any value in landing an earlier version of this without the nosymfollow option before we switch to core24?

No, there is already a rule for this set of options minus nosymfollow.

enr0n avatar Jan 17 '24 14:01 enr0n

Gentle ping. There are more services in systemd utilizing credentials (namely systemd-networkd and systemd-journald) in v256, so this issue will become more apparent.

enr0n avatar May 10 '24 19:05 enr0n

Indeed. We need to switch to core24 for this to work, we have this on our items for this cycle.

tomponline avatar May 10 '24 20:05 tomponline

It is interesting. If apparmor_parser doesn't know anything about nosymfollow, why does the kernel still apply policies on this? It would make more sense to allow everything which is not supported by the apparmor_parser by default. That keeps things from breaking for older user-space versions.

So, if a user updates apparmor_parser to a version which supports nosymfollow, then we can apply this policy to profiles generated by this version of apparmor_parser. But if a user uses an old version of apparmor_parser with a recent kernel (which supports nosymfollow), there is no reason to forbid it.

Kernel updates must be fully compatible with old user space versions. Always.

mihalicyn avatar Jun 14 '24 12:06 mihalicyn

This https://github.com/canonical/lxd-pkg-snap/pull/477 unblocks this PR. But we need to properly check AppArmor version from the LXD side.

mihalicyn avatar Jun 21 '24 12:06 mihalicyn
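One way to do the "check from the LXD side" mentioned above, as an added example that is neither LXD's nor the thread's own code: parse a throwaway profile with apparmor_parser (assumed to be on PATH; -Q skips the kernel load, -K skips the cache) and emit the wider rule only when the parser accepts nosymfollow, otherwise the pre-existing rule set from the issue description.

```shell
#!/bin/sh
# Feature-detect nosymfollow support in the local apparmor_parser by parsing a
# constructed probe profile. Parse only: -Q skips loading into the kernel and
# -K skips the profile cache, so nothing on the host is changed.
parser_supports_nosymfollow() {
    # No parser available: treat as unsupported (conservative fallback).
    command -v apparmor_parser >/dev/null 2>&1 || return 1
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
profile nosymfollow-probe {
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/shm,
}
EOF
    # The core22 parser from the issue fails here with "unsupported mount options".
    if apparmor_parser -Q -K "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Emit the read-only bind remount rule the generated profile should carry:
# with nosymfollow when the parser understands it, otherwise the option set
# that the existing rules already allow.
ro_bind_remount_rule() {
    if parser_supports_nosymfollow; then
        echo "mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow),"
    else
        echo "mount options=(ro,remount,bind,nosuid,noexec,nodev),"
    fi
}

ro_bind_remount_rule
```

On a host whose parser predates nosymfollow the script prints the narrower rule, which is exactly why the systemd credential setup from the issue still gets denied there.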

Slightly reworked version https://github.com/canonical/lxd/pull/13681

mihalicyn avatar Jun 28 '24 12:06 mihalicyn

@enr0n hi, please can you review https://github.com/canonical/lxd/pull/13681 and let us know a use case for testing that the fix works. Thanks.

tomponline avatar Jul 01 '24 07:07 tomponline

See https://github.com/canonical/lxd/pull/13681#issuecomment-2214495022 for reproducer steps.

tomponline avatar Jul 12 '24 10:07 tomponline