podman/libpod: add default AppArmor profile

Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile.  Large chunks of libpod/apparmor
come from github.com/moby/moby.

Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.

The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.

Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

Closes: #1063
Approved by: rhatdan

Dockerfile

@@ -115,3 +115,7 @@ COPY test/policy.json /etc/containers/policy.json
 COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redhat.com.yaml
 
 WORKDIR /go/src/github.com/projectatomic/libpod
+
+# Wrap all commands in the "docker-in-docker" script to allow nested containers,
+# and allow testing of apparmor.
+ENTRYPOINT ["./hack/dind"]

Dockerfile.CentOS

@@ -80,3 +80,7 @@ COPY test/policy.json /etc/containers/policy.json
 COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redhat.com.yaml
 
 WORKDIR /go/src/github.com/projectatomic/libpod
+
+# Wrap all commands in the "docker-in-docker" script to allow nested containers,
+# and allow testing of apparmor.
+ENTRYPOINT ["./hack/dind"]

Dockerfile.Fedora

@@ -83,4 +83,9 @@ COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redh
 
 # Install varlink stuff
 RUN pip3 install varlink
+
 WORKDIR /go/src/github.com/projectatomic/libpod
+
+# Wrap all commands in the "docker-in-docker" script to allow nested containers,
+# and allow testing of apparmor.
+ENTRYPOINT ["./hack/dind"]

Makefile

@@ -17,7 +17,7 @@ ETCDIR ?= ${DESTDIR}/etc
 ETCDIR_LIBPOD ?= ${ETCDIR}/crio
 TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
 SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
-BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh) varlink
+BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh) $(shell hack/apparmor_tag.sh) varlink
 BUILDTAGS_CROSS ?= containers_image_openpgp containers_image_ostree_stub exclude_graphdriver_btrfs exclude_graphdriver_devicemapper exclude_graphdriver_overlay
 ifneq (,$(findstring varlink,$(BUILDTAGS)))
 	PODMAN_VARLINK_DEPENDENCIES = cmd/podman/varlink/ioprojectatomicpodman.go
@@ -38,6 +38,8 @@ BUILD_INFO ?= $(shell date +%s)
 LDFLAGS_PODMAN ?= $(LDFLAGS) -X main.gitCommit=$(GIT_COMMIT) -X main.buildInfo=$(BUILD_INFO)
 ISODATE ?= $(shell date --iso-8601)
 LIBSECCOMP_COMMIT := release-2.3
+# Wrapper to setup mounts required by AppArmor
+ENTRYPOINT := ./hack/dind
 
 # If GOPATH not specified, use one in the local directory
 ifeq ($(GOPATH),)
@@ -137,13 +139,13 @@ libpodimage:
 	docker build -t ${LIBPOD_IMAGE} .
 
 dbuild: libpodimage
-	docker run --name=${LIBPOD_INSTANCE} --privileged ${LIBPOD_IMAGE} -v ${PWD}:/go/src/${PROJECT} --rm make binaries
+	docker run --name=${LIBPOD_INSTANCE} --privileged ${LIBPOD_IMAGE} -v ${PWD}:/go/src/${PROJECT} --rm ${ENTRYPOINT} make binaries
 
 test: libpodimage
-	docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} make clean all localunit localintegration
+	docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} make clean all localunit localintegration
 
 integration: libpodimage
-	docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} make clean all localintegration
+	docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} make clean all localintegration
 
 integration.fedora:
 	DIST=Fedora sh .papr_prepare.sh
@@ -152,10 +154,10 @@ integration.centos:
 	DIST=CentOS sh .papr_prepare.sh
 
 shell: libpodimage
-	docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -it --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} sh
+	docker run --tmpfs -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -it --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} sh
 
 testunit: libpodimage
-	docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} make localunit
+	docker run -e STORAGE_OPTIONS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${LIBPOD_IMAGE} ${ENTRYPOINT} make localunit
 
 localunit: varlink_generate
 	$(GO) test -tags "$(BUILDTAGS)" -cover $(PACKAGES)

cmd/podman/create.go

@@ -19,9 +19,11 @@ import (
 	"github.com/projectatomic/libpod/libpod"
 	"github.com/projectatomic/libpod/libpod/image"
 	ann "github.com/projectatomic/libpod/pkg/annotations"
+	"github.com/projectatomic/libpod/pkg/apparmor"
 	"github.com/projectatomic/libpod/pkg/inspect"
 	cc "github.com/projectatomic/libpod/pkg/spec"
 	"github.com/projectatomic/libpod/pkg/util"
+	libpodVersion "github.com/projectatomic/libpod/version"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
@@ -194,6 +196,56 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 		}
 	}
 
+	if config.ApparmorProfile == "" {
+		// Unless specified otherwise, make sure that the default AppArmor
+		// profile is installed.  To avoid redundantly loading the profile
+		// on each invocation, check if it's loaded before installing it.
+		// Suffix the profile with the current libpod version to allow
+		// loading the new, potentially updated profile after an update.
+		profile := fmt.Sprintf("%s-%s", apparmor.DefaultLibpodProfile, libpodVersion.Version)
+
+		loadProfile := func() error {
+			isLoaded, err := apparmor.IsLoaded(profile)
+			if err != nil {
+				return err
+			}
+			if !isLoaded {
+				err = apparmor.InstallDefault(profile)
+				if err != nil {
+					return err
+				}
+
+			}
+			return nil
+		}
+
+		if err := loadProfile(); err != nil {
+			switch err {
+			case apparmor.ErrApparmorUnsupported:
+				// do not set the profile when AppArmor isn't supported
+				logrus.Debugf("AppArmor is not supported: setting empty profile")
+			default:
+				return err
+			}
+		} else {
+			logrus.Infof("Sucessfully loaded AppAmor profile '%s'", profile)
+			config.ApparmorProfile = profile
+		}
+	} else {
+		isLoaded, err := apparmor.IsLoaded(config.ApparmorProfile)
+		if err != nil {
+			switch err {
+			case apparmor.ErrApparmorUnsupported:
+				return fmt.Errorf("profile specified but AppArmor is not supported")
+			default:
+				return fmt.Errorf("error checking if AppArmor profile is loaded: %v", err)
+			}
+		}
+		if !isLoaded {
+			return fmt.Errorf("specified AppArmor profile '%s' is not loaded", config.ApparmorProfile)
+		}
+	}
+
 	if config.SeccompProfilePath == "" {
 		if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
 			config.SeccompProfilePath = libpod.SeccompOverridePath

hack/apparmor_tag.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+if pkg-config libapparmor 2> /dev/null ; then
+	# Travis CI does not support AppArmor, so we cannot run tests there.
+	if [ -z "$TRAVIS" ]; then
+		echo apparmor
+	fi
+fi

hack/dind

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -e
+
+# DinD: a wrapper script which allows docker to be run inside a docker container.
+# Original version by Jerome Petazzoni <jerome@docker.com>
+# See the blog post: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/
+#
+# This script should be executed inside a docker container in privileged mode
+# ('docker run --privileged', introduced in docker 0.6).
+
+# Usage: dind CMD [ARG...]
+
+# apparmor sucks and Docker needs to know that it's in a container (c) @tianon
+export container=docker
+
+if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
+	mount -t securityfs none /sys/kernel/security || {
+		echo >&2 'Could not mount /sys/kernel/security.'
+		echo >&2 'AppArmor detection and --privileged mode might break.'
+	}
+fi
+
+# Mount /tmp (conditionally)
+if ! mountpoint -q /tmp; then
+	mount -t tmpfs none /tmp
+fi
+
+if [ $# -gt 0 ]; then
+	exec "$@"
+fi
+
+echo >&2 'ERROR: No command specified.'
+echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'

pkg/apparmor/aaparser.go

@@ -0,0 +1,90 @@
+// +build linux,apparmor
+
+package apparmor
+
+import (
+	"fmt"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+const (
+	binary = "apparmor_parser"
+)
+
+// getVersion returns the major and minor version of apparmor_parser.
+func getVersion() (int, error) {
+	output, err := cmd("", "--version")
+	if err != nil {
+		return -1, err
+	}
+
+	return parseVersion(output)
+}
+
+// loadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
+func loadProfile(profilePath string) error {
+	_, err := cmd("", "-Kr", profilePath)
+	return err
+}
+
+// cmd runs `apparmor_parser` with the passed arguments.
+func cmd(dir string, arg ...string) (string, error) {
+	c := exec.Command(binary, arg...)
+	c.Dir = dir
+
+	output, err := c.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
+	}
+
+	return string(output), nil
+}
+
+// parseVersion takes the output from `apparmor_parser --version` and returns
+// a representation of the {major, minor, patch} version as a single number of
+// the form MMmmPPP {major, minor, patch}.
+func parseVersion(output string) (int, error) {
+	// output is in the form of the following:
+	// AppArmor parser version 2.9.1
+	// Copyright (C) 1999-2008 Novell Inc.
+	// Copyright 2009-2012 Canonical Ltd.
+
+	lines := strings.SplitN(output, "\n", 2)
+	words := strings.Split(lines[0], " ")
+	version := words[len(words)-1]
+
+	// split by major minor version
+	v := strings.Split(version, ".")
+	if len(v) == 0 || len(v) > 3 {
+		return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
+	}
+
+	// Default the versions to 0.
+	var majorVersion, minorVersion, patchLevel int
+
+	majorVersion, err := strconv.Atoi(v[0])
+	if err != nil {
+		return -1, err
+	}
+
+	if len(v) > 1 {
+		minorVersion, err = strconv.Atoi(v[1])
+		if err != nil {
+			return -1, err
+		}
+	}
+	if len(v) > 2 {
+		patchLevel, err = strconv.Atoi(v[2])
+		if err != nil {
+			return -1, err
+		}
+	}
+
+	// major*10^5 + minor*10^3 + patch*10^0
+	numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
+	return numericVersion, nil
+}

pkg/apparmor/aaparser_test.go

@@ -0,0 +1,75 @@
+// +build linux,apparmor
+
+package apparmor
+
+import (
+	"testing"
+)
+
+type versionExpected struct {
+	output  string
+	version int
+}
+
+func TestParseVersion(t *testing.T) {
+	versions := []versionExpected{
+		{
+			output: `AppArmor parser version 2.10
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 210000,
+		},
+		{
+			output: `AppArmor parser version 2.8
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 208000,
+		},
+		{
+			output: `AppArmor parser version 2.20
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 220000,
+		},
+		{
+			output: `AppArmor parser version 2.05
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 205000,
+		},
+		{
+			output: `AppArmor parser version 2.9.95
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 209095,
+		},
+		{
+			output: `AppArmor parser version 3.14.159
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 314159,
+		},
+	}
+
+	for _, v := range versions {
+		version, err := parseVersion(v.output)
+		if err != nil {
+			t.Fatalf("expected error to be nil for %#v, got: %v", v, err)
+		}
+		if version != v.version {
+			t.Fatalf("expected version to be %d, was %d, for: %#v\n", v.version, version, v)
+		}
+	}
+}

pkg/apparmor/apparmor.go

@@ -0,0 +1,54 @@
+package apparmor
+
+import (
+	"errors"
+)
+
+var (
+	// profileDirectory is the file store for apparmor profiles and macros.
+	profileDirectory = "/etc/apparmor.d"
+	// DefaultLibpodProfile is the name of default libpod AppArmor profile.
+	DefaultLibpodProfile = "libpod-default"
+	// ErrApparmorUnsupported indicates that AppArmor support is not supported.
+	ErrApparmorUnsupported = errors.New("AppArmor is not supported")
+)
+
+const libpodProfileTemplate = `
+{{range $value := .Imports}}
+{{$value}}
+{{end}}
+
+profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+{{range $value := .InnerImports}}
+  {{$value}}
+{{end}}
+
+  network,
+  capability,
+  file,
+  umount,
+
+  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
+  # deny write to files not in /proc/<number>/** or /proc/sys/**
+  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/kcore rwklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+
+{{if ge .Version 208095}}
+  # suppress ptrace denials when using using 'ps' inside a container
+  ptrace (trace,read) peer={{.Name}},
+{{end}}
+}
+`

pkg/apparmor/apparmor_linux.go

@@ -0,0 +1,110 @@
+// +build linux,apparmor
+
+package apparmor
+
+import (
+	"bufio"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"strings"
+	"text/template"
+)
+
+// profileData holds information about the given profile for generation.
+type profileData struct {
+	// Name is profile name.
+	Name string
+	// Imports defines the apparmor functions to import, before defining the profile.
+	Imports []string
+	// InnerImports defines the apparmor functions to import in the profile.
+	InnerImports []string
+	// Version is the {major, minor, patch} version of apparmor_parser as a single number.
+	Version int
+}
+
+// generateDefault creates an apparmor profile from ProfileData.
+func (p *profileData) generateDefault(out io.Writer) error {
+	compiled, err := template.New("apparmor_profile").Parse(libpodProfileTemplate)
+	if err != nil {
+		return err
+	}
+
+	if macroExists("tunables/global") {
+		p.Imports = append(p.Imports, "#include <tunables/global>")
+	} else {
+		p.Imports = append(p.Imports, "@{PROC}=/proc/")
+	}
+
+	if macroExists("abstractions/base") {
+		p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
+	}
+
+	ver, err := getVersion()
+	if err != nil {
+		return err
+	}
+	p.Version = ver
+
+	return compiled.Execute(out, p)
+}
+
+// macrosExists checks if the passed macro exists.
+func macroExists(m string) bool {
+	_, err := os.Stat(path.Join(profileDirectory, m))
+	return err == nil
+}
+
+// InstallDefault generates a default profile in a temp directory determined by
+// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
+func InstallDefault(name string) error {
+	p := profileData{
+		Name: name,
+	}
+
+	// Install to a temporary directory.
+	f, err := ioutil.TempFile("", name)
+	if err != nil {
+		return err
+	}
+	profilePath := f.Name()
+
+	defer f.Close()
+	defer os.Remove(profilePath)
+
+	if err := p.generateDefault(f); err != nil {
+		return err
+	}
+
+	return loadProfile(profilePath)
+}
+
+// IsLoaded checks if a profile with the given name has been loaded into the
+// kernel.
+func IsLoaded(name string) (bool, error) {
+	file, err := os.Open("/sys/kernel/security/apparmor/profiles")
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	defer file.Close()
+
+	r := bufio.NewReader(file)
+	for {
+		p, err := r.ReadString('\n')
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return false, err
+		}
+		if strings.HasPrefix(p, name+" ") {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

pkg/apparmor/apparmor_unsupported.go

@@ -0,0 +1,15 @@
+// +build !linux !apparmor
+
+package apparmor
+
+// InstallDefault generates a default profile in a temp directory determined by
+// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
+func InstallDefault(name string) error {
+	return ErrApparmorUnsupported
+}
+
+// IsLoaded checks if a profile with the given name has been loaded into the
+// kernel.
+func IsLoaded(name string) (bool, error) {
+	return false, ErrApparmorUnsupported
+}