Allow rootless AppArmor #1572
Allow rootless AppArmor #1572
Conversation
This reverts commit d167b7f. Signed-off-by: Will Shand <wss2ec@g.ucla.edu>
Set the default AppArmor profile to unconfined; see the following issues: - containers#958 - containers/podman#15874 Based on the discussion there, distros that use AppArmor should supply their own AppArmor profile and set it in a default containers.conf, since there is no way to load AppArmor profiles rootlessly. Signed-off-by: Will Shand <wss2ec@g.ucla.edu>
|
As noted in containers/podman#15874, as it currently stands, all rootless containers currently run unconfined anyways, which limits the downstream security impacts of this change. Nonetheless, it would be nice if we could coordinate with Debian and OpenSUSE package maintainers to try to get in a default profile sooner rather than later. I've also opened containers/podman#19303, which will need to be merged in after this. |
|
I am fine with this change, although it seems to be contradictory. You are allowing rootless podman to use apparmor but you comment above the rootless processes can not set apparmor profiles. |
To clarify, I meant that rootless processes cannot load AppArmor profiles into the kernel; i.e., you can't run |
Why this change? This seems like a step backwards to me. Also: If you want to encourage distributions to ship a different default profile, why not ship it directly? |
|
I know nothing apparmor but I agree changing the default to unconfined seems like a regression in the rootful case. |
|
I'm happy to provide a default profile (although it seems that it would be better suited to the other PR containers/podman#15874 than here), but actually getting it installed will need some additional cooperation with whoever is in charge of the Debian and OpenSUSE repos. In any case, it doesn't make sense for the default profile to be specified inline in this library; that job should be deferred to |
|
Having a containers.conf option like As far as breaking podman CI goes we can always add something in our CI setup where we load the profile at the start as root. The important things is to not cause regressions for users who you use a released version so it must be clear for effected distro packagers that they have to ship this profile when in order to not cause regressions. |
|
There is the template in this repository from which the current default for the rootfull podman gets generated: https://github.com/containers/common/blob/main/pkg/apparmor/apparmor_linux_template.go This default should be a good compromise between security and convenience. If the default profile isn't a good compromise at the moment, it would need adjusting anyway. It may be, that one has to make a separate default for rootless, but it should work the same in principal, right?
According to the |
|
@kernelmethod @XSpielinbox @saschagrunert @vrothberg @siretart PTAL I don't think this should be decided by engineers who do not/have not worked with AppArmor |
|
I'll follow @XSpielinbox 's suggestion and use the existing template, and see where that takes us. |
|
@kernelmethod @XSpielinbox @saschagrunert @vrothberg @siretart any update on this? |
|
I have nothing to add to what I said before. I am looking forward to an implementation using the template. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kernelmethod, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
It was now merged without usage of the template, but rather weakening it to unconfined. What was the reasoning behind that? |
|
@XSpielinbox Go is unfortunately not a language I'm terribly good with, and I've had other obligations take priority over this so I've fallen a bit behind on getting this PR and containers/podman#19303 ready (particularly the latter). I'm still working on it; however, if it's high-priority for you and you want to help out, feel free to make a PR to https://github.com/kernelmethod/podman and I'll merge your changes into mine. @rhatdan -- unfortunately as @XSpielinbox said I don't think that this PR was ready to be merged, at least per the previous discussion. Are we now okay with defaulting to making Podman containers unconfined? (Technically already the default for rootless containers, but not for rootful ones.) |
|
I'll revert the commit. I am not sure it was on purpose since merging requires ACKs from at least two maintainers. |
Unfortunately, it is more or less the same for me. I will see what I can do. I would really like to see this feature implemented some day. I wanted to learn Go programming for month now, but haven't found the time yet. |
|
@kernelmethod What OS are you using to test the AppArmor support? |
Debian (Bookworm) |
Thanks @vrothberg; I'll open a new PR once everything's ready. |
Related issues:
This PR re-implements #960, allowing containers to execute under a specified AppArmor profile when run rootlessly. In addition, it changes the default AppArmor profile used by containers to
unconfined.The current implementation of Podman compiles and loads the default AppArmor profile at runtime. However, this is incompatible with providing rootless AppArmor compatibility, as loading an AppArmor profile requires root privileges. As discussed in containers/podman#15874, the ideal mechanism by which a default profile should be loaded is to add a profile to
/etc/apparmor.dat installation time, by individual distributions. This profile should then be specified in a defaultcontainers.confprovided by the distribution.