Enable rootless AppArmor #19303
Enable rootless AppArmor #19303
Conversation
These changes make it possible to specify an AppArmor profile to run a container under via the --security-opt apparmor=... flag when rootless. Podman previously required root privileges to specify an AppArmor in order to check /sys/kernel/security/apparmor/profiles to see whether or not the provided AppArmor profile was loaded into the kernel. After these changes, Podman will instead error out when it attempts to write /proc/thread-self/attr/exec with a non-existent profile. Note that Podman can't use apparmor_parser to load a new profile into the kernel without root. There isn't a convenient way to allow generateSpec to run CheckProfileAndLoadDefault rootlessly from containers/common in its current implementation, so I've removed all uses of that function from generateSpec (even when we're running as root). In theory this would mean that under these changes we won't be able to load a default profile for containers. However, it turns out that in practice there was never any path through the code where Podman would load the default profile anyways, so this is a non-breaking change. Fixes an issue previously described in: containers/common#958 Signed-off-by: Will Shand <[email protected]>
Signed-off-by: Will Shand <[email protected]>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: kernelmethod The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
- Import github.com/opencontainers/runc/libcontainer/apparmor as apparmor rather than runcaa for clarity. - Don't skip the 'podman run no apparmor --privileged' if we're running rootlessly. Signed-off-by: Will Shand <[email protected]>
| Skip("Apparmor is not enabled") | ||
| } | ||
| } | ||
| func skipIfRootless() { |
|
A friendly reminder that this PR had no activity for 30 days. |
|
@kernelmethod Still working on this one? |
|
I am, I've just fallen behind on getting it finished. If you'd prefer that I close this PR and open a new one when it's ready to merge, that's fine with me. |
|
No problem, I would prefer you update this PR with fixes when you get a chance. |
|
A friendly reminder that this PR had no activity for 30 days. |
|
@kernelmethod any update? |
|
Not at the moment; I'm planning on returning to this in mid- / late-October. If somebody else wants to pick this up then they're free to do so, but it's currently low-priority for me. |
Related issues:
As previously noted in containers/common#958 and #15874, it is perfectly possible for rootless containers to run with an AppArmor profile. However, the current architecture of Podman requires it to load the default AppArmor profile at runtime before running the container.
With this PR, we no longer attempt to load the profile at runtime. Instead (as discussed in #15874), default profiles should be installed to
/etc/apparmor.d/at the point where Podman is installed, and then specified in a defaultcontainers.conf.This is the sister PR to containers/common#1572; they should be merged in together to avoid breakage.
Does this PR introduce a user-facing change?