Allow rootless containers to use AppArmor profiles #59
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
These changes make it possible to specify an AppArmor profile to run a container under via the --security-opt apparmor=... flag when rootless. Podman previously required root privileges to specify an AppArmor in order to check /sys/kernel/security/apparmor/profiles to see whether or not the provided AppArmor profile was loaded into the kernel. After these changes, Podman will instead error out when it attempts to write /proc/thread-self/attr/exec with a non-existent profile. Note that Podman can't use apparmor_parser to load a new profile into the kernel without root. There isn't a convenient way to allow generateSpec to run CheckProfileAndLoadDefault rootlessly from containers/common in its current implementation, so I've removed all uses of that function from generateSpec (even when we're running as root). In theory this would mean that under these changes we won't be able to load a default profile for containers. However, it turns out that in practice there was never any path through the code where Podman would load the default profile anyways, so this is a non-breaking change. Fixes an issue previously described in: containers/common#958 Signed-off-by: Will Shand <[email protected]>
Signed-off-by: Will Shand <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related issues:
As previously noted in containers/common#958 and containers/podman#15874, it is perfectly possible for rootless containers to run with an AppArmor profile. However, the current architecture of Podman requires it to load the default AppArmor profile at runtime before running the container. With this PR, we no longer attempt to load the profile at runtime. Instead (as discussed in containers/podman#15874), default profiles should be installed to
/etc/apparmor.d/at the point where Podman is installed, and then specified in a defaultcontainers.conf.This is the sister PR to containers/common#1572; they should be merged in together to avoid breakage.
Does this PR introduce a user-facing change?