lxc  4.0.10
About: LXC is a set of userspace tools for Linux kernel containers that lets users easily create and manage system or application containers.

apparmor.c File Reference
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/vfs.h>
#include <unistd.h>
#include "caps.h"
#include "cgroups/cgroup_utils.h"
#include "conf.h"
#include "config.h"
#include "initutils.h"
#include "file_utils.h"
#include "log.h"
#include "lsm.h"
#include "parse.h"
#include "process_utils.h"
#include "utils.h"


Data Structures

struct  mntopt_t
 
struct  apparmor_parser_args
 

Macros

/* Expose GNU extensions in the system headers included above. */
#define _GNU_SOURCE   1
 
/* Default profile names.  The _CGNS variant is presumably chosen when the
 * container runs in its own cgroup namespace — confirm in apparmor_prepare(). */
#define AA_DEF_PROFILE   "lxc-container-default"
 
#define AA_DEF_PROFILE_CGNS   "lxc-container-default-cgns"
 
/* securityfs node exposing the kernel's AppArmor mount-rule feature mask;
 * presumably what load_mount_features_enabled() reads (see
 * .aa_mount_features_enabled in apparmor_ops). */
#define AA_MOUNT_RESTR   "/sys/kernel/security/apparmor/features/mount/mask"
 
/* Kernel module parameter reporting whether AppArmor is active ("Y"/"N"). */
#define AA_ENABLED_FILE   "/sys/module/apparmor/parameters/enabled"
 
/* Special profile-name values: keep the caller's current label unchanged,
 * or build a per-container profile (get_apparmor_profile_content()). */
#define AA_UNCHANGED   "unchanged"
 
#define AA_GENERATED   "generated"
 
/* Mode letters handed to run_apparmor_parser(); they appear to map onto the
 * apparmor_parser switches: -r replace (load), -R remove (unload),
 * -Q parse/compile only without loading into the kernel. */
#define AA_CMD_LOAD   'r'
 
#define AA_CMD_UNLOAD   'R'
 
#define AA_CMD_PARSE   'Q'
 

Functions

static void LXC_TRACE (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_DEBUG (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_INFO (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_NOTICE (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_WARN (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_ERROR (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_CRIT (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_ALERT (struct lxc_log_locinfo *, const char *,...)
 
static void LXC_FATAL (struct lxc_log_locinfo *, const char *,...)
 
static void load_mount_features_enabled (struct lsm_ops *ops)
  More...
 
static int apparmor_enabled (struct lsm_ops *ops)
  More...
 
static int __apparmor_process_label_open (struct lsm_ops *ops, pid_t pid, int o_flags, bool on_exec)
  More...
 
static char * apparmor_process_label_get (struct lsm_ops *ops, pid_t pid)
  More...
 
static char * apparmor_process_label_get_at (struct lsm_ops *ops, int fd_pid)
  More...
 
static bool apparmor_am_unconfined (struct lsm_ops *ops)
  More...
 
static bool aa_needs_transition (char *curlabel)
  More...
 
static void uint64hex (char *buf, uint64_t num)
  More...
 
static char * shorten_apparmor_name (char *name)
  More...
 
static void sanitize_path (char *path)
  More...
 
static char * apparmor_dir (const char *ctname, const char *lxcpath)
  More...
 
static char * apparmor_profile_full (const char *ctname, const char *lxcpath)
  More...
 
static char * apparmor_namespace (const char *ctname, const char *lxcpath)
  More...
 
static bool check_apparmor_parser_version (struct lsm_ops *ops)
  More...
 
static bool file_is_yes (const char *path)
  More...
 
static bool apparmor_can_stack (void)
  More...
 
static void must_append_sized_full (char **buf, size_t *bufsz, const char *data, size_t size, bool append_newline)
  More...
 
static void must_append_sized (char **buf, size_t *bufsz, const char *data, size_t size)
  More...
 
static bool is_privileged (struct lxc_conf *conf)
  More...
 
static void append_remount_rule (char **profile, size_t *size, const char *rule)
  More...
 
static void append_all_remount_rules (char **profile, size_t *size)
  More...
 
static char * get_apparmor_profile_content (struct lsm_ops *ops, struct lxc_conf *conf, const char *lxcpath)
  More...
 
static char * make_apparmor_profile_path (const char *ctname, const char *lxcpath)
  More...
 
static char * make_apparmor_namespace_path (const char *ctname, const char *lxcpath)
  More...
 
static bool make_apparmor_namespace (struct lsm_ops *ops, struct lxc_conf *conf, const char *lxcpath)
  More...
 
static void remove_apparmor_namespace (struct lxc_conf *conf, const char *lxcpath)
  More...
 
static int apparmor_parser_exec (void *data)
  More...
 
static int run_apparmor_parser (char command, struct lxc_conf *conf, const char *lxcpath)
  More...
 
static void remove_apparmor_profile (struct lxc_conf *conf, const char *lxcpath)
  More...
 
static int load_apparmor_profile (struct lsm_ops *ops, struct lxc_conf *conf, const char *lxcpath)
  More...
 
static void apparmor_cleanup (struct lsm_ops *ops, struct lxc_conf *conf, const char *lxcpath)
  More...
 
static int apparmor_prepare (struct lsm_ops *ops, struct lxc_conf *conf, const char *lxcpath)
  More...
 
static int apparmor_keyring_label_set (struct lsm_ops *ops, const char *label)
 
static int apparmor_process_label_fd_get (struct lsm_ops *ops, pid_t pid, bool on_exec)
  More...
 
static int apparmor_process_label_set_at (struct lsm_ops *ops, int label_fd, const char *label, bool on_exec)
  More...
 
static int apparmor_process_label_set (struct lsm_ops *ops, const char *inlabel, struct lxc_conf *conf, bool on_exec)
 
struct lsm_ops * lsm_apparmor_ops_init (void)
  More...
 

Variables

struct lxc_log_category lxc_log_category_lsm
 
struct lxc_log_category lxc_log_category_apparmor = { "apparmor", LXC_LOG_LEVEL_NOTSET, NULL, &lxc_log_category_lsm } /* "apparmor" log category, child of the "lsm" category; level NOTSET (presumably inherits the parent's level) */
 
static const char AA_PROFILE_BASE []
  More...
 
static const char AA_PROFILE_UNIX_SOCKETS []
  More...
 
static const char AA_PROFILE_CGROUP_NAMESPACES []
  More...
 
static const char AA_PROFILE_STACKING_BASE []
  More...
 
static const char AA_PROFILE_NO_STACKING []
  More...
 
static const char AA_PROFILE_NESTING_BASE []
  More...
 
static const char AA_PROFILE_UNPRIVILEGED []
  More...
 
static const char * AA_ALL_DEST_PATH_LIST []
  More...
 
static const struct mntopt_t REMOUNT_OPTIONS []
  More...
 
static struct lsm_ops apparmor_ops
  More...
 

Variable Documentation

◆ AA_ALL_DEST_PATH_LIST

const char* AA_ALL_DEST_PATH_LIST[]
static
Initial value:
= {
/*
 * Destination suffixes for the generated remount rules; append_remount_rule()
 * is the only user and presumably glues each onto a "mount options=(...)"
 * prefix.  Every glob has the form "<path>{,/**}": the path itself or anything
 * below it.  Taken together they cover all absolute paths EXCEPT the exact
 * names /dev, /proc, /sys, /dev/.lxc and the whole /dev/.lxc/** tree.  This
 * works because each group only matches once the name has diverged from the
 * excluded prefix: "[^x]" matches exactly one character other than x, "?*"
 * requires at least one extra character, and neither matches "/".  As a side
 * effect the bare prefixes (/d, /de, /p, /pr, /pro, /s, /sy, /dev/.l,
 * /dev/.lx) and "/" on its own are not matched either.
 * NOTE(review): confirm that leaving "/" uncovered is intended before relying
 * on these rules for the root mount.
 */
" -> /[^spd]*{,/**},\n",		/* first character is not s, p or d */
" -> /d[^e]*{,/**},\n",			/* /d... but not /de... */
" -> /de[^v]*{,/**},\n",		/* /de... but not /dev... */
" -> /dev/.[^l]*{,/**},\n",		/* dotfiles in /dev, unless they start with .l */
" -> /dev/.l[^x]*{,/**},\n",
" -> /dev/.lx[^c]*{,/**},\n",
" -> /dev/.lxc?*{,/**},\n",		/* /dev/.lxcXXX, but not /dev/.lxc{,/**} */
" -> /dev/[^.]*{,/**},\n",		/* /dev entries not starting with "." */
" -> /dev?*{,/**},\n",			/* /devXXX, but not /dev itself */
" -> /p[^r]*{,/**},\n",
" -> /pr[^o]*{,/**},\n",
" -> /pro[^c]*{,/**},\n",
" -> /proc?*{,/**},\n",			/* /procXXX, but not /proc itself */
" -> /s[^y]*{,/**},\n",
" -> /sy[^s]*{,/**},\n",
" -> /sys?*{,/**},\n",			/* /sysXXX, but not /sys itself */
NULL,					/* end-of-list sentinel */
}

Definition at line 675 of file apparmor.c.

Referenced by append_remount_rule().

◆ AA_PROFILE_BASE

const char AA_PROFILE_BASE[]
static

Definition at line 40 of file apparmor.c.

Referenced by get_apparmor_profile_content().

◆ AA_PROFILE_CGROUP_NAMESPACES

const char AA_PROFILE_CGROUP_NAMESPACES[]
static
Initial value:
=
/* Profile fragment for containers with their own cgroup namespace (presumably
 * gated on that feature by get_apparmor_profile_content()): cgroup v1 and v2
 * filesystems may be mounted, but only at targets below /sys/fs/cgroup/. */
"\n"
" ### Feature: cgroup namespace\n"
" mount fstype=cgroup -> /sys/fs/cgroup/**,\n"
" mount fstype=cgroup2 -> /sys/fs/cgroup/**,\n"

Definition at line 274 of file apparmor.c.

Referenced by get_apparmor_profile_content().

◆ AA_PROFILE_NESTING_BASE

const char AA_PROFILE_NESTING_BASE[]
static
Initial value:
=
/* Fragment for nested containers (a container that itself runs LXC/LXD).
 * Besides pivot_root, ptrace and signal it ends with an unrestricted "mount,"
 * rule (see the TODO in the profile text), so the narrower mount lines before
 * it document intent rather than form a boundary.  The "deny" lines still
 * hold — AppArmor deny rules take precedence over allow rules — and so do the
 * /sys/kernel denies of the stacking fragments when they are part of the same
 * generated profile. */
"\n"
" ### Configuration: nesting\n"
" pivot_root,\n"
" ptrace,\n"
" signal,\n"
"\n"
/* The container may neither read nor write the /dev/.lxc/{proc,sys} trees. */
" deny /dev/.lxc/proc/** rw,\n"
" deny /dev/.lxc/sys/** rw,\n"
"\n"
/* proc and sysfs may be mounted under /usr/lib/<arch>/lxc/. */
" mount fstype=proc -> /usr/lib/*/lxc/**,\n"
" mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
"\n"
" # Allow nested LXD\n"
" mount none -> /var/lib/lxd/shmounts/,\n"
" mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/,\n"
" mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,\n"
"\n"
" # TODO: There doesn't seem to be a way to ask for:\n"
" # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
" # as we always get mount to $cdir/proc/sys with those flags denied\n"
" # So allow all mounts until that is straightened out:\n"
/* NOTE(review): unrestricted — any fstype, options and destination. */
" mount,\n"

Definition at line 319 of file apparmor.c.

Referenced by get_apparmor_profile_content().

◆ AA_PROFILE_NO_STACKING

const char AA_PROFILE_NO_STACKING[]
static
Initial value:
=
/* Fragment used when the kernel cannot stack AppArmor profiles: the container
 * is denied every access — read, write, lock, link, exec ("rwklx") — to
 * /sys/k*, which includes /sys/kernel/security/apparmor, so it can neither
 * inspect nor alter AppArmor state.  Contrast AA_PROFILE_STACKING_BASE, which
 * leaves reads and the apparmor securityfs subtree open. */
"\n"
" ### Feature: apparmor stacking (not present)\n"
" deny /sys/k*{,/**} rwklx,\n"

Definition at line 312 of file apparmor.c.

Referenced by get_apparmor_profile_content().

◆ AA_PROFILE_STACKING_BASE

const char AA_PROFILE_STACKING_BASE[]
static
Initial value:
=
/* Fragment used when the kernel supports profile stacking: the container may
 * load profiles into its own AppArmor namespace, so /sys/kernel/security/apparmor
 * (and everything below it) stays accessible while every other path under
 * /sys/kernel is denied write/lock/link/exec ("wklx"; reads remain allowed).
 * The carve-out is spelled out the only way AppArmor globs permit: one deny
 * rule per prefix that diverges from "kernel/security/apparmor" at each
 * successive character, plus "?*" rules for longer names that merely share
 * a prefix (e.g. /sys/kernelfoo, /sys/kernel/securityfoo, .../apparmorfoo). */
"\n"
" ### Feature: apparmor stacking\n"
" ### Configuration: apparmor profile loading (in namespace)\n"
" deny /sys/k[^e]*{,/**} wklx,\n"
" deny /sys/ke[^r]*{,/**} wklx,\n"
" deny /sys/ker[^n]*{,/**} wklx,\n"
" deny /sys/kern[^e]*{,/**} wklx,\n"
" deny /sys/kerne[^l]*{,/**} wklx,\n"
" deny /sys/kernel/[^s]*{,/**} wklx,\n"
" deny /sys/kernel/s[^e]*{,/**} wklx,\n"
" deny /sys/kernel/se[^c]*{,/**} wklx,\n"
" deny /sys/kernel/sec[^u]*{,/**} wklx,\n"
" deny /sys/kernel/secu[^r]*{,/**} wklx,\n"
" deny /sys/kernel/secur[^i]*{,/**} wklx,\n"
" deny /sys/kernel/securi[^t]*{,/**} wklx,\n"
" deny /sys/kernel/securit[^y]*{,/**} wklx,\n"
" deny /sys/kernel/security/[^a]*{,/**} wklx,\n"
" deny /sys/kernel/security/a[^p]*{,/**} wklx,\n"
" deny /sys/kernel/security/ap[^p]*{,/**} wklx,\n"
" deny /sys/kernel/security/app[^a]*{,/**} wklx,\n"
" deny /sys/kernel/security/appa[^r]*{,/**} wklx,\n"
" deny /sys/kernel/security/appar[^m]*{,/**} wklx,\n"
" deny /sys/kernel/security/apparm[^o]*{,/**} wklx,\n"
" deny /sys/kernel/security/apparmo[^r]*{,/**} wklx,\n"
/* "?*" never matches "/", so /sys/kernel/security/apparmor{,/**} itself is
 * left out of the deny set by each of the next three rules. */
" deny /sys/kernel/security/apparmor?*{,/**} wklx,\n"
" deny /sys/kernel/security?*{,/**} wklx,\n"
" deny /sys/kernel?*{,/**} wklx,\n"

Definition at line 282 of file apparmor.c.

Referenced by get_apparmor_profile_content().

◆ AA_PROFILE_UNIX_SOCKETS

const char AA_PROFILE_UNIX_SOCKETS[]
static
Initial value:
=
/* Fragment emitted when AppArmor mediates unix sockets (presumably gated on
 * .aa_supports_unix): the container may receive on unix sockets from any peer,
 * but every other unix-socket operation is allowed only with peers confined
 * by this same profile (@{profile_name}). */
"\n"
" ### Feature: unix\n"
" # Allow receive via unix sockets from anywhere\n"
" unix (receive),\n"
"\n"
" # Allow all unix sockets in the container\n"
" unix peer=(label=@{profile_name}),\n"

Definition at line 264 of file apparmor.c.

Referenced by get_apparmor_profile_content().

◆ AA_PROFILE_UNPRIVILEGED

const char AA_PROFILE_UNPRIVILEGED[]
static
Initial value:
=
/* Fragment for unprivileged (user-namespaced) containers, presumably selected
 * via is_privileged() in get_apparmor_profile_content().  Its mount rules are
 * deliberately broad: any propagation change on any path, any bind/rbind mount
 * with no source or destination constraint, and any read-only remount.
 * NOTE(review): the guarding assumption appears to be that the user namespace,
 * not this profile, limits what such mounts can reach — do not reuse this
 * fragment for a privileged profile. */
"\n"
" ### Configuration: unprivileged container\n"
" pivot_root,\n"
"\n"
" # Allow modifying mount propagation\n"
" mount options=(rw,make-slave) -> **,\n"
" mount options=(rw,make-rslave) -> **,\n"
" mount options=(rw,make-shared) -> **,\n"
" mount options=(rw,make-rshared) -> **,\n"
" mount options=(rw,make-private) -> **,\n"
" mount options=(rw,make-rprivate) -> **,\n"
" mount options=(rw,make-unbindable) -> **,\n"
" mount options=(rw,make-runbindable) -> **,\n"
"\n"
" # Allow all bind-mounts\n"
/* No source/destination given: any bind or rbind mount is permitted. */
" mount options=(rw,bind),\n"
" mount options=(rw,rbind),\n"
"\n"
" # Allow remounting things read-only\n"
" mount options=(ro,remount),\n"

Definition at line 345 of file apparmor.c.

Referenced by get_apparmor_profile_content().

◆ apparmor_ops

struct lsm_ops apparmor_ops
static
Initial value:
= {
	.name = "AppArmor",

	/* LSM callbacks wired to the implementations in this file. */
	.enabled              = apparmor_enabled,
	.prepare              = apparmor_prepare,
	.cleanup              = apparmor_cleanup,
	.keyring_label_set    = apparmor_keyring_label_set,
	.process_label_get    = apparmor_process_label_get,
	.process_label_get_at = apparmor_process_label_get_at,
	.process_label_set    = apparmor_process_label_set,
	.process_label_set_at = apparmor_process_label_set_at,
	.process_label_fd_get = apparmor_process_label_fd_get,

	/* Cached probe results.  All start at -1, presumably meaning "not yet
	 * determined"; the helpers in this file (apparmor_enabled(),
	 * apparmor_can_stack(), load_mount_features_enabled(), ...) appear to
	 * fill them in on first use — confirm in their definitions. */
	.aa_enabled                = -1,
	.aa_admin                  = -1,
	.aa_can_stack              = -1,
	.aa_is_stacked             = -1,
	.aa_mount_features_enabled = -1,
	.aa_parser_available       = -1,
	.aa_supports_unix          = -1,
}

Definition at line 1202 of file apparmor.c.

Referenced by lsm_apparmor_ops_init().

◆ REMOUNT_OPTIONS

const struct mntopt_t REMOUNT_OPTIONS[]
static
Initial value:
= {
/* Mount options that append_all_remount_rules() adds to the generated remount
 * rules.  Each mntopt_t holds the option text with a leading comma, so it can
 * be appended straight onto an existing option list, and its length computed
 * without the trailing NUL (sizeof - 1). */
{ ",nodev", sizeof(",nodev")-1 },
{ ",nosuid", sizeof(",nosuid")-1 },
{ ",noexec", sizeof(",noexec")-1 },
}

Referenced by append_all_remount_rules().