
support AppArmor profiles for containers #8715

Open
Tracked by #8484
smira opened this issue May 7, 2024 · 6 comments

Comments

@smira
Member

smira commented May 7, 2024

See conversation here for details: #8641 (comment)

@konrader

I started looking at how I could create a Talos system extension that contributes /usr/sbin/apparmor_parser to rootfs (where containerd looks for it).
I managed to create a basic Docker build file that builds apparmor_parser from source:

```dockerfile
# Stage 0: build libapparmor and the parser from the apparmor-3.1 branch (glibc-based)
FROM ubuntu:24.04

RUN apt update && apt install -y git make autoconf-archive pkg-config libtool g++ gettext bison flex

RUN git clone -b apparmor-3.1 https://gitlab.com/apparmor/apparmor.git

# The parser links against libapparmor, so build the library first
WORKDIR /apparmor/libraries/libapparmor
RUN ./autogen.sh
RUN ./configure
RUN make

WORKDIR /apparmor/parser
RUN make

# Stage 1: copy only the resulting binary to the path containerd expects
FROM ubuntu:24.04

COPY --from=0 /apparmor/parser/apparmor_parser /usr/sbin/apparmor_parser
```

Now I'm a bit lost around how I get this into a Talos extension that I can try out on a test Talos cluster.

@smira
Member Author

smira commented May 21, 2024

I don't think we allow extensions to modify /usr/sbin, only /usr/local/... atm.

We are considering this feature still, but so far working on other things, so no active work happening here.

@frezbo
Member

frezbo commented May 21, 2024

Also, since Talos is based on musl, you'd have to build using an example in the extensions repo; probably look at nut-client.

@smira
Member Author

smira commented May 21, 2024

But if kubelet/CRI hardcodes the apparmor_parser location, we'd have to make it part of the standard Talos install, and then the question is how big it is (including whatever dependencies it has).

@konrader

Unfortunately containerd has the path to apparmor_parser hardcoded: https://github.com/containerd/containerd/blob/release/1.7/pkg/apparmor/apparmor_linux.go#L38

The tricky part I see in containerd is that it automatically applies a default AppArmor profile to all started containers (if they don't have any security spec specified) if it has detected that the host supports AppArmor (that check covers both kernel support and that the userland tool is available). The sorry part is that it does not allow starting a container with an AppArmor security spec referencing an already loaded profile if the host AppArmor support check returned false, even though in this case the apparmor_parser userland tool is not needed (the profile reference is passed down to runc).
I almost feel like this should be an issue raised with the containerd project.

@konrader

> Also since talos is based on musl, you'd have to build using an example in the extensions repo, probably look at nut-client

Here is a Dockerfile for compiling apparmor_parser against musl.

```dockerfile
# Stage 0: build libapparmor and the parser against musl (Alpine) for Talos
FROM alpine:3.19.1

RUN apk add -U --no-cache git g++ automake autoconf-archive pkgconfig make libtool gettext bison flex python3 vim sed musl-libintl linux-headers bash

RUN git clone -b apparmor-3.1 https://gitlab.com/apparmor/apparmor.git

# Build libapparmor first; the parser links against it
WORKDIR /apparmor/libraries/libapparmor
RUN ./autogen.sh
RUN ./configure
RUN make

WORKDIR /apparmor/parser
# Generate the address-family name table the parser build needs from the kernel headers
RUN ../common/list_af_names.sh > base_af_names.h
RUN make

# Stage 1: ship only the binary at the path containerd expects
FROM alpine:3.19.1

COPY --from=0 /apparmor/parser/apparmor_parser /usr/sbin/apparmor_parser
```

But I'm not sure if I should convert this into a Talos extension package, since it does not allow copying things to /usr/sbin.
