forked from containers/common
Fix #2040483 ("AppArmor denies crun sending signals to containers (stop, kill)")

This makes projects using AppArmor bits from golang-github-containers-common (notably podman) work with AppArmor v4.0.0.

There is a similar issue with containerd clients and docker. The fix was merged to the containerd upstream[1]. The fix to moby (docker) was submitted but seems to have stalled[2].

Upstream notes we should fix regressions we introduced in Ubuntu or perhaps at least introduce a generic way to refer to OCI runtimes under a single peer name. I suspect we would get similar objections in containers/common. That's why I haven't yet submitted the patch to the upstream. In the meantime, patch this library so that podman can work with OCI runtimes we currently confine.

[1] containerd/containerd#10123
[2] moby/moby#47749

Bug: https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
Showing 2 changed files with 67 additions and 0 deletions.
debian/patches/apparmor-Allow-confined-runc-crun-to-kill-containers.patch (66 additions, 0 deletions)
@@ -0,0 +1,66 @@ | ||
From 4e85b17f1adb47d3de3b348f707d785b1ec4900c Mon Sep 17 00:00:00 2001 | ||
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Virtus?= <nechtom@gmail.com> | ||
Date: Sun, 28 Apr 2024 22:17:12 +0200 | ||
Subject: [PATCH] apparmor: Allow confined runc/crun to kill containers | ||
MIME-Version: 1.0 | ||
Content-Type: text/plain; charset=UTF-8 | ||
Content-Transfer-Encoding: 8bit | ||
Origin: https://github.com/woky/common/commit/4e85b17f1adb47d3de3b348f707d785b1ec4900c | ||
Forwarded: no | ||
|
||
AppArmor v4.0.0 introduced runc and crun profiles for /usr/sbin/runc and | ||
/usr/bin/crun respectively[1]. This change breaks stopping of | ||
containers, because the built-in profile assigned to containers doesn't | ||
accept signals from runc and crun peers. AppArmor >= v4.0.0 is currently | ||
part of Ubuntu Mantic (23.10) and later. | ||
|
||
The issue is reproducible when podman is run with privileges to load new | ||
AppArmor profiles (e.g. as root): | ||
|
||
Test commands: | ||
|
||
root@cloudimg:~# podman run -d --name foo docker.io/library/nginx:latest | ||
1859ea952f6bfb90cc42a57e128d9a2fd7a134e3fbbbe0c22a57bf1b37468cd0 | ||
root@cloudimg:~# podman stop foo | ||
WARN[0010] StopSignal SIGQUIT failed to stop container foo in 10 seconds, resorting to SIGKILL | ||
Error: given PID did not die within timeout | ||
|
||
AppArmor denial in syslog (with long lines wrapped): | ||
|
||
Apr 28 20:26:49 cloudimg kernel: audit: | ||
type=1400 audit(1714336009.026:112): apparmor="DENIED" | ||
operation="signal" class="signal" | ||
profile="containers-default-0.57.4" pid=2553 comm="3" | ||
requested_mask="receive" denied_mask="receive" signal=quit | ||
peer="crun" | ||
|
||
This change extends the default profile with rules that allow receiving | ||
signals from processes that run confined with either runc or crun | ||
profile. It is backward compatible because the peer value is a regular | ||
expression (AARE) so the referenced profile doesn't have to exist for | ||
this profile to successfully compile and load. | ||
|
||
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936 | ||
|
||
Signed-off-by: Tomáš Virtus <nechtom@gmail.com> | ||
--- | ||
pkg/apparmor/apparmor_linux_template.go | 3 +++ | ||
1 file changed, 3 insertions(+) | ||
|
||
diff --git a/pkg/apparmor/apparmor_linux_template.go b/pkg/apparmor/apparmor_linux_template.go | ||
index b8212542..d1ac2780 100644 | ||
--- a/pkg/apparmor/apparmor_linux_template.go | ||
+++ b/pkg/apparmor/apparmor_linux_template.go | ||
@@ -21,6 +21,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { | ||
# Allow signals from privileged profiles and from within the same profile | ||
signal (receive) peer=unconfined, | ||
signal (send,receive) peer={{.Name}}, | ||
+ # Allow signals from OCI runtimes (runc and crun) | ||
+ signal (receive) peer=runc, | ||
+ signal (receive) peer=crun, | ||
{{end}} | ||
|
||
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) | ||
-- | ||
2.44.0 | ||
|
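Review bot: the added rules `+ signal (receive) peer=runc,` and `+ signal (receive) peer=crun,` only match a runtime confined under a profile literally named `runc` or `crun` (the names AppArmor v4.0.0 gives its /usr/sbin/runc and /usr/bin/crun profiles, per [1] in the description), so a runtime attached under any other profile name would still produce the `apparmor="DENIED" ... operation="signal" ... peer="crun"` style denial quoted above; since the commit message itself asks for a generic way to refer to OCI runtimes under a single peer name, consider one AARE pattern or a template variable for the runtime peers, and record in the template comment that the two literal names track the upstream AppArmor 4.0.0 profiles. The new lines also land inside the block closed by `{{end}}` on the following line, so they are emitted only when that template conditional holds; confirm that is the intended scope. The backward-compatibility claim in the description (an AARE peer compiles even when the referenced profile does not exist) would be worth backing with a test that the generated profile still loads on a host without the runc/crun profiles.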
Second changed file:
@@ -1 +1,2 @@ | ||
fix-apparmor-parsing.patch | ||
apparmor-Allow-confined-runc-crun-to-kill-containers.patch |
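Review bot: the new entry is appended after fix-apparmor-parsing.patch, so the context lines the new patch expects in pkg/apparmor/apparmor_linux_template.go (`signal (receive) peer=unconfined,` and `signal (send,receive) peer={{.Name}},`) must match the file as left by that earlier patch; confirm the series still applies cleanly in order (for example with `quilt push -a`), and revisit the `Forwarded: no` DEP-3 header once the upstream submission the commit message defers is actually made.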