AppArmor LXC development

Registered by Marc Deslauriers

Discuss how AppArmor and LXC are working together and what improvements should be made.

Blueprint information

Status: Complete
Approver: Jamie Strandboge
Priority: Essential
Drafter: John Johansen
Direction: Approved
Assignee: John Johansen
Definition: Approved
Series goal: Accepted for raring
Implementation: Implemented
Milestone target: ubuntu-13.04
Started by: Jamie Strandboge
Completed by: Jamie Strandboge

Whiteboard

jdstrand: For monthly planning purposes, some work items were broken out into the following:
https://blueprints.launchpad.net/ubuntu/+spec/appdev-1303-appisolation-base-labelling

jdstrand, 2013-03-28: postponed work added to https://blueprints.launchpad.net/ubuntu/+spec/security-s-appisolation-lxc

From etherpad (http://summit.ubuntu.com/uds-r/meeting/21155/security-r-apparmor-lxc/):
Features in development
- stacking
  * POC in 2-3 weeks for base stacking (ie, not userspace namespaces; have aa_stack_profile as opposed to change stacking in policy)
  * this allows us to both limit the container and have profiles within the container
- conditional rules
  * base conditionals by 13.04
  * eg:
      fs=procfs proc/foo rw,
      label=foo /foo/bar rw,
- mount fixes/improvements
  * 'umount /mnt/{**,},' - delegation (parent hands capabilities to the child)
  * cleaner way of dealing with things like:
      deny /sys/[^f]*/** wklx,
      deny /sys/f[^s]*/** wklx,
      deny /sys/fs/[^c]*/** wklx,
      deny /sys/fs/c[^g]*/** wklx,
      deny /sys/fs/cg[^r]*/** wklx,
    should be in 13.04 as part of the conditionals work
- extended regex matching and boolean operations
  * eg. allow /** - /sys/fs/cgr*/** wklx,
- netlink? (to filter uevents) - eg network netlink (create,bind,rw),
  * on schedule; will look like a regular network rule. First pass: mask off a family or not. Planned for 13.10, maybe sooner
  * this will also bring in abstract unix domain socket mediation
- labeling
- bug on declaring variables outside of the preamble (ie, in a .d directory)
Can we have all of the above by 14.04? Yes. Work is planned and in progress
- stacking prototype is almost done
- conditional rules are a bit later (base conditionals in 13.04, others later)
User namespaces - 14.04
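To make the "cleaner way" point concrete, the following is an added, constructed example (not AppArmor's matcher and not part of the blueprint): it translates the deny-rule chain above into regexes under a simplified reading of AppArmor glob syntax and compares it with the proposed subtraction operator, written here as "/sys/** - /sys/fs/cgr*/**" (match the left pattern but not the right). The sample paths are constructed, and the glob-to-regex translation is an assumption for illustration only.

```python
import re

# Simplified AppArmor glob semantics (an assumption for this example):
#   *   zero or more characters except '/'
#   **  zero or more characters, '/' included
#   ?   exactly one character except '/'
#   [..] character class passed through unchanged ([^..] negation included;
#        whether AppArmor lets [^x] match '/' is not modelled here)
def glob_to_regex(glob: str) -> re.Pattern:
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

# The hand-written chain from the etherpad notes.
DENY_CHAIN = ["/sys/[^f]*/**", "/sys/f[^s]*/**", "/sys/fs/[^c]*/**",
              "/sys/fs/c[^g]*/**", "/sys/fs/cg[^r]*/**"]

def denied_by_chain(path: str) -> bool:
    return any(glob_to_regex(g).match(path) for g in DENY_CHAIN)

def denied_by_subtraction(path: str, left="/sys/**", right="/sys/fs/cgr*/**") -> bool:
    """Proposed 'left - right' form: in the set if it matches left but not right."""
    return bool(glob_to_regex(left).match(path)) and not glob_to_regex(right).match(path)

def find_gaps(paths):
    """Paths on which the chain and the subtraction form disagree."""
    return [p for p in paths if denied_by_chain(p) != denied_by_subtraction(p)]

# Constructed sample paths; /sys/fsx does not exist on a real system, it only
# shows that the chain keys on exact prefix lengths and falls through otherwise.
SAMPLE_PATHS = ["/sys/kernel/debug/x", "/sys/firmware/efi", "/sys/fs/bpf/maps",
                "/sys/fs/cgroup/memory/tasks", "/sys/fsx/foo"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "chain:", denied_by_chain(p), "subtraction:", denied_by_subtraction(p))
    print("disagreements:", find_gaps(SAMPLE_PATHS))
```

The disagreement on the last sample is the practical argument for the subtraction syntax: one rule states the intent directly instead of relying on five mutually exclusive prefix classes.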

Work items should be brought forward from 12.10 since they already deal with these improvements

(?)

Work Items

Work items:
[jjohansen] aa-namespaces, controls limiting policy - kernel (essential) (3): POSTPONED
[jjohansen] aa-namespaces, controls limiting policy - regression tests (essential) (2): POSTPONED
[jjohansen] stacking - parser tests (essential) (1): POSTPONED
[jdstrand] stacking - update man pages where necessary for stacking (essential) (1): POSTPONED
[sbeattie] update Ubuntu packages (essential) (1): POSTPONED
[jjohansen] labeling - RFC/discussion (essential) (2): POSTPONED
[jjohansen] labeling - regression tests (4): POSTPONED
[jjohansen] fd passing - revalidate files at exec (essential) (3): POSTPONED
[jjohansen] fd passing - revalidate files at ipc (essential) (1): POSTPONED
[jjohansen] fd passing - regression tests (essential) (2): POSTPONED
[sbeattie] stacking - create ppa for testing (essential) (0.5): DONE
[jjohansen] labeling, implicit label sets - kernel (essential) (5): DONE

Work items for later:
[jjohansen] labeling, interface to introspect fd label (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - upstream (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - kernel (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - parser (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - parser tests (essential) (0.5): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - regression tests (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - aa-logparse, including tests (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - userspace tools (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - userspace tool unit tests (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - documentation/man pages (essential) (0.5): POSTPONED
[jjohansen] stacking, RFC/discussion - (essential) (2): POSTPONED
[jjohansen] stacking - upstream (medium) (5): POSTPONED
[jjohansen] stacking, investigate cgroup composition - kernel (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for capabilities (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for rlimits (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for files (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for network (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for ipc (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for mount (essential) (2): POSTPONED
[tyhicks] stacking - update aa-status to work with compound profile names (essential) (1): POSTPONED
[jjohansen] stacking - update genprof/logprof to handle compound profile names (low) (3): POSTPONED
[jjohansen] aa-namespaces, controls limiting policy - upstream (essential) (0.5): POSTPONED
[jjohansen] aa-namespaces, controls limiting policy - documentation (essential) (1): POSTPONED
[jjohansen] stacking, initial white paper doc - (essential) (4): POSTPONED
[jjohansen] labeling - initial white paper (essential) (4): POSTPONED