-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AppArmor profile: recently added signal peers allow too much #2023
Comments
You could change crun* to be crun and crun-* to make it more specific. crun-wasm And potentially others in the future should be handled. These are sybolic links to crun, so not sure if that changes the equation. |
Yes - in this case, it makes things easier. AppArmor checks paths after symlink resolution, so if you have a symlink /usr/bin/crun-wasm -> /usr/bin/crun, AppArmor will always see /usr/bin/crun, and use the crun profile. |
Actually the symlink is only true for crun-wasm. crun-vm is a standalong executable. So for precision it would be better to do crun and crun-* |
Where are these other crun-* binaries being shipped or used, like crun-vm? I don't see them in any of the packages in the ubuntu archive, for example: $ apt-file search /usr/bin/crun
crun: /usr/bin/crun
crunch: /usr/bin/crunch
libcam-pdf-perl: /usr/bin/crunchjpgs But as can be seen, the concern raised by this ticket is valid: there are binaries matching /usr/bin/crun* that have nothing to do with the container world, and that this apparmor rule would allow. |
Change the rule to crun and crun-* if you like. We do not track what is and is not packaged for certain distributions. |
In 1aedc12 you added the following signal rules to the AppArmor profile:
This is not completely wrong, but it allows more than really needed.
a) The profiles added in https://gitlab.com/apparmor/apparmor/-/commit/2594d936 are all "named" profiles:
This means you can reference them by their name (runc, crun and podman). Including the path in peer= is superfluous,
peer=runc
is enough.b) Wildcard for
crun*
I don't know why you allow
crun*
instead of justcrun
, but that means that profiles matching that name (for example "cruncher") will be allowed to send signals. If this isn't intentional, I'd recommend to remove the*
..
To sum it up: I propose to change the lines added in 1aedc12 to
The text was updated successfully, but these errors were encountered: