From 7342d59114fe443ae8d59474abb59280f014c493 Mon Sep 17 00:00:00 2001
From: Eric Windisch
Date: Thu, 13 Aug 2015 12:35:03 -0400
Subject: [PATCH] AppArmor: Deny w to /proc/* files

Introduce a write denial for files at the root of /proc. This prohibits root users from performing a chmod of those files. The rules for denials in proc are also cleaned up, making the rules better match their targets.

Locally tested on:
- Ubuntu precise (12.04) with AppArmor 2.7
- Ubuntu trusty (14.04) with AppArmor 2.8.95

Signed-off-by: Eric Windisch
---
 daemon/execdriver/native/apparmor.go   |  5 +----
 integration-cli/docker_cli_run_test.go | 12 ++++++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index 30d49b37b3..3aaba98a34 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -40,14 +40,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   file,
   umount,
 
-  deny @{PROC}/sys/fs/** wklx,
-  deny @{PROC}/fs/** wklx,
+  deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
   deny @{PROC}/sysrq-trigger rwklx,
   deny @{PROC}/mem rwklx,
   deny @{PROC}/kmem rwklx,
   deny @{PROC}/kcore rwklx,
-  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
-  deny @{PROC}/sys/kernel/*/** wklx,
 
   deny mount,
 
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 040bcdaae4..17c6fe2f5a 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
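Review bot: The replacement rule `deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,` drops the `l` (link) permission that all four removed rules denied (`wklx` → `wkx`), while the neighbouring `sysrq-trigger`/`mem`/`kmem`/`kcore` rules keep `rwklx`; unless there is a reason to allow hard-linking into these paths, the line should read `deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wklx,`, or the commit message should say why link is intentionally dropped. The glob is dense enough that a reader cannot tell what it is meant to cover, so a `#` comment above it in the template would help, along the lines of `# Deny writes under /proc except inside per-PID directories; shm* under sys/kernel is listed explicitly` — adjusted if that is not the intent, since the `**^[0-9*]` form is not self-explanatory. The former `sys/fs/**`, `fs/**` and `sys/kernel/*/**` coverage now depends entirely on that one pattern, and the new test in the second hunk only exercises `chmod` on `/proc/cpuinfo`, so it cannot catch a regression in the nested paths; a second assertion against a path under `/proc/sys` would make the cleanup verifiable on both tested AppArmor versions.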
@@ -2811,6 +2811,18 @@ func (s *DockerSuite) TestAppArmorTraceSelf(c *check.C) {
 	}
 }
 
+func (s *DockerSuite) TestAppArmorDeniesChmodProc(c *check.C) {
+	testRequires(c, SameHostDaemon, NativeExecDriver, Apparmor)
+	_, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "744", "/proc/cpuinfo")
+	if exitCode == 0 {
+		// If our test failed, attempt to repair the host system...
+		_, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "444", "/proc/cpuinfo")
+		if exitCode == 0 {
+			c.Fatal("AppArmor was unsuccessful in prohibiting chmod of /proc/* files.")
+		}
+	}
+}
+
 func (s *DockerSuite) TestRunCapAddSYSTIME(c *check.C) {
 	testRequires(c, NativeExecDriver)