From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH 7/8] contrib/apparmor: Merge pasta and passt profiles, update rules
Date: Tue, 15 Nov 2022 02:23:48 +0100
Message-ID: <20221115012349.2240096-8-sbrivio@redhat.com>
In-Reply-To: <20221115012349.2240096-1-sbrivio@redhat.com>
AppArmor resolves executable links before profile attachment rules
are evaluated, so, as long as pasta is installed as a link to passt,
there's no way to differentiate the two cases. Merge the two profiles
and leave a TODO note behind, explaining two possible ways forward.
Update the rules so that passt and pasta are actually usable, once
the profile is installed. Most required changes are related to
isolation and sandboxing features.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/apparmor/usr.bin.passt | 73 ++++++++++++++++++++++++----------
contrib/apparmor/usr.bin.pasta | 66 ------------------------------
2 files changed, 51 insertions(+), 88 deletions(-)
delete mode 100644 contrib/apparmor/usr.bin.pasta
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
index a19fede..96b61ef 100644
--- a/contrib/apparmor/usr.bin.passt
+++ b/contrib/apparmor/usr.bin.passt
@@ -3,7 +3,10 @@
# PASST - Plug A Simple Socket Transport
# for qemu/UNIX domain socket mode
#
-# contrib/apparmor/usr.bin.passt - AppArmor profile example/template for passt
+# PASTA - Pack A Subtle Tap Abstraction
+# for network namespace/tap device mode
+#
+# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1) and pasta(1)
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
@@ -12,31 +15,29 @@ abi <abi/3.0>,
include <tunables/global>
-/usr/bin/passt {
- ### Alternatively: include <abstractions/base>
- @{etc_ro}/ld.so.cache r,
- /{usr/,}lib{,32,64}/ld-*.so r,
- /{usr/,}lib{,32,64}/libc-*.so mr,
- /{usr/,}lib/@{multiarch}/ld-*.so r,
- /{usr/,}lib/@{multiarch}/libc-*.so mr,
- /dev/null rw, # __daemon(), util.c
- signal receive set=int peer=unconfined,
- signal receive set=term peer=unconfined,
- ###
+profile passt /usr/bin/passt{,.avx2} flags=(attach_disconnected) {
+ ### Common rules for passt and pasta
- ### Alternatively: include <abstractions/nameservice>
+ include <abstractions/base>
+
+ # Alternatively: include <abstractions/nameservice>
@{etc_ro}/resolv.conf r, # get_dns(), conf.c
- ###
- capability sys_admin, # sandbox(), passt.c
- capability setpcap, # drop_caps(), util.c
+ capability net_bind_service, # isolation.c, conf.c
+ capability setuid,
+ capability setgid,
+ capability sys_admin,
+ capability setpcap,
+ capability net_admin,
+ capability sys_ptrace,
- mount "" -> "/", # sandbox(), passt.c
+ / r, # isolate_prefork(), isolation.c
+ mount "" -> "/",
mount "" -> "/tmp/",
pivot_root "/tmp/" -> "/tmp/",
umount "/",
- network netlink raw, # netlink.c
+ network netlink raw, # nl_sock_init_do(), netlink.c
network inet stream, # tcp.c
network inet6 stream,
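Review bot: the block of `capability` lines added at the top of the merged profile (`net_bind_service` through `sys_ptrace`) is annotated only on its first line, while every other rule in this file names the function and source file that needs it (for example `/ r, # isolate_prefork(), isolation.c`); please annotate each, in particular `setuid`, `setgid`, `net_admin` and `sys_ptrace`, which the separate pasta profile attributed to namespace setup and the spawned shell and which the merge now grants to passt(1) as well. In the same hunk the explicit `signal receive set=int` / `set=term peer=unconfined` rules are dropped in favour of `include <abstractions/base>`; that relies on the abstraction shipped with the `abi/3.0` policy granting those signals, so a short comment recording that dependency would help whoever next trims the includes.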
@@ -46,14 +47,42 @@ include <tunables/global>
network unix stream, # tap.c
- network unix dgram, # __openlog(), util.c
+ network unix dgram, # __openlog(), log.c
- ### Alternatively: include <abstractions/user-tmp>
+ # Alternatively: include <abstractions/user-tmp>
owner /tmp/** w, # tap_sock_unix_init(), pcap(),
- # write_pidfile()
- ###
+ # write_pidfile(),
+ # logfile_init()
owner @{HOME}/** w, # pcap(), write_pidfile()
/usr/bin/passt.avx2 ix, # arch_avx2_exec(), arch.c
+
+
+ ### Rules for pasta
+ ###
+ ### TODO: AppArmor doesn't give us the chance to attach a separate profile
+ ### depending on the executable symlink. That's possible with SELinux. Two
+ ### alternatives: implement that in AppArmor, or consider aa_change_hat(2).
+ ### With this, rules for passt(1) could be restricted significantly. Note that
+ ### the attach_disconnected flag is not needed for passt(1).
+
+ @{PROC}/net/tcp r, # procfs_scan_listen(), util.c
+ @{PROC}/net/tcp6 r,
+ @{PROC}/net/udp r,
+ @{PROC}/net/udp6 r,
+
+ @{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c
+
+ @{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(),
+ @{PROC}/[0-9]*/ns/user r, # conf_pasta_ns()
+
+ /dev/net/tun rw, # tap_ns_tun(), tap.c
+
+ owner @{PROC}/@{pid}/gid_map w, # pasta_start_ns(), conf_ugid()
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/uid_map rw,
+
+ owner @{PROC}/sys/net/ipv4/ping_group_range w, # pasta_spawn_cmd(), pasta.c
+ /{usr/,}bin/** Ux,
}
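Review bot: `/{usr/,}bin/** Ux,` at the end of the pasta section replaces the `mrix` rule of the separate pasta profile, so the command or shell that pasta spawns now runs unconfined with a scrubbed environment instead of inheriting this profile; that is a deliberate and significant policy change and deserves the same kind of comment the other rules carry (e.g. `# pasta_spawn_cmd(), pasta.c`) plus a sentence in the commit message. Also, `uid_map` gets `rw` while `gid_map` and `setgroups` get only `w`; if the read is for `conf_ugid()`, say so in the comment so the permission is not tightened later by mistake. Minor: two consecutive blank lines are added before `### Rules for pasta`.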
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
deleted file mode 100644
index 844fcf3..0000000
--- a/contrib/apparmor/usr.bin.pasta
+++ /dev/null
@@ -1,66 +0,0 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# PASTA - Pack A Subtle Tap Abstraction
-# for network namespace/tap device mode
-#
-# contrib/apparmor/usr.bin.pasta - AppArmor profile example/template for pasta
-#
-# Copyright (c) 2022 Red Hat GmbH
-# Author: Stefano Brivio <sbrivio@redhat.com>
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-/usr/bin/pasta flags=(attach_disconnected) {
- include <abstractions/base> # Interactive shell
- include <abstractions/nameservice>
- include <abstractions/consoles>
- include <abstractions/bash>
- owner /proc/**/ns/user r,
- / r,
- capability sys_ptrace, # bash
- capability dac_read_search,
- capability dac_override,
- @{etc_ro}/** r,
- /usr/** r,
- /lib/** r,
- owner @{HOME}/** rw,
- owner /tmp/** rw,
-
- /proc/*/net/tcp r, # procfs_scan_listen(), util.c
- /proc/*/net/tcp6 r,
- /proc/*/net/udp r,
- /proc/*/net/udp6 r,
-
- /dev/net/tun rw, # tap_ns_tun(), tap.c
-
- capability net_admin, # for network namespace only
- capability setpcap, # drop_caps(), util.c
- capability sys_admin, # sandbox(), passt.c
-
- mount "" -> "/", # sandbox(), passt.c
- mount "" -> "/tmp/",
- pivot_root "/tmp/" -> "/tmp/",
- umount "/",
-
- network netlink raw, # netlink.c
-
- network inet stream, # tcp.c
- network inet6 stream,
-
- network inet dgram, # udp.c
- network inet6 dgram,
-
- network unix stream, # tap.c
-
- network unix dgram, # __openlog(), util.c
-
- owner /proc/*/gid_map w, # pasta_setup_ns()
- owner /proc/*/setgroups w,
- owner /proc/*/uid_map w,
- owner /proc/sys/net/ipv4/ping_group_range w,
- /{usr/,}bin/** mrix, # spawning shell
-
- /usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c
-}
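Review bot: the deleted file carried `/usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c` and nothing equivalent appears in the merged profile, whose attachment is `/usr/bin/passt{,.avx2}` and whose only `ix` rule is for `/usr/bin/passt.avx2`; this is only correct if pasta.avx2 is installed as a symlink to passt.avx2 so that AppArmor resolves it the way the commit message describes for pasta itself, which is worth stating in the TODO comment. The dropped `abstractions/consoles`, `abstractions/bash`, `dac_read_search`, `dac_override` and the broad `/usr/** r`, `/lib/** r` rules existed for the interactive shell; with the shell now executing unconfined they are indeed unnecessary, and the commit message should say that this is why they go.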
--
2.35.1