public inbox for passt-dev@passt.top
* [PATCH 0/3] Assorted AppArmor policy fixes for passt and pasta
From: Stefano Brivio @ 2024-04-03 19:04 UTC
  To: passt-dev
  Cc: Jörg Sonnenberger, Danish Prakash, Christian Boltz, Paul Holzinger

Related to:
  https://github.com/containers/buildah/issues/5440
  https://bugzilla.suse.com/show_bug.cgi?id=1221840

Danish Prakash (1):
  apparmor: Fix access to procfs namespace entries in pasta's
    abstraction

Stefano Brivio (2):
  apparmor: Add mount rule with explicit, empty source in passt
    abstraction
  apparmor: Expand scope of @{run}/user access, allow writing PID files
    too

 contrib/apparmor/abstractions/passt | 1 +
 contrib/apparmor/abstractions/pasta | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

-- 
2.43.0



* [PATCH 1/3] apparmor: Add mount rule with explicit, empty source in passt abstraction
From: Stefano Brivio @ 2024-04-03 19:04 UTC
  To: passt-dev
  Cc: Jörg Sonnenberger, Danish Prakash, Christian Boltz, Paul Holzinger

For the policy to work as expected across either AppArmor commit
9d3f8c6cc05d ("parser: fix parsing of source as mount point for
propagation type flags") and commit 300889c3a4b7 ("parser: fix option
flag processing for single conditional rules"), we need one mount
rule with matching mount options as "source" (that is, without
source), and one without mount options and an explicit, empty source.

Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/apparmor/abstractions/passt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 6bb25e0..61ec32c 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -27,6 +27,7 @@
 
   /					r,	# isolate_prefork(), isolation.c
   mount options=(rw, runbindable) /,
+  mount		""	-> "/",
   mount		""	-> "/tmp/",
   pivot_root	"/tmp/" -> "/tmp/",
   umount	"/",
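Review bot: the added `mount "" -> "/",` has no `options=` qualifier, so it is not a narrower restatement of the `mount options=(rw, runbindable) /,` line directly above it; it allows a mount with an empty source onto `/` without the rw,runbindable constraint, the same way the existing `mount "" -> "/tmp/",` does for `/tmp/`. The reason both forms have to coexist (parsing differences across AppArmor commits 9d3f8c6cc05d and 300889c3a4b7) lives only in this commit message, so a later tidy-up of the abstraction could plausibly drop one of the pair as redundant. Suggest carrying the rationale into the file as a trailing comment in the style the file already uses (`# isolate_prefork(), isolation.c`), for example `mount "" -> "/", # parser workaround, see 9d3f8c6cc05d`.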
-- 
2.43.0



* [PATCH 2/3] apparmor: Expand scope of @{run}/user access, allow writing PID files too
From: Stefano Brivio @ 2024-04-03 19:04 UTC
  To: passt-dev
  Cc: Jörg Sonnenberger, Danish Prakash, Christian Boltz, Paul Holzinger

With Podman's custom networks, pasta will typically need to open the
target network namespace at /run/user/<UID>/containers/networks:
grant access to anything under /run/user/<UID> instead of limiting it
to some subpath.

Note that in this case, Podman will need pasta to write out a PID
file, so we need write access, for similar locations, too.

Reported-by: Jörg Sonnenberger <joerg@bec.de>
Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/apparmor/abstractions/pasta | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index a890391..060caab 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -27,7 +27,7 @@
   @{PROC}/@{pid}/net/udp		r,
   @{PROC}/@{pid}/net/udp6		r,
 
-  @{run}/user/@{uid}/netns/*		r,	# pasta_open_ns(), pasta.c
+  @{run}/user/@{uid}/**			rw,	# pasta_open_ns(), main()
 
   @{PROC}/[0-9]*/ns/net			r,	# pasta_wait_for_ns(),
   @{PROC}/[0-9]*/ns/user		r,	# conf_pasta_ns()
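Review bot: the replacement widens the rule on two axes at once, from `netns/*` to `**` (everything under the user's runtime directory, recursively) and from `r` to `rw`, while the commit message names only two concrete needs: reading the namespace under `/run/user/<UID>/containers/networks` and writing a PID file. If the PID file location Podman passes is predictable, two narrower rules (read on `@{run}/user/@{uid}/containers/networks/**` and write on the PID file path) would avoid letting a confined pasta modify unrelated files in the user's runtime directory; if the paths are caller-controlled and can't be pinned down, a comment next to the rule saying so would document why the broad form was chosen. Separately, the trailing comment changed from `# pasta_open_ns(), pasta.c` to `# pasta_open_ns(), main()`, dropping the file reference that the other comments in this file carry (`# arch_avx2_exec(), arch.c`); keeping a file name alongside `main()` would preserve the convention.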
-- 
2.43.0



* [PATCH 3/3] apparmor: Fix access to procfs namespace entries in pasta's abstraction
From: Stefano Brivio @ 2024-04-03 19:04 UTC
  To: passt-dev
  Cc: Jörg Sonnenberger, Danish Prakash, Christian Boltz, Paul Holzinger

From: Danish Prakash <danish.prakash@suse.com>

From an original patch by Danish Prakash.

With commit ff22a78d7b52 ("pasta: Don't try to watch namespaces in
procfs with inotify, use timer instead"), if a filesystem-bound
target namespace is passed on the command line, we'll grab a handle
on its parent directory. That commit, however, didn't introduce a
matching AppArmor rule. Add it here.

To access a network namespace procfs entry, we also need a 'ptrace'
rule. See commit 594dce66d3bb ("isolation: keep CAP_SYS_PTRACE when
required") for details as to when we need this -- essentially, it's
about operation with Buildah.

Reported-by: Jörg Sonnenberger <joerg@bec.de>
Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Fixes: ff22a78d7b52 ("pasta: Don't try to watch namespaces in procfs with inotify, use timer instead")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/apparmor/abstractions/pasta | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index 060caab..581ad1b 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -29,6 +29,7 @@
 
   @{run}/user/@{uid}/**			rw,	# pasta_open_ns(), main()
 
+  @{PROC}/[0-9]*/ns/			r,	# pasta_netns_quit_init(),
   @{PROC}/[0-9]*/ns/net			r,	# pasta_wait_for_ns(),
   @{PROC}/[0-9]*/ns/user		r,	# conf_pasta_ns()
 
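Review bot: the new `@{PROC}/[0-9]*/ns/ r,` rule covers only the procfs parent directory, but the commit message motivates it with the case where "a filesystem-bound target namespace is passed on the command line", whose parent directory is generally not under `/proc`. For namespaces bound under the user's runtime directory the `@{run}/user/@{uid}/** rw,` context line above already grants that access, but a namespace bound anywhere else would still have an unreadable parent directory. Worth stating in the commit message which of the two cases this hunk is meant to fix, and adding a matching rule for the other location if that path is known.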
@@ -42,3 +43,5 @@
   /{usr/,}bin/**			Ux,
 
   /usr/bin/pasta.avx2			ix,	# arch_avx2_exec(), arch.c
+
+  ptrace				r,	# pasta_open_ns()
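Review bot: `ptrace r,` carries no `peer=` qualifier, so it grants the read-class ptrace permission towards any peer rather than only the process whose `/proc/<pid>/ns/net` entry pasta needs to open. In the Buildah scenario the commit message points to, the peer may not be confineable to a single profile, but that decision deserves a comment in the file: `# pasta_open_ns()` alone does not tell a reader why a ptrace rule appears in a network tool's policy. Suggest something like `ptrace r, # pasta_open_ns(): PTRACE_MODE_READ check on /proc/<pid>/ns/` and, if a peer profile can be named in the Podman/Buildah setup, narrowing the rule with `peer=`.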
-- 
2.43.0



Code repositories for project(s) associated with this public inbox

	https://passt.top/passt
