apparmor: permit signals from unconfined programs #41337
Merged: justincormack merged 1 commit into moby:master, Sep 11, 2020
Conversation
Otherwise if you try to kill a container process from the host directly, you get EACCES. Also add a comment to make sure that the profile code (which has been replicated by several projects) doesn't get out of sync.

Signed-off-by: Aleksa Sarai <[email protected]>
thaJeztah reviewed Aug 11, 2020
| // change to this profile, please make follow-up PRs to those projects so | ||
| // that these rules can be synchronised (because any issue with this | ||
| // profile will likely affect libpod and containerd). | ||
| // TODO: Move this to a common project so we can maintain it in one spot. |
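Review bot: the TODO at the end of this comment has no tracking issue, so nothing ties the "move this to a common project" intent to anything a contributor can find later; link an issue (the review below already suggests opening one) or name the shared package the comment envisions, and list in the comment which projects (libpod, containerd) carry copies so the "please make follow-up PRs" request is actionable.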
Member:
Is it (in its current form) generic enough to be re-used, or are other changes needed?
Perhaps it would be good to open a ticket for this for further discussion.
Author (Contributor):
I'm about to submit a patch to containerd which is missing these changes (in fact it's missing all of the signal changes from 2018!) and I will propose it there.
Member:
The package itself has received few updates, so from that perspective I don't think it'd be a problem to move it separately (we moved out some other packages, such as https://github.com/moby/sys, for easier reusability).
justincormack approved these changes Sep 11, 2020
cyphar added a commit to cyphar/containerd that referenced this pull request, Jan 29, 2021:

On newer kernels and systems, AppArmor will block sending signals in many scenarios by default, resulting in strange behaviours (container programs cannot signal each other, or host processes like containerd cannot signal containers).

The reason this happens only on some distributions (and is not a kernel regression) is that the kernel doesn't enforce signal mediation unless the profile contains signal rules. However, because our profiles #include the distribution-managed <abstractions/base>, some distributions added signal rules -- which results in AppArmor enforcing signal mediation and thus a regression. On these systems, containers cannot send and receive signals at all -- meaning they cannot signal each other and the container runtime cannot kill them either.

This issue was fixed in Docker in 2018[1] but this code was copied before then and thus the patches weren't carried. It also contains a new fix for a more esoteric case[2].

Ideally this code should live in a project like "containerd/apparmor" so that Docker, libpod, and containerd can share it, but that's probably something to do separately.

In addition, the copyright header is updated to reference that the code is copied from Docker (and thus was not written entirely by the containerd authors).

[1]: moby/moby#37831
[2]: moby/moby#41337

Signed-off-by: Aleksa Sarai <[email protected]>
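The mechanism that both the PR description (a host-side `kill` of a container process fails with EACCES) and the commit message above turn on is: a profile with no signal rules is not signal-mediated by the kernel at all, but as soon as any signal rule lands in the final profile, including one pulled in from the distribution's `<abstractions/base>`, every signal needs an explicit allow, so a profile that never spelled out its peers silently starts denying the host and the container's own processes. The following is an added example, not moby's or containerd's code: a small offline linter in Go, the project's language, that renders a cut-down template in the style of moby's AppArmor profile, inlines a constructed stand-in for a distro base abstraction, and reports which of the grants a container needs (receive from `unconfined`, send/receive among processes under its own label) are missing. The template, `distroBaseFragment`, and the required-peer list are assumptions made for the example; the parser only understands the parenthesised `signal (perms) peer=label,` rule form. One caveat to keep in mind: profiles that pin a policy ABI with an `abi` rule do not get the "no rules, no mediation" grace period, so the safe posture is to always spell the signal rules out.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Assumed, cut-down template in the style of moby's profiles/apparmor (not the
// project's own): it includes the distro-managed base abstraction and emits
// signal rules only when asked to.
const profileTemplate = `profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  file,
{{if .SignalRules}}
  signal (receive) peer=unconfined,
  signal (send,receive) peer={{.Name}},
{{end}}
}
`

// renderProfile fills the template the way a daemon would.
func renderProfile(name string, signalRules bool) string {
	var buf bytes.Buffer
	tmpl := template.Must(template.New("apparmor").Parse(profileTemplate))
	if err := tmpl.Execute(&buf, map[string]interface{}{"Name": name, "SignalRules": signalRules}); err != nil {
		panic(err) // fixed template and data: cannot fail
	}
	return buf.String()
}

// distroBaseFragment is a constructed stand-in for a distribution's
// <abstractions/base> that carries a signal rule; per the commit message,
// one such rule is what flips the kernel into mediating signals.
const distroBaseFragment = `  # constructed: distro-added rule that turns signal mediation on
  signal (send,receive) peer=@{profile_name},`

// expandBase inlines the base abstraction, as apparmor_parser would at load time.
func expandBase(profile, fragment string) string {
	return strings.Replace(profile, "  #include <abstractions/base>", fragment, 1)
}

// signalRule is one parsed "signal (perms) peer=label," line.
type signalRule struct {
	Perms []string // empty: every signal permission
	Peer  string   // empty: any peer
}

// Only the parenthesised rule form is handled, not "signal send peer=x,".
var signalRe = regexp.MustCompile(`^\s*signal\s*(?:\(([^)]*)\))?\s*(?:peer=([^,\s]+))?\s*,`)

// parseSignalRules extracts signal rules, resolving @{profile_name} to name.
func parseSignalRules(profile, name string) []signalRule {
	var rules []signalRule
	for _, line := range strings.Split(profile, "\n") {
		m := signalRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		var perms []string
		for _, p := range strings.Split(m[1], ",") {
			if p = strings.TrimSpace(p); p != "" {
				perms = append(perms, p)
			}
		}
		rules = append(rules, signalRule{Perms: perms, Peer: strings.ReplaceAll(m[2], "@{profile_name}", name)})
	}
	return rules
}

// grants reports whether some rule allows perm with the given peer.
func grants(rules []signalRule, peer, perm string) bool {
	for _, r := range rules {
		peerOK := r.Peer == "" || r.Peer == peer
		permOK := len(r.Perms) == 0 || strings.Contains(","+strings.Join(r.Perms, ",")+",", ","+perm+",")
		if peerOK && permOK {
			return true
		}
	}
	return false
}

// missingSignalGrants lists "peer:perm" pairs the profile needs but lacks. With
// no signal rules at all it returns nil: the kernel does not mediate signals
// for such a profile, which is why the breakage only appears once a distro's
// base abstraction adds a rule.
func missingSignalGrants(profile, name string) []string {
	rules := parseSignalRules(profile, name)
	if len(rules) == 0 {
		return nil
	}
	var missing []string
	for _, w := range [][2]string{{"unconfined", "receive"}, {name, "send"}, {name, "receive"}} {
		if !grants(rules, w[0], w[1]) {
			missing = append(missing, w[0]+":"+w[1])
		}
	}
	return missing
}

func main() {
	const name = "docker-default"
	for _, withRules := range []bool{false, true} {
		p := expandBase(renderProfile(name, withRules), distroBaseFragment)
		fmt.Printf("template has signal rules: %v, missing grants: %v\n", withRules, missingSignalGrants(p, name))
	}
}
```

`go run` prints the two cases; the interesting one is the first, where the template has no signal rules of its own, the base fragment supplies one, and `unconfined:receive` comes back missing: that is the state in which `kill` from the host returns EACCES while the same template without the distro rule reports nothing wrong.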
This was referenced Jan 29, 2021
brandond pushed a commit to brandond/containerd that referenced this pull request, Jan 29, 2021:

On newer kernels and systems, AppArmor will block sending signals in many scenarios by default, resulting in strange behaviours (container programs cannot signal each other, or host processes like containerd cannot signal containers).

The reason this happens only on some distributions (and is not a kernel regression) is that the kernel doesn't enforce signal mediation unless the profile contains signal rules. However, because our profiles #include the distribution-managed <abstractions/base>, some distributions added signal rules -- which results in AppArmor enforcing signal mediation and thus a regression. On these systems, containers cannot send and receive signals at all -- meaning they cannot signal each other and the container runtime cannot kill them either.

This issue was fixed in Docker in 2018[1] but this code was copied before then and thus the patches weren't carried. It also contains a new fix for a more esoteric case[2].

Ideally this code should live in a project like "containerd/apparmor" so that Docker, libpod, and containerd can share it, but that's probably something to do separately.

In addition, the copyright header is updated to reference that the code is copied from Docker (and thus was not written entirely by the containerd authors).

[1]: moby/moby#37831
[2]: moby/moby#41337

Signed-off-by: Aleksa Sarai <[email protected]>
(cherry picked from commit d8572b6)
Signed-off-by: Brad Davidson <[email protected]>
brandond pushed a commit to brandond/containerd that referenced this pull request, Jan 29, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
dweomer pushed a commit to k3s-io/containerd that referenced this pull request, Mar 16, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
brandond pushed a commit to brandond/containerd that referenced this pull request, Mar 30, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
brandond pushed a commit to k3s-io/containerd that referenced this pull request, Mar 30, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
brandond pushed a commit to brandond/containerd that referenced this pull request, Jul 19, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
brandond pushed a commit to brandond/containerd that referenced this pull request, Jul 20, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
brandond pushed a commit to brandond/containerd that referenced this pull request, Aug 13, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
brandond pushed a commit to k3s-io/containerd that referenced this pull request, Oct 4, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).
brandond pushed a commit to brandond/containerd that referenced this pull request, Nov 18, 2021 (same commit message as above; cherry picked from commit d8572b6, Signed-off-by: Brad Davidson).