
I've searched through AppArmor's wiki as well as tried Internet searches for "apparmor mount namespace" (or similar). However, I always draw a blank as to how AppArmor deals with them, which is especially odd considering that OCI containers could not exist without mount namespaces. Does AppArmor take mount namespaces into any account at all, or does it simply check for the filename passed to some syscall?

If a process inside a container switches mount namespaces, does AppArmor take notice at all, or is it simply mount namespace-agnostic in that it doesn't care? For instance, if a container process switches into the initial mount namespace, can I write AppArmor MAC rules to prevent such a process from accessing sensitive host files, while the same files inside its own container are allowed for access?

TheDiveO

2 Answers


can I write AppArmor MAC rules to prevent such a process from accessing sensitive host files.

Just don't give the container access to sensitive parts of the host filesystem. That means don't mount them into the container. It is out of AppArmor's scope to take care of that if you do.

rkosegi
  • The answer to my question then is "No, AppArmor doesn't take mount namespaces into consideration", correct? My question is not about mounting things into the container, but instead a container process switching mount namespaces (of course subject to capabilities) and whether AppArmor can handle such situations, for whichever reasons they should arise, such as attacks. If we can ensure at any time a container doesn't get access to sensitive parts then why would I need AppArmor (or other MACs) at all? – TheDiveO Feb 21 '21 at 16:41

I would say that AppArmor is partially Linux kernel mount namespace aware. I think the attach_disconnected flag in AppArmor is an indication that AppArmor knows if you are in the main OS mount namespace or a separate mount namespace.

The attach_disconnected flag is briefly described at this link (despite the warning at the top of the page claiming to be a draft): https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference

The following reference, from an Ubuntu AppArmor discussion, provides useful and related information although not directly answering your question. https://lists.ubuntu.com/archives/apparmor/2018-July/011722.html

The following references, from a USENIX presentation, provide a proposal to add security namespaces to the Linux kernel for use by frameworks such as AppArmor. This does not directly show how / if AppArmor currently uses kernel mount namespaces for decision making, but it's related enough to be of interest. https://www.usenix.org/sites/default/files/conference/protected-files/security18_slides_sun.pdf https://www.usenix.org/conference/usenixsecurity18/presentation/sun

I don't know if my response here is complete enough to be considered a full answer to your questions, however I don't have enough reputation points to put this into a comment. I also found it difficult to know when the AppArmor documentation meant "apparmor policy namespace" vs "linux kernel mount namespace", when the word "namespace" was specified alone.

DericS
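An added illustrative profile, not from either answer or from the AppArmor project, that puts the two knobs this thread touches side by side: the attach_disconnected flag from the second answer, and denying the mount/pivot_root primitives and CAP_SYS_ADMIN so the confined task cannot change mount namespace in the first place, which is the practical form of the first answer's advice. It assumes a hypothetical workload binary /usr/bin/example-app and the flag semantics described in the linked Core Policy Reference (paths that cannot be resolved from the profile's namespace root are "disconnected", and the flag lets them be attached to that root for rule matching).

```apparmor
# Constructed example profile; /usr/bin/example-app and /var/lib/app are assumed.
#include <tunables/global>

profile example-container flags=(attach_disconnected) {
  #include <abstractions/base>

  # What the workload needs inside its own root filesystem.
  /usr/bin/example-app mr,
  /var/lib/app/** rw,

  # Path rules match the name as resolved from the task's namespace root,
  # so a rule cannot tell the host's /etc/shadow from the container's copy
  # by name alone. Deny and log the sensitive names in every namespace
  # the task might end up in.
  audit deny /etc/shadow r,
  audit deny /etc/gshadow r,
  audit deny /root/** rw,
  audit deny /proc/sys/kernel/** w,

  # Refuse the primitives needed to switch or rebuild a mount namespace,
  # so the namespace-escape case the question describes is blocked
  # before any path rule has to decide.
  deny mount,
  deny umount,
  deny pivot_root,
  deny capability sys_admin,
}
```

Load it with apparmor_parser -r and read the kernel audit log for the audit deny hits to confirm which names the task actually touched.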