[PATCH 00/58] LSM: Module stacking for AppArmor

John Johansen john.johansen at canonical.com
Wed Jun 5 05:03:56 UTC 2019 

On 6/4/19 8:08 PM, James Morris wrote:
> On Tue, 4 Jun 2019, John Johansen wrote:
> 
>> system as a whole is still being protected by selinux. Similar requests 
>> have been made for lxd doing system containers. lxd currently supports 
>> nested apparmor, so on an ubuntu system you can run suse container, 
>> where the ubuntu host is enforcing policy and the suse container is 
>> loading and enforcing its policy as well. In this case the policy of the 
>> container is bounded by the policy of the host. The goal is to be able 
>> to the same with selinux and smack based systems, LSM stacking is of 
>> course only part of what is required to make this work.
> 
> Interesting. So you're stacking apparmor with itself, and one is the 
> container instance? And you add another stacked apparmor for a 2nd 
> container etc. ?

Yes, on Ubuntu & suse you can lauch lxd system containers with the
container having a system policy bounding the container, and the container
having its own apparmor policy namespace. So it loads and has its own
policy that is enforced.

This allows for us to run older versions of ubuntu (say 16.04) on an
18.04 host, and have the 16.04 policy behave just as if it was the host.

> 
>> Ubuntu actually has a very small apparmor delta these days, and we are 
>> working on eliminating it entirely. There are no patches in Ubuntu that 
>> require new hooks. As for the delta wrt to the stacking work, Ubuntu has 
>> pulled in a subset of this delta and has been shipping kernels with 
>> stacking enabled for 4 releases now and apparmor development is done 
>> with LSM stacking in mind.
> 
> A subset of these patches from Casey?
> 

Yes, we have been testing the and using Casey's patches. The set has
changed from release to release, and we don't usually take all of them.
As we are trying to find the right balance.

For 19.04 we did test the full stack and the decision was to hold off
and give it more testing. The big concern was around the secid changes
which needed more review and testing before we could commit to them.
Instead we cherry-picked the stacking patches from 5.2 and a subset of
the set under review, and reverted the upstream apparmor changes that
require secids.

This approach won't be an option for the 19.10 release and we will be
needing the full patchset. I should be able to provide some benchmark
and testing data soon.

More information about the Linux-security-module-archive mailing list