[PATCH 00/58] LSM: Module stacking for AppArmor

John Johansen john.johansen at canonical.com
Wed Jun 5 21:43:29 UTC 2019


On 6/5/19 1:53 PM, James Morris wrote:
> On Tue, 4 Jun 2019, John Johansen wrote:
> 
>> Yes, on Ubuntu & suse you can launch lxd system containers with the
>> container having a system policy bounding the container, and the container
>> having its own apparmor policy namespace. So it loads and has its own
>> policy that is enforced.
>>
>> This allows for us to run older versions of ubuntu (say 16.04) on an
>> 18.04 host, and have the 16.04 policy behave just as if it was the host.
> 
> How well does the LSM stacking scale to 100s or more containers?
> 

Actually really well.

The cost isn't really based on how many containers but how many LSMs
are registered and how nested we are.

How we are currently handling it is apparmor is registered once, and
it is responsible for looping on its bounding. So for tasks that are
not in the container there is no additional cost.

For tasks in the first container, there is an extra cost of enforcing
the extra layer of apparmor policy loaded in the container. If you do
container in container there are two extra levels of apparmor policy.

This does rely on apparmor doing its own namespacing and bounding. LSM
stacking just allows us to start doing this with apparmor containers
on smack and selinux based systems.


>> This approach won't be an option for the 19.10 release and we will be
>> needing the full patchset. I should be able to provide some benchmark
>> and testing data soon.
> 
> Great.
> 
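The scaling argument above (cost follows nesting depth and the number of registered LSMs, not the number of containers) as an added toy model; this is illustrative code written for this page, not AppArmor or kernel code. It assumes a namespace tree where each container namespace is bounded by one profile in its parent (the `lxc-container-default` name and the paths are constructed sample values).

```python
# Added model of AppArmor policy namespaces with bounding (not kernel code).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PolicyNamespace:
    """One policy namespace; the host is the root (parent None). bound_by
    names the profile in the parent namespace that confines the container."""
    name: str
    parent: Optional["PolicyNamespace"] = None
    bound_by: Optional[str] = None
    # profile name -> set of permitted paths (toy stand-in for real rules)
    profiles: dict = field(default_factory=dict)


@dataclass
class Task:
    ns: PolicyNamespace   # innermost namespace the task is confined in
    profile: str          # its profile within that namespace


def mediate(task, path):
    """Walk from the task's namespace up to the host, checking the profile
    that applies at each layer; outer layers bound inner ones, so every
    layer must allow the access. Returns (allowed, layers_checked)."""
    ns, profile, checks = task.ns, task.profile, 0
    while ns is not None:
        checks += 1
        if path not in ns.profiles.get(profile, set()):
            return False, checks
        ns, profile = ns.parent, ns.bound_by
    return True, checks


def build_system(n_containers):
    """Constructed sample: a host running n_containers system containers,
    with one further container nested inside the first."""
    host = PolicyNamespace("root", profiles={
        "sshd": {"/etc/shadow"},
        "lxc-container-default": {"/srv/app"},   # bounds every container
    })
    containers = [PolicyNamespace(f"c{i}", host, "lxc-container-default",
                                  {"app": {"/srv/app", "/etc/shadow"}})
                  for i in range(n_containers)]
    nested = PolicyNamespace("c0-inner", containers[0], "app",
                             {"app": {"/srv/app"}})
    return host, containers, nested
```

A host task pays one check, a task in any of the containers pays two and a task in the nested container pays three, whether one or five hundred containers are running; a path the container profile allows but the bounding profile does not is denied at the outer layer.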