github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit,

Browse Source 
Fix containerd/nerdctl issue 2730
> [Rootless] `nerdctl rm` fails when AppArmor is loaded:
> `error="unknown error after kill: runc did not terminate successfully: exit status 1:
> unable to signal init: permission denied\n: unknown"`

Caused by:
> kernel: audit: type=1400 audit(1713840662.766:122): apparmor="DENIED" operation="signal" class="signal"
> profile="nerdctl-default" pid=366783 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill
> peer="/usr/local/bin/rootlesskit"

The issue is known to happen on Ubuntu 23.10 and 24.04 LTS.
Doesn't seem to happen on Ubuntu 22.04 LTS.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2024-04-23 12:21:22 +09:00
parent 1412a255ec
commit eb5a0c04b4
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
contrib/apparmor/template.go
View File

@ -29,6 +29,8 @@ import (
"path" "path"
"strings" "strings"
"text/template" "text/template"
"github.com/containerd/log"
) )
// NOTE: This code is copied from <github.com/docker/docker/profiles/apparmor>. // NOTE: This code is copied from <github.com/docker/docker/profiles/apparmor>.
@ -57,6 +59,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
signal (receive) peer={{.DaemonProfile}}, signal (receive) peer={{.DaemonProfile}},
# Container processes may send signals amongst themselves. # Container processes may send signals amongst themselves.
signal (send,receive) peer={{.Name}}, signal (send,receive) peer={{.Name}},
{{if .RootlessKit}}
# https://github.com/containerd/nerdctl/issues/2730
signal (receive) peer={{.RootlessKit}},
{{end}}
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/** # deny write to files not in /proc/<number>/** or /proc/sys/**
@ -90,6 +96,7 @@ type data struct {
Imports []string Imports []string
InnerImports []string InnerImports []string
DaemonProfile string DaemonProfile string
RootlessKit string
} }
func cleanProfileName(profile string) string { func cleanProfileName(profile string) string {
@ -125,6 +132,16 @@ func loadData(name string) (*data, error) {
} }
p.DaemonProfile = cleanProfileName(string(currentProfile)) p.DaemonProfile = cleanProfileName(string(currentProfile))
// If we were running in Rootless mode, we could read `/proc/$(cat ${ROOTLESSKIT_STATE_DIR}/child_pid)/exe`,
// but `nerdctl apparmor load` has to be executed as the root.
// So, do not check ${ROOTLESSKIT_STATE_DIR} (nor EUID) here.
p.RootlessKit, err = exec.LookPath("rootlesskit")
if err != nil {
log.L.WithError(err).Debug("apparmor: failed to determine the RootlessKit binary path")
p.RootlessKit = ""
}
log.L.Debugf("apparmor: RootlessKit=%q", p.RootlessKit)
return &p, nil return &p, nil
} }