
Add ptrace readby and tracedby to default AppArmor profile #7714

Merged
fuweid merged 1 commit into containerd:main from hoyosjs:patch-1 on Nov 28, 2022

Conversation

@hoyosjs (Contributor) commented Nov 23, 2022

Fixes #7695. The default profile allows processes within the container to trace others, but blocks reads/traces. This means that diagnostic facilities in processes can't easily collect crash/hang dumps. A usual workflow used by solutions like crashpad and similar projects is that the process that's unresponsive will spawn a process to collect diagnostic data using ptrace. seccomp-bpf, yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms to reduce the scopes in which the API can be used. This enables reading from /proc/* files provided the tracer process passes all other checks.

Signed-off-by: Juan Hoyos <[email protected]>
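The description above lists three independent gates that a ptrace-based dumper has to pass inside a container. The AppArmor side is the one this PR touches, and it is easy to misread: AppArmor checks a ptrace access against both profiles, the tracer needs `trace` (and `read` for `/proc/<pid>/*`) toward the peer label, and the tracee needs `tracedby` (and `readby`) toward the tracer. When every process in the container runs under one profile, a rule that only grants the tracer side leaves the tracee side ungranted, which is why the crashpad-style child-traces-parent workflow fails. The following triage helper is an added example, not containerd code: it parses a profile fragment for the effective ptrace permissions, tests a capability mask for CAP_SYS_PTRACE, models Yama's `ptrace_scope`, and reads the live values from `/proc`. The profile fragments and the name `container-default` are constructed for the example and do not come from the page or from containerd's template; the short access forms `r`, `w`, `rw` are deliberately not parsed.

```python
"""Triage helper for in-container ptrace denials (added example, not containerd code).
Models the gates named in the PR description: the AppArmor ptrace rule,
kernel.yama.ptrace_scope and CAP_SYS_PTRACE. Seccomp filters are not modelled."""
import re

CAP_SYS_PTRACE = 19  # capability bit number from linux/capability.h
ALL_PTRACE_PERMS = frozenset({"trace", "read", "tracedby", "readby"})

# Constructed fragments; "container-default" is a made-up profile name standing
# in for whatever name a runtime's template renders. Not copied from containerd.
PROFILE_BEFORE = """
profile container-default flags=(attach_disconnected,mediate_deleted) {
  # tracer side only: nothing here lets a peer be traced or read
  ptrace (trace,read) peer=container-default,
}
"""
PROFILE_AFTER = """
profile container-default flags=(attach_disconnected,mediate_deleted) {
  ptrace (trace,read,tracedby,readby) peer=container-default,
}
"""

# Handles "ptrace,", "ptrace trace,", "ptrace (trace,read) peer=x," and the
# space-separated "(trace read)" form, each optionally prefixed with "deny".
_PTRACE_RULE = re.compile(
    r"^\s*(?P<deny>deny\s+)?ptrace\b"
    r"(?:\s*\((?P<paren>[^)]*)\)|\s+(?P<single>trace|read|tracedby|readby)\b)?"
    r"(?:\s+peer=(?P<peer>[^,\s]+))?\s*,",
    re.MULTILINE,
)


def ptrace_rule_perms(profile_text):
    """Effective ptrace permissions granted by a profile (deny wins over allow)."""
    allowed, denied = set(), set()
    for m in _PTRACE_RULE.finditer(profile_text):
        if m.group("paren") is not None:
            perms = set(re.split(r"[,\s]+", m.group("paren").strip())) & ALL_PTRACE_PERMS
        elif m.group("single"):
            perms = {m.group("single")}
        else:
            perms = set(ALL_PTRACE_PERMS)  # a bare "ptrace," grants everything
        (denied if m.group("deny") else allowed).update(perms)
    return allowed - denied


def has_cap(cap_mask_hex, cap_bit):
    """True if cap_bit is set in a CapEff/CapPrm hex mask from /proc/<pid>/status."""
    return bool((int(cap_mask_hex, 16) >> cap_bit) & 1)


def ptrace_blockers(perms, yama_scope, capeff_hex, tracer_is_descendant, tracee_set_ptracer):
    """Reasons a PTRACE_ATTACH plus /proc/<pid>/* reads between two processes under
    the same AppArmor profile would be refused; empty list means no modelled layer objects."""
    blockers = []
    # AppArmor checks both ends against the peer label: the tracer needs trace/read,
    # the tracee needs tracedby/readby. One shared profile must therefore carry all four.
    for what, needed in (("attach", {"trace", "tracedby"}), ("/proc/<pid>/* reads", {"read", "readby"})):
        missing = needed - perms
        if missing:
            blockers.append(f"AppArmor: {what} needs ptrace " + ",".join(sorted(missing)))
    cap = has_cap(capeff_hex, CAP_SYS_PTRACE)
    if yama_scope == 3:
        blockers.append("Yama: ptrace_scope=3 forbids attach outright")
    elif yama_scope == 2 and not cap:
        blockers.append("Yama: ptrace_scope=2 requires CAP_SYS_PTRACE in the tracer")
    elif yama_scope == 1 and not (cap or tracer_is_descendant or tracee_set_ptracer):
        blockers.append("Yama: ptrace_scope=1 only allows tracing descendants unless the "
                        "tracee called prctl(PR_SET_PTRACER) or the tracer has CAP_SYS_PTRACE")
    return blockers


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def live_facts():
    """Live inputs from /proc; a value is None where the file is unavailable."""
    scope = _read("/proc/sys/kernel/yama/ptrace_scope")
    status = _read("/proc/self/status") or ""
    capeff = [ln.split()[1] for ln in status.splitlines() if ln.startswith("CapEff:")]
    label = _read("/proc/self/attr/current")
    return {"yama_scope": int(scope) if scope and scope.strip().isdigit() else None,
            "capeff": capeff[0] if capeff else None,
            "apparmor_label": label.strip("\n\x00") if label else None}


if __name__ == "__main__":
    facts = live_facts()
    scope = 1 if facts["yama_scope"] is None else facts["yama_scope"]
    capeff = facts["capeff"] or "0000000000000000"
    print("live:", facts)
    for name, text in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        perms = ptrace_rule_perms(text)
        # crashpad-style layout: the hung process forks the dumper, so the tracer is
        # a child of the tracee and Yama scope 1 needs PR_SET_PTRACER on the tracee
        print(name, sorted(perms), ptrace_blockers(perms, scope, capeff, False, True))
```

Run it inside the container whose dumper is failing: the `before` profile reports missing `tracedby` and `readby` even though the tracer side is fully granted, which is the failure the linked issue describes, while the `after` profile leaves only the Yama and capability gates, which the profile change does not relax. The `0x00000000a80425fb` mask used in the checks below is the bounding set a typical unprivileged container runs with; it does not include bit 19, so a scope-1 host still needs the tracee to call `prctl(PR_SET_PTRACER, ...)`.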
@k8s-ci-robot commented
Hi @hoyosjs. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@hoyosjs (Contributor, Author) commented Nov 23, 2022

There are prior cases like this in projects like Moby, e.g. moby/moby@9e763de

@fuweid fuweid merged commit 4b8002e into containerd:main Nov 28, 2022
@hoyosjs hoyosjs deleted the patch-1 branch November 30, 2022 10:58
@adisky (Contributor) commented Jun 2, 2023

@AkihiroSuda @fuweid can we cherry-pick this PR to 1.6 release?

Development

Successfully merging this pull request may close these issues.

Default AppArmor profile prevents ptrace calls within containers

6 participants