compat: skip AppArmor profile assignment when service runs inside a container#29056
Conversation
Signed-off-by: Mohataseem Khan <mohataseem89@gmail.com>
Luap99
left a comment
There was a problem hiding this comment.
That is just not a valid option from a security POV, we cannot just ignore existing profiles, either the profile works or it does not. If this needs additional policy change to work fine, but we cannot just say unconfined and ignore this without the caller knowing that they are not protected by it.
This also does not explain at all why this would only be specific to the compat API. There is not special handing for apparmor with the API here
also please note https://github.com/podman-container-tools/podman/blob/main/LLM_POLICY.md
And at minimum details also must be part of the commit message not just a PR description.
And it would help if you follow our PR template instead of this AI format.
|
Closing this @Luap99 is right that silently setting unconfined is a bad security tradeoff.ig the podman-container-tools/container-libs/pull/942 fix (adding change_profile to the profile template) is the right approach. Will focus there instead |
Problem
On kernel 6.17, starting a container via the Docker-compat API
(
docker compose/dockerCLI pointed at the podman socket) frominside a systemd/Quadlet-launched container fails with:
The container is created but stuck in
Createdstate. Nativepodman runon the host works fine.podman --remotealso works.Only the compat API path from inside a confined systemd/Quadlet
container fails.
Root cause: when no
apparmor=SecurityOpt is sent by the Dockerclient, the compat path falls through to the
containers-default-*profile from
containers.conf. On kernel 6.17, crun's write to/proc/thread-self/attr/apparmor/execis blocked by the outercontainer's AppArmor policy, which does not permit
change_profile.Fix
When
/run/.containerenvis present (podman sets this inside everycontainer) and the client sent no explicit
apparmor=SecurityOpt,inject
apparmor=unconfinedso crun skips the profile-assignmentwrite entirely.
Users who need a specific AppArmor profile can still pass
--security-opt apparmor=<profile>explicitly.The proper upstream fix (adding
change_profile -> **,to thecontainers-defaultprofile template) is in containers/common:containers/common#2548
containers/common/pull/2548
References
apparmor: allow change_profile for nested container runtimes containers/common#2548
apparmor: allow change_profile for nested container runtimes container-libs#942