Apparmor unprivileged restrictions disable #327
Conversation
Signed-off-by: Simon Deziel <[email protected]>
Signed-off-by: Simon Deziel <[email protected]>
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
This was tested in a local 24.04 VM like this: So the keys have their default values before starting LXD's daemon. So LXD noticed that And LXD behaves fine: And now to prevent LXD from disabling the Apparmor restriction: |
|
I forgot to test setting the config key to the non-default value. Update: |
Signed-off-by: Simon Deziel <[email protected]>
Signed-off-by: Simon Deziel <[email protected]>
…le cat Signed-off-by: Simon Deziel <[email protected]>
…sable in config Signed-off-by: Simon Deziel <[email protected]>
…ions_disable config before disabling related sysctl Signed-off-by: Simon Deziel <[email protected]>
|
@tomponline this time, setting the (new) key to its non-default value ( |
| @@ -45,11 +45,11 @@ description: |- | |||
| - lxcfs.loadavg: Start tracking per-container load average [default=false] | |||
| - lxcfs.cfs: Consider CPU shares for CPU usage [default=false] | |||
| - lxcfs.debug: Increase logging to debug level [default=false] | |||
| - minio.path: Path to the minio binary to use with LXD [default=""] | |||
There was a problem hiding this comment.
@masnax in a separate PR please can you update description of this setting to make it clear its the path to the directory containing the minio and mc commands thanks
simondeziel
force-pushed
the
apparmor-unprivileged-restrictions-disable
branch
from
e84c668 to
170c835
Compare
At the distro level, Ubuntu 24.04 LTS should ship with additional restrictions preventing unconfined processes from creating userns by default.
The long term goal is for LXD to play nice with those additional restrictions but since a lots of moving parts are involved (kernel, kernel config, apparmor parser, core24 snap, snapd and LXD itself) and not fully ready yet, we decided on disabling those restrictions globally by default in the short term. This decision also took into consideration that LXD needs to work across many distros and versions (Debian w/ Apparmor, old Ubuntu version, old Ubuntu version with HWE kernel, etc).
This PR thus introduce a new
snap configkey (apparmor.unprivileged-restrictions-disable) that in its default value (true) causes LXD to setkernel.apparmor_restrict_unprivileged_userns=0andkernel.apparmor_restrict_unprivileged_unconfined=0thus disabling the new restrictions.For additional information on those new restrictions, see https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces and https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626.
This PR reintroduced bits of #175.