How does AppArmor handle Linux-kernel mount namespaces?

0
votes

I've searched through wiki of AppArmor's wiki as well as tried Internet searches for "apparmor mount namespace" (or similar). However, I always draw a blank as how AppArmor deals with them, which is especially odd considering that OCI containers could not exist without mount namespaces. Does AppArmor take mount namespaces into any account at all, or does it simply check for the filename passed to some syscall?

If a process inside a container switches mount namespaces does AppArmor take notice at all, or is it simply mount namespace-agnostic in that it doesn't care? For instance, if a container process switches into the initial mount namespace, can I write AppArmor MAC rules to prevent such a process from accessing senstive host files, while the same files inside its own container are allowed for access?

2
linuxlinux-namespacesapparmor
So what is your actual problem? - rkosegi
my problem is to understand or know if the AppArmor architecture takes the Linux mount namespace into account or not? - TheDiveO

2 Answers

0
votes

can I write AppArmor MAC rules to prevent such a process from accessing senstive host files.

Just don't give container access to sensitive host filesystem part. That means don't mount them into container. This is out of scope of AppArmor to take care of if you do.

0
votes

I would say that AppArmor is partially linux kernel mount namespace aware. I think the attach_disconnected flag in apparmor is an indication that apparmor knows if you are in the main OS mount namespace or a separate mount namespace.

The attach_disconnected flag is briefly described at this link (despite the warning at the top of the page claiming to be a draft): https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference

The following reference, from a ubuntu apparmor discussion, provides useful and related information although not directly answering your question. https://lists.ubuntu.com/archives/apparmor/2018-July/011722.html

The following references, from a usenix presentation, provides a proposal to add security namespaces to the Linux kernel for use by frameworks such as apparmor. This does not directly show how / if apparmor currently uses kernel mount namespaces for decision making, but it's related enough to be of interest. https://www.usenix.org/sites/default/files/conference/protected-files/security18_slides_sun.pdf https://www.usenix.org/conference/usenixsecurity18/presentation/sun

I don't know if my response here is complete enough to be considered a full answer to your questions, however I don't have enough reputation points to put this into a comment. I also found it difficult to know when the AppArmor documentation meant "apparmor policy namespace" vs "linux kernel mount namespace", when the word "namespace" was specified alone.