Merge pull request containerd#159 from mikebrow/apparmor-feature

Adds support for AppArmor

Author: Random-Liu

.travis.yml

@@ -14,6 +14,7 @@ install:
     - sudo apt-get install btrfs-tools
     - sudo apt-get install libseccomp2/trusty-backports
     - sudo apt-get install libseccomp-dev/trusty-backports
+    - sudo apt-get install libapparmor-dev
     - sudo apt-get install socat
     - docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
 

Makefile

@@ -42,7 +42,7 @@ help:
 	@echo " * 'clean'          - Clean artifacts"
 	@echo " * 'verify'         - Execute the source code verification tools"
 	@echo " * 'install.tools'  - Install tools used by verify"
-	@echo " * 'install.deps'   - Install dependencies of cri-containerd (containerd, runc, cni)"
+	@echo " * 'install.deps'   - Install dependencies of cri-containerd (containerd, runc, cni) Note: BUILDTAGS defaults to 'seccomp apparmor' for runc build"
 	@echo " * 'uninstall'      - Remove installed binaries from system locations"
 	@echo " * 'version'        - Print current cri-containerd release version"
 

README.md

@@ -26,9 +26,12 @@ will also do our best to update `cri-containerd` to the latest releases of these
 specifications as appropriate.
 ### Install Dependencies
 1. Install runc dependencies.
-* runc requires installation of the libsecomp development library appropriate for your distribution. `libseccomp-dev` (Ubuntu, Debian) / `libseccomp-devel` (Fedora, CentOS, RHEL). On releases of Ubuntu <=Trusty and Debian <=jessie a backport version of
-`libsecomp-dev` is required. See [travis.yml](.travis.yml) for an example on
-trusty.
+* runc requires installation of the libsecomp development library appropriate
+for your distribution. `libseccomp-dev` (Ubuntu, Debian) / `libseccomp-devel`
+(Fedora, CentOS, RHEL). On releases of Ubuntu <=Trusty and Debian <=jessie a
+backport version of `libsecomp-dev` is required. See [travis.yml](.travis.yml)
+for an example on trusty. To use apparmor on Debian, Ubuntu, and related
+distributions runc requires the installation of `libapparmor-dev`.
 2. Install containerd dependencies.
 * containerd requires installation of a btrfs development library. `btrfs-tools`(Ubuntu, Debian) / `btrfs-progs-devel`(Fedora, CentOS, RHEL)
 3. Install other dependencies:

hack/install-deps.sh

@@ -41,7 +41,8 @@ go get -d ${RUNC_PKG}/...
 cd ${GOPATH}/src/${RUNC_PKG}
 git fetch --all
 git checkout ${RUNC_VERSION}
-make
+BUILDTAGS=${BUILDTAGS:-seccomp apparmor}
+make BUILDTAGS="$BUILDTAGS"
 sudo make install
 which runc
 

hack/test-e2e-node.sh

@@ -20,7 +20,6 @@ source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
 
 DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
 DEFAULT_SKIP+="|querying\s\/stats\/summary"
-DEFAULT_SKIP+="|AppArmor"
 DEFAULT_SKIP+="|pull\sfrom\sprivate\sregistry\swith\ssecret"
 
 # FOCUS focuses the test to run.

hack/versions

@@ -1,5 +1,5 @@
 RUNC_VERSION=e775f0fba3ea329b8b766451c892c41a3d49594d
 CNI_VERSION=v0.6.0
-CONTAINERD_VERSION=f05281743e5ac9ad11c6e19a72be7a903eab79f5
+CONTAINERD_VERSION=c1c2aafffec89aefaff2ba80b81be2277b2903dd
 CRITEST_VERSION=d452f7fe9ef7ccc5ec63a8306cf838510cb83441
-KUBERNETES_VERSION=493ee8b28560c118cebd2165ba9ef0959cfa2bc3
+KUBERNETES_VERSION=aa9417ce910a7f508c9e8575263c2b280343a704

pkg/server/container_create.go

@@ -22,6 +22,7 @@ import (
 	"time"
 
 	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/contrib/apparmor"
 	"github.com/golang/glog"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/runc/libcontainer/devices"
@@ -37,6 +38,17 @@ import (
 	"github.com/kubernetes-incubator/cri-containerd/pkg/util"
 )
 
+const (
+	// profileNamePrefix is the prefix for loading profiles on a localhost. Eg. AppArmor localhost/profileName.
+	profileNamePrefix = "localhost/" // TODO (mikebrow): get localhost/ & runtime/default from CRI kubernetes/kubernetes#51747
+	// runtimeDefault indicates that we should use or create a runtime default apparmor profile.
+	runtimeDefault = "runtime/default"
+	// appArmorDefaultProfileName is name to use when creating a default apparmor profile.
+	appArmorDefaultProfileName = "cri-containerd.apparmor.d"
+	// appArmorEnabled is a flag for globally enabling/disabling apparmor profiles for containers.
+	appArmorEnabled = true // TODO (mikebrow): make these apparmor defaults configurable
+)
+
 // CreateContainer creates a new container in the given PodSandbox.
 func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.CreateContainerRequest) (_ *runtime.CreateContainerResponse, retErr error) {
 	config := r.GetConfig()
@@ -156,6 +168,23 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 	if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
 		specOpts = append(specOpts, containerd.WithUsername(username))
 	}
+	// Set apparmor profile, (privileged or not) if apparmor is enabled
+	if appArmorEnabled {
+		appArmorProf := config.GetLinux().GetSecurityContext().GetApparmorProfile()
+		switch appArmorProf {
+		case runtimeDefault:
+			// TODO (mikebrow): delete created apparmor default profile
+			specOpts = append(specOpts, apparmor.WithDefaultProfile(appArmorDefaultProfileName))
+		case "":
+			// TODO (mikebrow): handle no apparmor profile case see kubernetes/kubernetes#51746
+		default:
+			// Require and Trim default profile name prefix
+			if !strings.HasPrefix(appArmorProf, profileNamePrefix) {
+				return nil, fmt.Errorf("invalid apparmor profile %q", appArmorProf)
+			}
+			specOpts = append(specOpts, apparmor.WithProfile(strings.TrimPrefix(appArmorProf, profileNamePrefix)))
+		}
+	}
 	opts = append(opts,
 		containerd.WithSpec(spec, specOpts...),
 		containerd.WithRuntime(defaultRuntime, nil),
@@ -264,9 +293,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 			return nil, fmt.Errorf("failed to set capabilities %+v: %v",
 				securityContext.GetCapabilities(), err)
 		}
-
-		// TODO(random-liu): [P2] Add apparmor and seccomp.
-
+		// TODO(random-liu): [P2] Add seccomp not privileged only.
 	}
 
 	g.SetProcessSelinuxLabel(processLabel)
@@ -275,7 +302,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 	// TODO: Figure out whether we should set no new privilege for sandbox container by default
 	g.SetProcessNoNewPrivileges(securityContext.GetNoNewPrivs())
 
-	// TODO(random-liu): [P1] Set selinux options.
+	// TODO(random-liu): [P1] Set selinux options (privileged or not).
 
 	g.SetRootReadonly(securityContext.GetReadonlyRootfs())
 

pkg/server/sandbox_run.go

@@ -294,7 +294,9 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 		g.AddLinuxSysctl(key, value)
 	}
 
-	// TODO(random-liu): [P2] Set apparmor and seccomp from annotations.
+	// TODO(random-liu): [P2] Set seccomp
+
+	// Note: LinuxSandboxSecurityContext does not currently provide an apparmor profile
 
 	g.SetLinuxResourcesCPUShares(uint64(defaultSandboxCPUshares))
 	g.SetProcessOOMScoreAdj(int(defaultSandboxOOMAdj))

vendor.conf

@@ -47,15 +47,16 @@ github.com/syndtr/gocapability e7cb7fa329f456b3855136a2642b197bad7366ba
 github.com/ugorji/go ded73eae5db7e7a0ef6f55aace87a2873c5d2b74
 golang.org/x/net 7dcfb8076726a3fdd9353b6b8a1f1b6be6811bd6
 golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
-golang.org/x/sys 739734461d1c916b6c72a63d7efda2b27edb369f
+golang.org/x/sys b892924b68aa53038e8a55b255ee0d8391e8eec5
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 google.golang.org/grpc v1.3.0
 gopkg.in/inf.v0 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
 gopkg.in/yaml.v2 53feefa2559fb8dfa8d81baad31be332c97d6c77
-k8s.io/api c0bcfdc3597be1a899c9f0b4e3d1b2e023b5148f
-k8s.io/apimachinery dc1f89aff9a7509782bde3b68824c8043a3e58cc
-k8s.io/apiserver 149fc2228647cea28b0670c240ec582e985e8eda
-k8s.io/client-go 2103a0e46b61d837aca715a6da810783527a4974
-k8s.io/kubernetes 493ee8b28560c118cebd2165ba9ef0959cfa2bc3
+k8s.io/api f30e293246921de7f4ee46bb65b8762b2f890fc4
+k8s.io/apimachinery b166f81f5c4c88402ae23a0d0944c6ad08bffd3b
+k8s.io/apiserver b2a8ad67a002d27c8945573abb80b4be543f2a1f
+k8s.io/client-go db8228460e2de17f5d3a9a453f61dde0ba86545a
+k8s.io/kubernetes aa9417ce910a7f508c9e8575263c2b280343a704
 k8s.io/utils 1f5ba483856f60b34bb29864d4129a8065d1c83b
+k8s.io/kube-openapi 2fbf05e337e56c983d9df1220b9e67cf132a1669 https://github.com/kubernetes/kube-openapi.git