AppArmor 简介:
cat /etc/apparmor.d/test-deny-write
#include <tunables/global>
profile test-deny-write flags=(attach_disconnected) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
}
已加载:
sudo apparmor_parser --Complain test-deny-write
sudo aa-status
apparmor module is loaded.
38 profiles are loaded.
31 profiles are in enforce mode.
/snap/snapd/20290/usr/lib/snapd/snap-confine
/snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/chronyd
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
cri-containerd.apparmor.d
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.google-cloud-cli
snap-update-ns.lxd
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.hook.remove
snap.lxd.lxc
snap.lxd.lxc-to-lxd
snap.lxd.lxd
snap.lxd.migrate
7 profiles are in complain mode.
snap.google-cloud-cli.anthoscli
snap.google-cloud-cli.bq
snap.google-cloud-cli.docker-credential-gcloud
snap.google-cloud-cli.gcloud
snap.google-cloud-cli.gsutil
snap.google-cloud-cli.kubectl
test-deny-write
13 processes have profiles defined.
13 processes are in enforce mode.
/usr/sbin/chronyd (1376)
/usr/sbin/chronyd (1377)
/metrics-server (12860) cri-containerd.apparmor.d
/usr/bin/dumb-init (13041) cri-containerd.apparmor.d
/nginx-ingress-controller (13053) cri-containerd.apparmor.d
/manager (13086) cri-containerd.apparmor.d
/usr/local/nginx/sbin/nginx (13114) cri-containerd.apparmor.d
/manager (13136) cri-containerd.apparmor.d
/usr/local/nginx/sbin/nginx (13155) cri-containerd.apparmor.d
/usr/local/nginx/sbin/nginx (13156) cri-containerd.apparmor.d
/usr/local/nginx/sbin/nginx (13157) cri-containerd.apparmor.d
/manager (13250) cri-containerd.apparmor.d
/manager (13565) cri-containerd.apparmor.d
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Pod 定义:
cat n.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: nginx
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: localhost/test-deny-write
name: nginx
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
dnsPolicy: ClusterFirst
restartPolicy: Always
kubectl apply -f n.yaml
pod/nginx created
kubectl get pods
NAME READY STATUS RESTARTS AGE
...
nginx 0/1 CrashLoopBackOff 1 (3s ago) 7s
kubectl logs nginx
/docker-entrypoint.sh: 13: cannot create /dev/null: Permission denied
/docker-entrypoint.sh: No files found in /docker-entrypoint.d/, skipping configuration
2024/01/06 11:27:50 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
现在,尽管配置文件是在投诉模式下加载的,但 AppArmor 仍可在强制模式下工作。使其以投诉模式而不是强制模式工作的唯一方法是将配置文件定义从拒绝更改为审核:
...
audit /** w,
...
然后再次在模式下重新加载配置文件--Complain。这将使 pod 启动并且事件得到审核:
kubectl logs nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/01/06 11:36:57 [notice] 1#1: using the "epoll" event method
2024/01/06 11:36:57 [notice] 1#1: nginx/1.25.3
2024/01/06 11:36:57 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
2024/01/06 11:36:57 [notice] 1#1: OS: Linux 5.15.0-1047-gcp
2024/01/06 11:36:57 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2024/01/06 11:36:57 [notice] 1#1: start worker processes
2024/01/06 11:36:57 [notice] 1#1: start worker process 29
2024/01/06 11:36:57 [notice] 1#1: start worker process 30
kubectl exec -it nginx -- sh
# echo a > a.log
sudo dmesg
...
[ 1943.792266] audit: type=1400 audit(1704541508.355:101): apparmor="AUDIT" operation="open" profile="test-deny-write" name="/dev/tty" pid=16159 comm="sh" requested_mask="w" fsuid=0 ouid=0
[ 1950.228525] audit: type=1400 audit(1704541514.792:102): apparmor="AUDIT" operation="mknod" profile="test-deny-write" name="/a.log" pid=16159 comm="sh" requested_mask="c" fsuid=0 ouid=0
[ 1950.234413] audit: type=1400 audit(1704541514.800:103): apparmor="AUDIT" operation="open" profile="test-deny-write" name="/a.log" pid=16159 comm="sh" requested_mask="wc" fsuid=0 ouid=0
但这违背了抱怨模式的目的。
系统详细信息:
uname -a
Linux node-qf1h 5.15.0-1047-gcp #55~20.04.1-Ubuntu SMP Wed Nov 15 11:38:25 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
kubectl version
Client Version: v1.28.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.0
AppArmor 文档在这里没有什么帮助: https://gitlab.com/apparmor/apparmor/-/wikis/Complain-Mode
投诉模式
学习应用行为TODO
投诉模式和拒绝规则
一些版本的 apparmor 损坏....TODO
这是 AppArmor 错误吗,还是我遗漏了什么?
答案1
你没有在个人资料中添加投诉
#include <tunables/global>
profile test-deny-write flags=(attach_disconnected) {
complain,
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
}
正如您所看到的,complain,您的配置中缺少该行。该行complain,用于指定此配置文件应在投诉模式下运行
答案2
该--complain标志有效,并影响容器主机上配置文件的执行,直到您重新启动它或重新加载配置文件。
该--complain标志不会影响您的 pod,因为您正在使用的容器管理器会专门为该 pod 重新加载配置文件。
您可以使用aa-complain设置配置文件来以投诉模式运行,以便在重新启动、重新加载和 pod 后继续运行。