fix(apparmor): forbid breaking out of confinement with ssh again#7255
fix(apparmor): forbid breaking out of confinement with ssh again#7255okurz wants to merge 1 commit intoos-autoinst:masterfrom
Conversation
|
Maybe a stupid question: Don't certain backends need to make SSH connections? I suppose they don't do them via the I guess it makes generally sense to trim down the number of executables to a minimum but the title "forbid breaking out of confinement" makes it sound like this is about a specific attack vector being prevented here (SSH connections in general). |
Vogtinator
left a comment
Vogtinator
left a comment
There was a problem hiding this comment.
This will break ssh backends again
They actually do: The worker spawns Xvnc, with icewm and xterm-console inside, then runs ssh. 4ec6f2a was necessary to make this work again.
Correct. Any code, including test code can just connect to whereever using TCP sockets. |
| /proc/*/fd/ r, | ||
| /proc/filesystems r, | ||
| /proc/meminfo r, | ||
| /usr/bin/ssh rix, |
Let's verify this properly then. https://openqa.opensuse.org/tests/5827767 is the test that was used to verify #7249 - are there other cases we should consider? |
That should work, also svirt, pvm and generalhw. Also any git repo referenced through e.g. |
Of course. See #7255 (comment)
What "improvement" do you mean? I am trying to break a security regression from 4ec6f2a
please read the commit message and tell me where I can phrase it better. This PR is intended to be a security regression fix, not a general improvement. |
Martchus
left a comment
Martchus
left a comment
There was a problem hiding this comment.
Then I don't get what regression this fixes considering code can make SSH connections anyway (e.g. using libopenssh directly or some custom implementation).
Considering @Vogtinator's comments this will even break existing tests and allows using ssh in the wrong place.
You should know even better. We have apparmor enforced in o3 except for https://progress.opensuse.org/projects/openqav3/wiki/#o3-s390-and-other-eg-bare-metal-workers-running-as-podman-containers-on-o3-worker-openqaworker23 . And we don't enforce apparmor within the whole OSD domain. Why is that then? |
The apparmor denials caused failures in the containerized workers and adjusting the policy on ow23 (the container host!) made it work again. Not sure which part of that is intentional. In any case, the tests should work even outside of containers, like on local workstations with apparmor enabled. |
That all sounds nice and dandy but doesn't explain why someone (not me) made the decision that o3 can have enforced apparmor profiles for all standard qemu workers, apparmor disabled but confined in containers in o3 for non-qemu and no apparmor enabled at all within OSD |
This fixes a security regression introduced in 4ec6f2a allowing to execute ssh globally in the complete worker process. Allowing to ssh out from the main worker process would deny most of the confinement benefit of using apparmor. Related to os-autoinst#7249 (comment)
It's enabled on all workers FWICT? For the container workers I suspect the difference in behaviour started with Leap 16. Maybe some product regression there (the container engines no longer support AppArmor?).
Would be nice if that could change. |
6 participants
This fixes a security regression introduced in 4ec6f2a allowing to
execute ssh globally in the complete worker process. Allowing to ssh out
from the main worker process would deny most of the confinement benefit
of using apparmor.
Related to
#7249 (comment)