Apparmor help needed for LXC container

loscalino, New Member, Apr 3, 2025
Hi,
I'm new to AppArmor and need assistance configuring it for an LXC container.

I have Chrome installed in container ID 105, and AppArmor is preventing its internet access.

I have edited /etc/pve/lxc/105.conf and added:
lxc.apparmor.raw: network inet dgram,

which appears correctly in the generated profile:

#cat /var/lib/lxc/105/apparmor/lxc-105_<-var-lib-lxc>
...
# Allow remounting things read-only
mount options=(ro,remount),
network inet dgram,
}


But I keep getting the DENIED error:

#dmesg | grep apparmor
...
apparmor="DENIED" operation="create" class="net" namespace="root//lxc-105_<-var-lib-lxc>" profile="chrome" pid=3728266 comm="Chrome_ChildIOT" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"

What am I missing?
Thanks
 
Is your primary objective with this particular project to learn about AppArmor, or to just have a Chrome browser without as much OS cruft taking up space?

I ask because LXC has certain guardrails in place that, when you remove them, greatly decrease the security of the container. In this case, you're trying to give Chrome kernel-level networking privileges on the Host kernel.

With the browser also having its own sandbox, this probably isn't going to create a 0-day vuln, but I still wouldn't do it in production - especially since VMs have almost all of the same benefits (other than instant resizing).

If the goal isn't to learn AppArmor config, I'd suggest using a VM for this use case.

I'd be happy to explain how to use those if that's something that helps you accomplish your goal.

I have broken AppArmor security for the purpose of testing it out before, but it's not something I'm well-versed in generally, and not something I'd recommend that someone else do other than to learn how to "break the glass", just "for the fun of it".
Spent today working on this for myself and a portion of tonight just on this. The fix is:

Inside the container, you have to do the overrides:
Code:
#/etc/apparmor.d/local/chrome
network inet  dgram,
network inet6 dgram,
network inet  stream,
network inet6 stream,

Again, that's inside the container, in /etc/apparmor.d/local/chrome.
Then the container can run totally fine!
The container can be unprivileged and has no need for nesting=1 or ANY lxc.apparmor.raw

Context for why is:
"By default, AppArmor denies network access to a confined program unless the profile explicitly allows it" (forums.whonix.org)
And the default profile, while "unconfined", does not explicitly allow network access.

Tbh I'm not quite sure how this works on a regular Ubuntu install without issues, but this is working great for me with a full speed Chrome in a container now.
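An added example, not code from anyone in this thread: a small Python helper that parses AppArmor audit lines like the one in the first post and turns each class=net denial into the matching `network <family> <type>,` rule, grouped by the (namespace, profile) pair that actually issued the denial. The `namespace="root//lxc-105_<-var-lib-lxc>"` and `profile="chrome"` fields are what show that the denial comes from the chrome profile loaded inside the container's own policy namespace, not from the container profile that lxc.apparmor.raw edits. The sample log is constructed: the first line is the one from the thread, the other two are made up to show an inet6 denial and a non-network line being skipped.

```python
import re

# Constructed sample log: line 1 is the denial quoted in the thread, lines 2-3 are made up.
SAMPLE_LOG = """
apparmor="DENIED" operation="create" class="net" namespace="root//lxc-105_<-var-lib-lxc>" profile="chrome" pid=3728266 comm="Chrome_ChildIOT" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"
apparmor="DENIED" operation="create" class="net" namespace="root//lxc-105_<-var-lib-lxc>" profile="chrome" pid=3728270 comm="Chrome_ChildIOT" family="inet6" sock_type="stream" protocol=0 requested="create" denied="create"
apparmor="ALLOWED" operation="open" class="file" profile="chrome" name="/etc/hosts" pid=3728271 comm="chrome" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bareword; quoted values may contain spaces and < >.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(2)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def network_rules(log_text):
    """Map (policy namespace, profile) -> distinct 'network <family> <type>,' rules
    for every DENIED class=net event. The key tells the admin which profile must
    be changed; here it is 'chrome' inside the container's namespace."""
    rules = {}
    for raw in log_text.splitlines():
        f = parse_audit_line(raw)
        if f.get("apparmor") != "DENIED" or f.get("class") != "net":
            continue
        key = (f.get("namespace", "root"), f["profile"])
        rule = f"network {f['family']} {f['sock_type']},"
        bucket = rules.setdefault(key, [])
        if rule not in bucket:
            bucket.append(rule)
    return rules


def render_local_override(rule_list):
    """Render rules as the body of an /etc/apparmor.d/local/<profile> override file."""
    return "\n".join(["# generated from AppArmor DENIED events"] + rule_list) + "\n"


if __name__ == "__main__":
    for (ns, profile), rule_list in network_rules(SAMPLE_LOG).items():
        print(f"# namespace={ns} profile={profile}")
        print(render_local_override(rule_list))
```

Run it against `dmesg | grep apparmor` output from inside the container to see which profile is denying and which rules the local override needs.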