
Commit 12a4290

committedMay 8, 2024
Add detection and documentation for Apparmor restrictions
1 parent ccd3210 commit 12a4290


2 files changed

+26
-16
lines changed

 

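--- a/doc/requirements.md
+++ b/doc/requirements.md
@@ -47,6 +47,9 @@ The following kernel settings must be set accordingly:
 * On some distributions (e.g. Archlinux-based, Debian-based)
 - `/proc/sys/kernel/unprivileged_userns_clone` must be enabled (equal to 1)
 
+* On some distributions (e.g. Ubuntu-based)
+- `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` must be disabled (equal to 0) unless `{datadir}/enroot/apparmor.profile` is installed
+
 ## GPU support (optional)
 
 * GPU architecture > 2.1 (Fermi)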

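--- a/src/bundle.sh
+++ b/src/bundle.sh
@@ -119,27 +119,27 @@ bundle::verify() {
 printf "\n%s\n\n" "$(common::fmt bold "Kernel configuration:")"
 for param in CONFIG_NAMESPACES CONFIG_USER_NS CONFIG_SECCOMP_FILTER; do
 if zgrep -q "${param}=y" "${conf}"; then
-printf "%-34s: %s\n" "${param}" "$(common::fmt green "OK")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt green "OK")"
 elif zgrep -q "${param}=m" "${conf}"; then
-printf "%-34s: %s\n" "${param}" "$(common::fmt green "OK (module)")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt green "OK (module)")"
 else
-printf "%-34s: %s\n" "${param}" "$(common::fmt red "KO")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt red "KO")"
 fi
 done
 for param in CONFIG_OVERLAY_FS; do
 if zgrep -q "${param}=y" "${conf}"; then
-printf "%-34s: %s\n" "${param}" "$(common::fmt green "OK")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt green "OK")"
 elif zgrep -q "${param}=m" "${conf}"; then
-printf "%-34s: %s\n" "${param}" "$(common::fmt green "OK (module)")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt green "OK (module)")"
 else
-printf "%-34s: %s\n" "${param}" "$(common::fmt yellow "KO (optional)")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt yellow "KO (optional)")"
 fi
 done
 for param in CONFIG_X86_VSYSCALL_EMULATION CONFIG_VSYSCALL_EMULATE CONFIG_VSYSCALL_NATIVE; do
 if zgrep -q "${param}=y" "${conf}"; then
-printf "%-34s: %s\n" "${param}" "$(common::fmt green "OK")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt green "OK")"
 else
-printf "%-34s: %s\n" "${param}" "$(common::fmt yellow "KO (required if glibc <= 2.13)")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt yellow "KO (required if glibc <= 2.13)")"
 fi
 done
 
@@ -148,36 +148,43 @@ bundle::verify() {
 centos7*|rhel7*|ol7*)
 for param in "namespace.unpriv_enable=1" "user_namespace.enable=1"; do
 if grep -q "${param}" /proc/cmdline; then
-printf "%-34s: %s\n" "${param}" "$(common::fmt green "OK")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt green "OK")"
 else
-printf "%-34s: %s\n" "${param}" "$(common::fmt red "KO")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt red "KO")"
 fi
 done
 esac
 for param in "vsyscall=native" "vsyscall=emulate"; do
 if grep -q "${param}" /proc/cmdline; then
-printf "%-34s: %s\n" "${param}" "$(common::fmt green "OK")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt green "OK")"
 else
-printf "%-34s: %s\n" "${param}" "$(common::fmt yellow "KO (required if glibc <= 2.13)")"
+printf "%-45s: %s\n" "${param}" "$(common::fmt yellow "KO (required if glibc <= 2.13)")"
 fi
 done
 
 printf "\n%s\n\n" "$(common::fmt bold "Kernel parameters:")"
 for param in "kernel/unprivileged_userns_clone" "user/max_user_namespaces" "user/max_mnt_namespaces"; do
 if [ -f "/proc/sys/${param}" ]; then
 if [ "$(< /proc/sys/${param})" -gt 0 ]; then
-printf "%-34s: %s\n" "${param/\//.}" "$(common::fmt green "OK")"
+printf "%-45s: %s\n" "${param/\//.}" "$(common::fmt green "OK")"
 else
-printf "%-34s: %s\n" "${param/\//.}" "$(common::fmt red "KO")"
+printf "%-45s: %s\n" "${param/\//.}" "$(common::fmt red "KO")"
 fi
 fi
 done
+param="kernel/apparmor_restrict_unprivileged_userns"; if [ -f "/proc/sys/${param}" ]; then
+if [ "$(< /proc/sys/${param})" -eq 0 ]; then
+printf "%-45s: %s\n" "${param/\//.}" "$(common::fmt green "OK")"
+else
+printf "%-45s: %s\n" "${param/\//.}" "$(common::fmt yellow "KO (required w/o apparmor profile)")"
+fi
+fi
 
 printf "\n%s\n\n" "$(common::fmt bold "Extra packages:")"
 if command -v "nvidia-container-cli" > /dev/null; then
-printf "%-34s: %s\n" "nvidia-container-cli" "$(common::fmt green "OK")"
+printf "%-45s: %s\n" "nvidia-container-cli" "$(common::fmt green "OK")"
 else
-printf "%-34s: %s\n" "nvidia-container-cli" "$(common::fmt yellow "KO (required for GPU support)")"
+printf "%-45s: %s\n" "nvidia-container-cli" "$(common::fmt yellow "KO (required for GPU support)")"
 fi
 
 exit 0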
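Review bot: The new AppArmor check at new lines 175–181 of the second hunk reports only the sysctl value, so a host that keeps `apparmor_restrict_unprivileged_userns=1` and has the enroot AppArmor profile installed — the configuration the doc/requirements.md change in this commit describes as supported — is still printed as KO, and the wording nudges the reader toward relaxing the host-wide restriction rather than installing the profile. I would make the message name the preferred remedy, e.g. `"$(common::fmt yellow "KO (install the enroot apparmor profile, or set to 0)")"`, and, if a cheap test for a loaded profile is available on this host (presumably via the AppArmor securityfs profile listing — nothing in the hunk queries it, so hedged), report OK when the profile is present instead of relying on the sysctl alone. On style, `param="…"; if [ -f "/proc/sys/${param}" ]; then` folds two statements onto one line while every other statement in this function sits on its own line; split it into `param="kernel/apparmor_restrict_unprivileged_userns"` followed by `if [ -f "/proc/sys/${param}" ]; then`. bundle::verify() begins before the first hunk, so I cannot see whether `param` is declared `local`; if it is not, this assignment (like the loops above it) leaves `param` set in the caller's scope after the function returns.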
