I really need to dive into #SELinux and #AppArmor at some point. For the stuff I host for myself in VMs, I have it disabled for my own convenience, but I know I should have these protections enabled. Anyone have any good guides for beginners? While you're at it, I could probably use some good #CrowdSec beginner resources as well.

[Translation] From capabilities to AppArmor: what will actually stop an attacker in a container

A compromised container is the moment of truth for every security setting: the attacker is already inside, commands are being executed, and what matters next is understanding what will actually constrain their actions. Using a single workload, this article examines how capabilities, seccomp and AppArmor cover different parts of an attack in Kubernetes, where each mechanism runs into its own limits, and why container protection only works as a set of layers. Examine the defenses

https://habr.com/ru/companies/otus/articles/1039572/

#безопасность_Kubernetes #безопасность_контейнеров #container_security #capabilities #seccomp #LSM #AppArmor #securityContext #защита_кластера

From capabilities to AppArmor: what will actually stop an attacker in a container

Picture an ordinary container running a web application. It has a vulnerability, an attacker gains the ability to execute commands, and then the interesting part begins: what exactly will stop them? Not in...

Habr
New hardening in #sydbox #git: Deleted File Access Mediation, inspired by #AppArmor flag PATH_MEDIATE_DELETED: https://man.exherbo.org/syd.7.html#Deleted_File_Access_Mediation #exherbo #linux #security
SYD(7)

After some reflection... I've decided to stick with #ubuntu for another two years and have upgraded all my machines (3 desktops, 4 servers) to 26.04 by doing:

$ sudo do-release-upgrade -d

On the desktop side, things went pretty smoothly and I only had to do the following after the update completed:

1. Resolve some configuration file conflicts, notably rsnapshot, nginx, and grub. For these, I mostly used vimdiff afterwards to merge the maintainer's version into the local file.

2. Update apt sources in /etc/apt/sources.list.d. During the upgrade, all third-party repos are disabled, so afterwards I had to go and re-enable or update them. Fortunately, I only had a few: google (chrome), steam, and weechat.

3. After updating, Ubuntu Pro was not enabled for some reason (though I was enrolled and registered). To fix this, I did: "sudo pro enable livepatch", which also enabled the ESM repos.

That said, not everything was perfect:

1. On my laptop with a 1080p LCD, the default scaling was set to 125% instead of 100% due to it being a smaller screen (14in physically). I did not appreciate this... but I think once you set it to 100% it will be remembered.

2. The OSD for switching inputs is too small, so the text is truncated, as shown in the video.

3. Epiphany (aka #gnome web) was only version 49 and the font rendering was... blurry. Because of this, I switched back to #firefox (crazy I know) both on the desktop and mobile.

4. I am not a fan of the new default terminal ptyxis, so I installed #ghostty and am using that instead. My issues with ptyxis are that the window decoration does not follow the default color scheme and that it tries to do a bit too much. I did make a custom palette for ptyxis but it still did not behave right (i.e. dimming), so I'm just using #ghostty (despite it having a bug with opening off-center with a custom window width/height).

On the server side, the upgrades appeared to be fine... until I realized things were not working. In particular, a few services stopped working due to #apparmor.

1. I had to write a custom apparmor profile for mbsync as shown below.

2. For wireguard and znc, I could not figure out how to write an appropriate apparmor profile, so I installed apparmor-utils and then did "sudo aa-complain" on the corresponding apparmor profiles to put them in complain mode (i.e. audit but don't enforce).

I think this last part (the stricter apparmor profiles) will probably bite a lot of people... particularly if you tend to use custom file locations for data and configs, so be warned!

Despite these hiccups, things appear to be running smoothly for now... :}
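Before reaching for aa-complain, it helps to see exactly which paths an enforced profile is blocking. The following is an added example, not code from the post above: a small POSIX sh helper that summarises AppArmor audit events from `journalctl -k` or `dmesg` output, distinguishing enforced denials ("DENIED") from complain-mode audits ("ALLOWED"). The log lines, profile names and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit events as they appear in
# `journalctl -k` / `dmesg` on Ubuntu. "DENIED" lines come from enforced
# profiles (the mbsync case above); "ALLOWED" lines come from profiles put
# into complain mode with `sudo aa-complain <profile>`, which audits the
# access instead of blocking it.

# Pull the value of one key="value" pair out of a single log line (stdin).
field() {
  sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# apparmor_events [DENIED|ALLOWED]
# Reads log lines on stdin and prints one tab-separated
# "profile operation name denied_mask" line per distinct event, so a denial
# that repeats every time a timer fires shows up once instead of flooding
# the output the way it floods the kernel log.
apparmor_events() {
  mode=${1:-DENIED}
  grep "apparmor=\"$mode\"" | while IFS= read -r line; do
    profile=$(printf '%s\n' "$line" | field profile)
    op=$(printf '%s\n' "$line" | field operation)
    name=$(printf '%s\n' "$line" | field name)
    mask=$(printf '%s\n' "$line" | field denied_mask)
    printf '%s\t%s\t%s\t%s\n' "$profile" "$op" "${name:--}" "${mask:--}"
  done | LC_ALL=C sort -u
}

# Constructed sample log (not captured from a real system); the profile
# names and the custom mail location are assumptions for the example.
SAMPLE_LOG='audit: type=1400 audit(1700000000.100:10): apparmor="DENIED" operation="open" class="file" profile="mbsync" name="/srv/mail/alice/.mbsyncrc" pid=4242 comm="mbsync" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.200:11): apparmor="DENIED" operation="open" class="file" profile="mbsync" name="/srv/mail/alice/.mbsyncrc" pid=4242 comm="mbsync" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.300:12): apparmor="DENIED" operation="mkdir" class="file" profile="mbsync" name="/srv/mail/alice/INBOX/" pid=4242 comm="mbsync" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.400:13): apparmor="ALLOWED" operation="open" class="file" profile="znc" name="/etc/znc/znc.conf" pid=5151 comm="znc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# Enforced denials: the paths a stricter profile needs rules for.
printf '%s\n' "$SAMPLE_LOG" | apparmor_events DENIED
# Complain-mode audits: what the profile would have blocked if enforced.
printf '%s\n' "$SAMPLE_LOG" | apparmor_events ALLOWED
# On a live host: journalctl -k --no-pager | apparmor_events DENIED
```

Each output line maps directly onto a profile rule (path plus access mask), and a profile that stays empty in complain mode for a while is a good sign it is ready to be re-enforced with `sudo aa-enforce`.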

Firefox crashes after replacing snap with APT build on Ubuntu 26.04 LTS - Sandbox: CanCreateUserNamespace() EPERM, Wayland bind error, AppArmor denial #firefox #wayland #apparmor #2604

https://askubuntu.com/q/1566816/612

Firefox crashes after replacing snap with APT build on Ubuntu 26.04 LTS - Sandbox: CanCreateUserNamespace() EPERM, Wayland bind error, AppArmor denial

Environment OS: Ubuntu 26.04 LTS (fresh install, last LTS) Hardware: AMD-powered laptop [Lenovo IdeaPad-Slim-5-15ARP1] Session: Wayland Firefox: installed from Mozilla APT repository (removed snap...

Ask Ubuntu

@zhenech

Why #AppArmor and sysctl hardening do a good job of breaking exploit chains:

Ubuntu note: AppArmor restricts unprivileged user namespaces by default. You must first run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

CVE-2026-23409: infinite loop in AppArmor unpacking via crafted policy. Two bugs in state verification logic. Requires CAP_MAC_ADMIN but trivial DoS once you have it. Patch in 6.13-rc1. Update now if you use AppArmor. #CVE #LinuxKernel #AppArmor

https://www.valtersit.com/cve/2026/04/cve-2026-23409/

CVE-2026-23409 | Valters IT Hub

AppArmor 5.0 improves security on Linux with more advanced policies

AppArmor 5.0 introduces new policies, security improvements and advanced management for modern Linux systems.

Linux Easy
These #apparmor profiles are checked when running 'apt update' on #Ubuntu and #LinuxMint, so the kernel log/dmesg would fill up just from the update manager running it periodically.

Qualys has reported nine vulnerabilities in AppArmor and grouped the findings under the name CrackArmor.

https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root

The problem dates back to 2017, when it appeared with Linux kernel version 4.11.

AppArmor is part of the Linux kernel and performs mandatory access control. The mechanism restricts what individual programs can do, preventing applications from reading files that are not theirs, executing dangerous system calls, or gaining additional privileges.

CrackArmor lets a local user without root privileges manipulate security profiles through special pseudo-files in the /sys/kernel/security/apparmor/ directory. As a result, the attacker is able to escalate privileges to root.

Until patches are available, changes in the `/sys/kernel/security/apparmor/` directory should be monitored, since suspicious modification of profiles may indicate an attempt to exploit the vulnerability.

https://www.securitylab.ru/news/570418.php

#Linux #apparmor #crackarmor #vulnerability

CrackArmor Vulnerability 2026: AppArmor Root Access & Qualys Detection | Qualys

CrackArmor — nine AppArmor flaws enable root access & container escape on 12M+ Linux systems. Qualys TRU discovered & validated. Learn attack paths, impact, and immediate mitigation steps. Patch now.

Qualys