Apptainer Ineffective Application of AppArmor and SELinux Security Options Vulnerability

Vulnerability

A vulnerability exists in Apptainer versions prior to 1.4.5 that allows a container to disable certain aspects of the '--security' option, specifically '--security=apparmor:<profile>' and '--security=selinux:<label>'. These options are intended to restrict what a container can do. Although the '--security' option is primarily for root users, unprivileged users can also use it if the relevant features are enabled on their system. The vulnerability arises because the write that applies the SELinux label can be misdirected, leaving the process unprotected, and because warnings about unavailable security features are easily overlooked when Apptainer is run from scripts or automation.

Impact

Failure to properly apply AppArmor and SELinux security labels can lead to unrestricted container operations, potentially allowing malicious activities that could be mitigated by these security features.

Reproduction

To reproduce this vulnerability, run a container with the '--security=selinux:<label>' or '--security=apparmor:<profile>' options on a system where the corresponding feature is enabled. For SELinux, ensure it is active and the label is valid. For AppArmor, verify that the profile exists and is applicable. The vulnerability can be exploited by redirecting the write operation for LSM labels to a non-effective location, such as a dummy file or a no-op procfs file, thereby bypassing the intended security restrictions.
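As an added example (not Apptainer's own code), the following POSIX shell script checks from inside the container that the profile or label requested with '--security' is actually in effect, so a scripted run fails closed instead of relying on a warning that may go unnoticed. It assumes 'apptainer' is on PATH and that the IMAGE variable names a container image.

```shell
#!/bin/sh
# Added example (not Apptainer project code): verify from a script that the
# LSM confinement requested with --security actually applies to the container
# process, rather than trusting Apptainer's warnings, which scripted runs miss.
# Assumes 'apptainer' is on PATH and IMAGE names a container image.

# lsm_label_matches LSM EXPECTED OBSERVED
# OBSERVED is the text of /proc/self/attr/current read inside the container:
#   AppArmor: "profile (enforce)", "profile (complain)" or "unconfined"
#   SELinux:  a full context such as "system_u:system_r:container_t:s0"
# Returns 0 only when the expected profile/label is in effect (AppArmor must
# be in enforce mode), 1 when it is not, 2 for an unknown LSM name.
lsm_label_matches() {
  lsm=$1; expected=$2; observed=$3
  case "$lsm" in
    apparmor)
      profile=${observed%%" ("*}     # "profile (enforce)" -> "profile"
      mode=${observed##*"("}         # "profile (enforce)" -> "enforce)"
      mode=${mode%")"}               # -> "enforce"; "unconfined" has no mode
      if [ "$profile" = "$expected" ] && [ "$mode" = "enforce" ]; then
        return 0
      fi
      return 1
      ;;
    selinux)
      if [ "$observed" = "$expected" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      return 2
      ;;
  esac
}

# verify_confinement LSM VALUE: run the container with the requested option and
# fail closed if the process inside does not carry that profile/label.
verify_confinement() {
  lsm=$1; value=$2
  observed=$(apptainer exec --security="$lsm:$value" "$IMAGE" \
               cat /proc/self/attr/current | tr -d '\000\n')
  if lsm_label_matches "$lsm" "$value" "$observed"; then
    echo "ok: $lsm confinement '$value' is in effect"
    return 0
  fi
  echo "FAIL: requested $lsm '$value' but container sees '$observed'" >&2
  return 1
}
```

Run it as `IMAGE=/path/to/image.sif verify_confinement apparmor myprofile` (or `selinux <label>`); a non-zero exit means the requested confinement did not take effect.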

Remediation

Update to Apptainer version 1.4.5 or later, where this vulnerability has been addressed. Versions 4.1.11 and 4.3.5 also contain the fix.

Added: Dec 2, 2025, 6:20 PM
Updated: Dec 2, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 3.6
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.