[apparmor] Apparmor and Docker - capabilities and network flags not working

werner_kienzler werner_kienzler at protonmail.com
Sat May 21 21:55:40 UTC 2022


Hello,

I am trying to use AppArmor in conjunction with Docker, as in the example explained in the Docker docs:
https://docs.docker.com/engine/security/apparmor/

I want to describe my problems with this example. I copied the example policy from this website to

/etc/apparmor.d/docker-nginx

Then I parsed the profile:
$ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx

and "aa-status" shows that the profile is loaded.
Starting Docker like this:

$ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name apparmor-nginx nginx

works as expected: "aa-status" shows that the resulting Docker processes are confined, and if I do e.g.
$ sudo docker container exec -it apparmor-nginx dash

I end up in a shell (despite "dash" being explicitly denied in the profile), but AppArmor works as expected; e.g. executing
# touch /boot/testfile

in the container is not possible (permission denied).

So I tried to restrict the profile further. Since I don't want to bind the container to a privileged port (< 1024), I thought I didn't need

capability net_bind_service,

in the Apparmor profile.
So I removed the corresponding line in the profile and reloaded the profile. To make sure that everything went smoothly, I did (after removing the corresponding line):

$ sudo aa-teardown
$ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx

Then I stopped and removed the container:
$ sudo docker stop apparmor-nginx && sudo docker rm apparmor-nginx

and restarted it, but again on port 80 (which I expected not to work, since the capability was removed):
$ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name apparmor-nginx nginx

But it worked. I could access the nginx server on "http://localhost:80" in my host browser.

I then tried to disable network access completely and removed the following lines:

network inet tcp,
network inet udp,
network inet icmp,

and replaced them with:

deny network,

Again I reloaded the profile:

$ sudo aa-teardown
$ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx

restarted the container:
$ sudo docker stop apparmor-nginx && sudo docker rm apparmor-nginx
$ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name apparmor-nginx nginx

This works fine, despite the missing capabilities and the "deny network" directive.
Then I started a session in the container again:
$ sudo docker container exec -it apparmor-nginx dash

And e.g.
# curl www.google.com

works: I get the expected output, despite "deny network".
So my main concerns are:
1. despite removing "capability net_bind_service", I can bind to port 80
2. despite "deny network", I can use curl

I'm using Arch Linux on the host, with Apparmor 3.0.4 and docker 1.20.10.16.

Can anybody help me with this problem? From my point of view this should not be possible. Can anybody give me an explanation?

Thanks
Werner
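The post relies on "aa-status" to conclude that the container is confined. The script below, an added example that is not part of the post or of the Docker documentation, checks this more directly: it reads the AppArmor label of the container's init process and its children from /proc/<pid>/attr/current, confirms that each is under the expected profile in enforce mode, lists which network mediation feature directories the kernel advertises under /sys/kernel/security/apparmor/features, and re-runs apparmor_parser on the profile in skip-load mode so that any warnings it prints are visible. The container and profile names default to the ones used in the post; the check helper names (parse_aa_label, confined_as) and the constructed label strings in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): verify that a container's
# processes really run under the intended AppArmor profile in enforce mode,
# and show what the kernel and parser say about network mediation.
set -u

# parse_aa_label LABEL -> prints "<profile> <mode>".
# LABEL is the content of /proc/<pid>/attr/current, e.g. the constructed
# samples "docker-nginx (enforce)", "docker-nginx (complain)" or "unconfined".
parse_aa_label() {
    label=$1
    case "$label" in
        unconfined)
            echo "unconfined -" ;;
        *' ('*')')
            name=${label%% (*}      # strip " (mode)" suffix
            mode=${label##* (}      # keep text after the last " ("
            mode=${mode%)}          # drop the closing parenthesis
            echo "$name $mode" ;;
        *)
            echo "$label -" ;;      # unknown format, mode unknown
    esac
}

# confined_as PROFILE MODE EXPECTED_PROFILE
# Succeeds only if the label names EXPECTED_PROFILE and the mode is enforce.
confined_as() {
    [ "$1" = "$3" ] && [ "$2" = "enforce" ]
}

# check_container [CONTAINER] [PROFILE]: the system-dependent part.
check_container() {
    container=${1:-apparmor-nginx}
    profile=${2:-docker-nginx}

    pid=$(docker inspect --format '{{.State.Pid}}' "$container") || return 1
    # The container's init process plus its direct children (nginx workers).
    for p in $pid $(pgrep -P "$pid"); do
        raw=$(tr -d '\n' < "/proc/$p/attr/current")
        set -- $(parse_aa_label "$raw")
        if confined_as "$1" "$2" "$profile"; then
            echo "pid $p: $1 ($2) OK"
        else
            echo "pid $p: label '$raw' is NOT '$profile' in enforce mode"
        fi
    done

    # Which network mediation feature(s) does this kernel advertise?
    ls -d /sys/kernel/security/apparmor/features/network* 2>/dev/null \
        || echo "kernel advertises no AppArmor network feature"

    # Recompile without loading (-Q) and with warnings (-W) so that any
    # message about rules the kernel cannot enforce is not missed.
    apparmor_parser -Q -W "/etc/apparmor.d/$profile"
}

# Run the live check only when invoked as: ./aa-check.sh --check [container] [profile]
if [ "${1:-}" = "--check" ]; then
    shift
    check_container "$@"
fi
```

Run it on the host as root (or with sudo) after starting the container. If any process prints "NOT ... in enforce mode", or the parser warns that some rules are not enforced, the observed behaviour is explained by the profile not actually applying to that process or rule, rather than by AppArmor mediation failing.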