[apparmor] Apparmor and Docker - capabilities and network flags not working

John Johansen john.johansen at canonical.com
Sun May 22 11:09:27 UTC 2022


On 5/21/22 14:55, werner_kienzler wrote:
> Hello,
> 
> I try to use AppArmor in conjunction with docker, as in the example explained in the docker docs:
> https://docs.docker.com/engine/security/apparmor/
> 
> I want to describe my problems with this example. I copied over the example policy from this website to
> 
> /etc/apparmor.d/docker-nginx
> 
> Then I parsed the profile:
> $ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx
> 
> and "aa-status" shows that the profile is loaded.
> Starting docker like:
> 
> $ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name apparmor-nginx nginx
> 
> Works as expected - "aa-status" shows that the resulting docker processes are confined, and if I do e.g.
> $ sudo docker container exec -it apparmor-nginx dash
> 
> I end up in a shell (despite "dash" being explicitly denied in the profile), but AppArmor works as expected, e.g. executing:
> # touch /boot/testfile
> 
> in the container is not possible (permission denied).
> 
> So I tried to restrict the profile further. Since I don't want to bind the container to a privileged port (< 1024), I thought I wouldn't need
> 
> capability net_bind_service,
>  
> in the Apparmor profile.
> So I removed the corresponding line in the profile and reloaded the profile. To make sure that everything goes smoothly, I did (after removing the corresponding line):
> 
> $ sudo aa-teardown
> $ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx
> 
> Then I stopped and removed the container:
> $ sudo docker stop apparmor-nginx && sudo docker rm apparmor-nginx
> 
> and restarted it - but again on port 80 (which I expected not to work, since the capability was removed):
> $ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name apparmor-nginx nginx
> 
> But it worked. I could access the nginx server on "http://localhost:80" in my host browser.
> 
> I tried further to disable net access completely and removed the following lines:
> 
> network inet tcp,
> network inet udp,
> network inet icmp,
> 
> and replaced it with:
> 
> deny network,
> 
> Again I reloaded the profiles:
> 
> $ sudo aa-teardown
> $ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx
> 
> restarted the container:
> $ sudo docker stop apparmor-nginx && sudo docker rm apparmor-nginx
> $ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name apparmor-nginx nginx
> 
> Which works fine - despite the missing capabilities and the "deny network" directive.
> Then I started again a session in the container:
> $ sudo docker container exec -it apparmor-nginx dash
> 

Is docker using user namespaces, or network namespaces?

> And e.g. a
> # curl www.google.com
> 
> is working - I get the expected output, despite "deny network".
> So my main concerns are:
> 1. despite disabling "capability net_bind_service" I can bind to port 80
> 2. despite "deny network" I can use curl
> 
> I'm using Arch Linux on the host, with Apparmor 3.0.4 and docker 1.20.10.16.
> 
What is your kernel version? And do you have any non-upstream patches on it?

> Can anybody help me with this problem? From my point of view this should not be possible, or can anybody give me an explanation?
> 
> Thanks
> 
> Werner
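Added example (my own, not code from the thread, from AppArmor or from Docker): a POSIX sh helper that checks what actually confines a running container, namely the profile label and mode its main process carries, whether CAP_NET_BIND_SERVICE is still in its capability bounding set, and the value of net.ipv4.ip_unprivileged_port_start in its network namespace, since Docker 20.10 and later set that to 0 inside the container so binding port 80 consults no capability rule at all. It assumes docker, nsenter and sysctl on the host; the container name is the thread's, and the /proc status sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Docker): verify what really applies
# to a container's main process instead of trusting the profile text alone.

# AppArmor label of a process, as read from /proc/<pid>/attr/current,
# e.g. "docker-nginx (enforce)" or just "unconfined".
aa_profile_of() { printf '%s\n' "$1" | sed 's/ ([a-z]*)$//'; }
aa_mode_of()    { printf '%s\n' "$1" | sed -n 's/.* (\([a-z]*\))$/\1/p'; }

# CapBnd line of /proc/<pid>/status: the capability bounding set as a hex mask.
cap_bnd_of_status() { printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p'; }

# Is capability number $2 (CAP_NET_BIND_SERVICE is 10) set in hex mask $1?
# Removing "capability net_bind_service" from an AppArmor profile does not clear
# this bit; only docker's --cap-drop does. AppArmor mediates on top of the set.
cap_in_mask() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# Does binding port $1 still need CAP_NET_BIND_SERVICE, given the netns value of
# net.ipv4.ip_unprivileged_port_start ($2)? Docker 20.10+ sets it to 0 inside
# the container, so port 80 needs no capability and no capability rule is hit.
port_needs_cap() { [ "$1" -lt "$2" ]; }

# Live use on the thread's container (needs docker, nsenter, sysctl, root):
check_container() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    label=$(cat "/proc/$pid/attr/current")
    echo "profile=$(aa_profile_of "$label") mode=$(aa_mode_of "$label")"
    bnd=$(cap_bnd_of_status "$(cat "/proc/$pid/status")")
    cap_in_mask "$bnd" 10 && echo "CAP_NET_BIND_SERVICE in bounding set ($bnd)"
    start=$(nsenter -t "$pid" -n sysctl -n net.ipv4.ip_unprivileged_port_start)
    if port_needs_cap 80 "$start"; then echo "port 80 needs the capability"
    else echo "port 80 is unprivileged in this netns (start=$start)"; fi
}

# Constructed sample of /proc/<pid>/status for an nginx container started with
# docker's default capability set (bounding mask 00000000a80425fb).
SAMPLE_STATUS='Name:	nginx
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb'

# Offline run on the sample; on a host use: check_container apparmor-nginx
bnd=$(cap_bnd_of_status "$SAMPLE_STATUS")
cap_in_mask "$bnd" 10 && echo "sample: CAP_NET_BIND_SERVICE present in $bnd"
port_needs_cap 80 0 || echo "sample: with ip_unprivileged_port_start=0, port 80 needs no capability"
```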
