[apparmor] Apparmor and Docker - capabilities and network flags not working

John Johansen john.johansen at canonical.com
Mon May 23 03:11:43 UTC 2022


On 5/22/22 06:43, werner_kienzler wrote:
> Hello,
> 
>> is docker using user namespaces, or network namespaces?
> Good question - I didn't enable "user namespace isolation" in the docker daemon (so I don't set "userns-remap" in "/etc/docker/daemon.json"), so I assume I'm using network namespaces? But I don't have deeper knowledge in this topic - should I run some test here or configure something?
> 

I need to do some digging on the docker side before I can say what configs you need to look at or tests for you to run.

> 
>> What is your kernel version? And do you have any non-upstream patches on it?
> I use an up-to-date kernel of my distro, which is 5.17.9. It is 100% vanilla and has no patches applied to it.
> 

Can you dump the loaded profile and send it to me? Basically

sudo cat /sys/kernel/security/apparmor/policy/profiles/docker-nginx.*/raw_data > /tmp/raw_profile

where * is going to match some unique number, and send me the raw_profile file. This will let me pick out how the parser is compiling the profile, which will help with figuring out why network deny is not working.
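As an added illustration (not part of John's message or of the AppArmor project's tooling), a small POSIX shell helper that does the dump above more carefully: it matches on each directory's `name` file rather than trusting the glob, which can also catch a differently named profile whose name shares the prefix, reports the loaded mode, and writes `raw_data` to the requested output file. It assumes the securityfs layout where each loaded profile has a directory `<name>.<id>` holding `name`, `mode` and `raw_data`, and takes the base directory as an optional parameter so it can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: dump the kernel-compiled policy blob for one loaded AppArmor profile.
# Assumed layout (securityfs): $base/<profile>.<id>/{name,mode,raw_data}
# Usage (as root, since raw_data is root-readable):
#   . ./dump_profile.sh; dump_raw_profile docker-nginx /tmp/raw_profile
# Prints the matched directory on stdout.
# Returns 1 if no profile matches, 2 if the name is ambiguous, 3 if raw_data could not be read.
dump_raw_profile() {
    profile=$1
    out=$2
    base=${3:-/sys/kernel/security/apparmor/policy/profiles}
    found=""
    for dir in "$base"/"$profile".*; do
        [ -f "$dir/name" ] || continue
        # The glob "<profile>.*" also matches e.g. "<profile>.old.7", so compare
        # against the kernel-reported name ($(...) strips the trailing newline).
        [ "$(cat "$dir/name")" = "$profile" ] || continue
        if [ -n "$found" ]; then
            echo "ambiguous: $found and $dir are both named $profile" >&2
            return 2
        fi
        found=$dir
    done
    if [ -z "$found" ]; then
        echo "no loaded profile named $profile under $base" >&2
        return 1
    fi
    # mode is useful context: a deny rule does nothing if the profile is in complain mode.
    echo "profile $profile is loaded in mode: $(cat "$found/mode")" >&2
    # raw_data is only readable by root; fail cleanly rather than writing an empty file.
    cat "$found/raw_data" > "$out" || return 3
    echo "$found"
}
```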