2015-11-22 20:15:39 -05:00
|
|
|
<!-- [metadata]>
|
|
|
|
|
+++
|
2015-11-14 21:01:24 -05:00
|
|
|
title = "AppArmor security profiles for Docker"
|
|
|
|
|
description = "Enabling AppArmor in Docker"
|
|
|
|
|
keywords = ["AppArmor, security, docker, documentation"]
|
|
|
|
|
[menu.main]
|
|
|
|
|
parent= "smn_secure_docker"
|
2015-11-22 20:15:39 -05:00
|
|
|
+++
|
|
|
|
|
<![end-metadata]-->
|
|
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
# AppArmor security profiles for Docker
|
2015-07-28 14:48:18 -04:00
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
AppArmor (Application Armor) is a Linux security module that protects an
|
|
|
|
|
operating system and its applications from security threats. To use it, a system
|
|
|
|
|
administrator associates an AppArmor security profile with each program. Docker
|
2015-07-28 14:48:18 -04:00
|
|
|
expects to find an AppArmor policy loaded and enforced.
|
|
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
Docker automatically loads container profiles. A profile for the Docker Engine
|
|
|
|
|
itself also exists and is installed with the official *.deb* packages in
|
|
|
|
|
`/etc/apparmor.d/docker` file.
|
|
|
|
|
|
2015-07-28 14:48:18 -04:00
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
## Understand the policies
|
|
|
|
|
|
|
|
|
|
The `docker-default` profile is the default for running containers. It is
|
|
|
|
|
moderately protective while providing wide application compatibility. The
|
|
|
|
|
profile is the following:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
#include <tunables/global>
|
2015-07-28 14:48:18 -04:00
|
|
|
|
|
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
profile docker-default flags=(attach_disconnected,mediate_deleted) {
|
2015-07-28 14:48:18 -04:00
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
#include <abstractions/base>
|
2015-07-28 14:48:18 -04:00
|
|
|
|
|
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
network,
|
|
|
|
|
capability,
|
|
|
|
|
file,
|
|
|
|
|
umount,
|
2015-07-28 14:48:18 -04:00
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
|
|
|
|
|
deny @{PROC}/sysrq-trigger rwklx,
|
|
|
|
|
deny @{PROC}/mem rwklx,
|
|
|
|
|
deny @{PROC}/kmem rwklx,
|
|
|
|
|
deny @{PROC}/kcore rwklx,
|
2015-07-28 14:48:18 -04:00
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
deny mount,
|
2015-07-28 14:48:18 -04:00
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
deny /sys/[^f]*/** wklx,
|
|
|
|
|
deny /sys/f[^s]*/** wklx,
|
|
|
|
|
deny /sys/fs/[^c]*/** wklx,
|
|
|
|
|
deny /sys/fs/c[^g]*/** wklx,
|
|
|
|
|
deny /sys/fs/cg[^r]*/** wklx,
|
|
|
|
|
deny /sys/firmware/efi/efivars/** rwklx,
|
|
|
|
|
deny /sys/kernel/security/** rwklx,
|
|
|
|
|
}
|
2015-07-28 14:48:18 -04:00
|
|
|
```
|
2015-11-14 21:01:24 -05:00
|
|
|
|
|
|
|
|
When you run a container, it uses the `docker-default` policy unless you
|
|
|
|
|
override it with the `security-opt` option. For example, the following
|
|
|
|
|
explicitly specifies the default policy:
|
|
|
|
|
|
|
|
|
|
```bash
|
2015-07-28 14:48:18 -04:00
|
|
|
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
|
|
|
|
|
```
|
|
|
|
|
|
2015-11-14 21:01:24 -05:00
|
|
|
## Contributing to AppArmor code in Docker
|
|
|
|
|
|
|
|
|
|
Advanced users and package managers can find a profile for `/usr/bin/docker`
|
|
|
|
|
underneath
|
|
|
|
|
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
|
|
|
|
|
in the Docker Engine source repository.
|
