mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
way better apparmor docs
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
This commit is contained in:
parent
b5420be597
commit
a6701790ee
1 changed files with 112 additions and 4 deletions
|
@ -16,10 +16,15 @@ operating system and its applications from security threats. To use it, a system
|
||||||
administrator associates an AppArmor security profile with each program. Docker
|
administrator associates an AppArmor security profile with each program. Docker
|
||||||
expects to find an AppArmor policy loaded and enforced.
|
expects to find an AppArmor policy loaded and enforced.
|
||||||
|
|
||||||
Docker automatically loads container profiles. A profile for the Docker Engine
|
Docker automatically loads container profiles. The Docker binary installs
|
||||||
itself also exists and is installed with the official *.deb* packages in
|
a `docker-default` profile in the `/etc/apparmor.d/docker` file. This profile
|
||||||
`/etc/apparmor.d/docker` file.
|
is used on containers, _not_ on the Docker Daemon.
|
||||||
|
|
||||||
|
A profile for the Docker Engine Daemon exists but it is not currently installed
|
||||||
|
with the deb packages. If you are interested in the source for the Daemon
|
||||||
|
profile, it is located in
|
||||||
|
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
|
||||||
|
in the Docker Engine source repository.
|
||||||
|
|
||||||
## Understand the policies
|
## Understand the policies
|
||||||
|
|
||||||
|
@ -67,9 +72,112 @@ explicitly specifies the default policy:
|
||||||
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
|
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Loading and Unloading Profiles
|
||||||
|
|
||||||
|
To load a new profile into AppArmor, for use with containers:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ apparmor_parser -r -W /path/to/your_profile
|
||||||
|
```
|
||||||
|
|
||||||
|
Then you can run the custom profile with `--security-opt` like so:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ docker run --rm -it --security-opt apparmor:your_profile hello-world
|
||||||
|
```
|
||||||
|
|
||||||
|
To unload a profile from AppArmor:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# stop apparmor
|
||||||
|
$ /etc/init.d/apparmor stop
|
||||||
|
# unload the profile
|
||||||
|
$ apparmor_parser -R /path/to/profile
|
||||||
|
# start apparmor
|
||||||
|
$ /etc/init.d/apparmor start
|
||||||
|
```
|
||||||
|
|
||||||
|
## Debugging AppArmor
|
||||||
|
|
||||||
|
### Using `dmesg`
|
||||||
|
|
||||||
|
Here are some helpful tips for debugging any problems you might be facing with
|
||||||
|
regard to AppArmor.
|
||||||
|
|
||||||
|
AppArmor sends quite verbose messaging to `dmesg`. Usually an AppArmor line
|
||||||
|
will look like the following:
|
||||||
|
|
||||||
|
```
|
||||||
|
[ 5442.864673] audit: type=1400 audit(1453830992.845:37): apparmor="ALLOWED" operation="open" profile="/usr/bin/docker" name="/home/jessie/docker/man/man1/docker-attach.1" pid=10923 comm="docker" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
|
||||||
|
```
|
||||||
|
|
||||||
|
In the above example, the you can see `profile=/usr/bin/docker`. This means the
|
||||||
|
user has the `docker-engine` (Docker Engine Daemon) profile loaded.
|
||||||
|
|
||||||
|
> **Note:** On version of Ubuntu > 14.04 this is all fine and well, but Trusty
|
||||||
|
> users might run into some issues when trying to `docker exec`.
|
||||||
|
|
||||||
|
Let's look at another log line:
|
||||||
|
|
||||||
|
```
|
||||||
|
[ 3256.689120] type=1400 audit(1405454041.341:73): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=17651 comm="docker" requested_mask="receive" denied_mask="receive"
|
||||||
|
```
|
||||||
|
|
||||||
|
This time the profile is `docker-default`, which is run on containers by
|
||||||
|
default unless in `privileged` mode. It is telling us, that apparmor has denied
|
||||||
|
`ptrace` in the container. This is great.
|
||||||
|
|
||||||
|
### Using `aa-status`
|
||||||
|
|
||||||
|
If you need to check which profiles are loaded you can use `aa-status`. The
|
||||||
|
output looks like:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ sudo aa-status
|
||||||
|
apparmor module is loaded.
|
||||||
|
14 profiles are loaded.
|
||||||
|
1 profiles are in enforce mode.
|
||||||
|
docker-default
|
||||||
|
13 profiles are in complain mode.
|
||||||
|
/usr/bin/docker
|
||||||
|
/usr/bin/docker///bin/cat
|
||||||
|
/usr/bin/docker///bin/ps
|
||||||
|
/usr/bin/docker///sbin/apparmor_parser
|
||||||
|
/usr/bin/docker///sbin/auplink
|
||||||
|
/usr/bin/docker///sbin/blkid
|
||||||
|
/usr/bin/docker///sbin/iptables
|
||||||
|
/usr/bin/docker///sbin/mke2fs
|
||||||
|
/usr/bin/docker///sbin/modprobe
|
||||||
|
/usr/bin/docker///sbin/tune2fs
|
||||||
|
/usr/bin/docker///sbin/xtables-multi
|
||||||
|
/usr/bin/docker///sbin/zfs
|
||||||
|
/usr/bin/docker///usr/bin/xz
|
||||||
|
38 processes have profiles defined.
|
||||||
|
37 processes are in enforce mode.
|
||||||
|
docker-default (6044)
|
||||||
|
...
|
||||||
|
docker-default (31899)
|
||||||
|
1 processes are in complain mode.
|
||||||
|
/usr/bin/docker (29756)
|
||||||
|
0 processes are unconfined but have a profile defined.
|
||||||
|
```
|
||||||
|
|
||||||
|
In the above output you can tell that the `docker-default` profile running on
|
||||||
|
various container PIDs is in `enforce` mode. This means AppArmor will actively
|
||||||
|
block and audit in `dmesg` anything outside the bounds of the `docker-default`
|
||||||
|
profile.
|
||||||
|
|
||||||
|
The output above also shows the `/usr/bin/docker` (Docker Engine Daemon)
|
||||||
|
profile is running in `complain` mode. This means AppArmor will _only_ log to
|
||||||
|
`dmesg` activity outside the bounds of the profile. (Except in the case of
|
||||||
|
Ubuntu Trusty, where we have seen some interesting behaviors being enforced.)
|
||||||
|
|
||||||
## Contributing to AppArmor code in Docker
|
## Contributing to AppArmor code in Docker
|
||||||
|
|
||||||
Advanced users and package managers can find a profile for `/usr/bin/docker`
|
Advanced users and package managers can find a profile for `/usr/bin/docker`
|
||||||
underneath
|
(Docker Engine Daemon) underneath
|
||||||
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
|
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
|
||||||
in the Docker Engine source repository.
|
in the Docker Engine source repository.
|
||||||
|
|
||||||
|
The `docker-default` profile for containers lives in
|
||||||
|
[profiles/apparmor](https://github.com/docker/docker/tree/master/profiles/apparmor).
|
||||||
|
|
Loading…
Reference in a new issue