
AppArmor policy to deny network packets is not working #43556

Open
rayandasoriya opened this issue May 3, 2022 · 5 comments

Comments


rayandasoriya commented May 3, 2022

Description

The AppArmor policy to deny network packets is not working in v20.10.13 and v20.10.14 for an Ubuntu docker image. It was working in v20.10.12.

Steps to reproduce the issue:

  1. Use docker version v20.10.14
  2. Create an AppArmor policy:
cat > /tmp/no_ping <<EOF
#include <tunables/global>

profile no-ping flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet tcp,
  network inet udp,
  network inet icmp,

  deny network raw,
  deny network packet,
  file,
  mount,
}
EOF
  3. Load the profile in AppArmor: /sbin/apparmor_parser --replace --write-cache /tmp/no_ping
  4. Create a Dockerfile with Ubuntu 22.04 and ping capabilities:
cat > Dockerfile <<EOF
FROM ubuntu:22.04
RUN apt-get update && apt install -y iputils-ping
EOF
  5. Create a docker image using docker build -t ubuntu-test .
  6. Run a container with the policy: docker run --rm -i --security-opt apparmor=no-ping ubuntu-test:latest ping -c3 8.8.8.8

Describe the results you received:

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=1.54 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=1.44 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=114 time=1.34 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.346/1.444/1.541/0.079 ms

Describe the results you expected:

ping: icmp open socket: Permission denied

Additional information you deem important (e.g. issue happens only occasionally):

This was a working solution until Docker v20.10.12. Also, the above workflow is not working for an Ubuntu image but is working for Debian (debian:jessie).

Output of docker version:

$ sudo docker version
Client: Docker Engine - Community
 Version:           20.10.14
 API version:       1.41
 Go version:        go1.16.15
 Git commit:        a224086
 Built:             Thu Mar 24 01:47:47 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.14
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.15
  Git commit:       87a90dc
  Built:            Thu Mar 24 01:45:38 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.11
  GitCommit:        3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

$ sudo docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.1-docker)
  compose: Docker Compose (Docker Inc., v2.3.3)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 20.10.14
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc version: v1.0.3-0-gf46b6ba
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.0-1003-gcp
 Operating System: Ubuntu 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.831GiB
 Name: ubuntu-test-1
 ID: JBHY:6IDZ:ZKK5:WHT6:YHK3:WKF7:UVXL:SZT2:3BZD:IMKG:ZLGB:CGAG
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

Running Ubuntu 22.04 LTS on GCP.

@rayandasoriya (Author)

Thanks @thaJeztah. Updating the policy to deny icmp packets fixed the issue.
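A check worth running before writing a profile like the one in the reproduction above. Modern iputils ping first tries an ICMP datagram socket (SOCK_DGRAM with IPPROTO_ICMP), which the kernel lets an unprivileged process open when the caller's group lies inside net.ipv4.ping_group_range, and only falls back to a raw socket otherwise. The profile denies raw and packet sockets but allows inet datagram sockets through its `network inet udp` rule, so wherever the datagram path is open ping is not blocked; that is consistent with the reporter's fix of denying ICMP explicitly. The script below is an added example (it is not part of Docker, AppArmor or iputils): it parses the sysctl, reports whether the current gid falls in the range, and probes both socket types so you can see which path ping would take inside a container before deciding which rules a profile needs. The `/proc` path and the fallback default `1 0` (the empty kernel default) are assumptions about a standard Linux host.

```python
"""Probe which ICMP socket types this process may open, and whether the sysctl
net.ipv4.ping_group_range lets an unprivileged ping use an ICMP datagram
("ping") socket.  Added example for this issue; not Docker/AppArmor/iputils code."""
import errno
import os
import socket

# Assumed standard location of the sysctl on a Linux host.
PING_GROUP_RANGE_PATH = "/proc/sys/net/ipv4/ping_group_range"


def parse_ping_group_range(text):
    """Parse the sysctl contents ("low<TAB>high").  The kernel default "1 0"
    is an empty range: no group may use ping sockets."""
    low, high = text.split()
    return int(low), int(high)


def gid_may_use_ping_socket(range_text, gid):
    """True if a process with this gid may open SOCK_DGRAM/IPPROTO_ICMP."""
    low, high = parse_ping_group_range(range_text)
    return low <= gid <= high


def probe_icmp_sockets():
    """Try both socket types ping can use and return the errno name for each
    (None means the socket was created).  Raw needs CAP_NET_RAW; the datagram
    type needs the caller's gid inside ping_group_range.  An AppArmor deny on
    either type shows up here as EACCES, which is exactly what a profile
    intended to stop ping should produce for the path ping actually takes."""
    results = {}
    for name, sock_type in (("raw", socket.SOCK_RAW), ("dgram", socket.SOCK_DGRAM)):
        try:
            s = socket.socket(socket.AF_INET, sock_type, socket.IPPROTO_ICMP)
            s.close()
            results[name] = None
        except OSError as e:
            results[name] = errno.errorcode.get(e.errno, str(e.errno))
    return results


def local_ping_socket_status():
    """Combine the sysctl check with the live probe for the current process."""
    try:
        with open(PING_GROUP_RANGE_PATH) as f:
            range_text = f.read()
    except OSError:
        range_text = "1\t0"  # no procfs available: assume the empty kernel default
    return {
        "ping_group_range": range_text.strip(),
        "gid_in_range": gid_may_use_ping_socket(range_text, os.getgid()),
        "sockets": probe_icmp_sockets(),
    }


if __name__ == "__main__":
    status = local_ping_socket_status()
    print(status)
    if status["sockets"]["dgram"] is None:
        print("ping can use an ICMP datagram socket here; a profile that only "
              "denies raw/packet sockets will not stop it")
```

Run it inside the container both with and without `--security-opt apparmor=...`: if the `dgram` entry stays `None` under the profile, the profile is not mediating the socket ping is using, and the ICMP rule itself needs to be a deny.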

@thaJeztah (Member)

Good to hear that helped!

@vteratipally

/reopen

@vteratipally

This issue is happening in docker 23.0.0-rc.3.

@rayandasoriya rayandasoriya reopened this Jan 31, 2023