Steps to reproduce the issue:

Load the profile in AppArmor:

```shell
/sbin/apparmor_parser --replace --write-cache /tmp/no_ping
```

Create a Dockerfile with Ubuntu 22.04 and ping capabilities:

```shell
cat > Dockerfile <<EOF
FROM ubuntu:22.04
RUN apt-get update && apt install -y iputils-ping
EOF
```

Create a docker image:

```shell
docker build -t ubuntu-test .
```

Run a container with the policy:

```shell
docker run --rm -i --security-opt apparmor=no-ping ubuntu-test:latest ping -c3 8.8.8.8
```
Describe the results you received:

```
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=1.54 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=1.44 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=114 time=1.34 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.346/1.444/1.541/0.079 ms
```
Describe the results you expected:

```
ping: icmp open socket: Permission denied
```
Additional information you deem important (e.g. issue happens only occasionally):

This was a working solution until Docker v20.10.12. Also, the above workflow is not working for an Ubuntu image but is working for Debian (debian:jessie).
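The reproduction above, scripted end to end as an added example (this is not code from the issue, from Docker, or from the Docker documentation). The issue never shows the contents of /tmp/no_ping; the script assumes it is the `no-ping` example profile from the Docker AppArmor documentation, which the reported commands follow. The `RUN_REPRO`, `PROFILE_PATH`, `IMAGE_TAG` and `BASE_IMAGE` variables and all function names are my own. Besides driving the steps, it records two diagnostics a defender wants when a policy does not bite as expected: whether the profile is actually attached to the container process, and the kernel's `ping_group_range`.

```shell
#!/bin/sh
# Added example, not code from the issue or from Docker: drives the reproduction
# above end to end and classifies the outcome so it can be checked mechanically.
# Set RUN_REPRO=1 to actually run it (needs root, Docker and an AppArmor kernel);
# without it only the functions are defined.

PROFILE_PATH="${PROFILE_PATH:-/tmp/no_ping}"   # same path as in the issue
IMAGE_TAG="${IMAGE_TAG:-ubuntu-test}"
BASE_IMAGE="${BASE_IMAGE:-ubuntu:22.04}"       # e.g. BASE_IMAGE=debian:jessie to compare

# The issue never shows /tmp/no_ping. This is the "no-ping" profile from the
# Docker AppArmor documentation (assumption: the reporter used the same one).
# It denies raw and packet sockets but still allows inet icmp, so an ICMP
# datagram ("ping") socket is permitted by it while a raw socket is refused.
write_no_ping_profile() {
  cat > "$1" <<'EOF'
#include <tunables/global>

profile no-ping flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet tcp,
  network inet udp,
  network inet icmp,

  deny network raw,
  deny network packet,
  file,
  mount,
}
EOF
}

# Pure helper: "denied" if ping could not open its socket, "allowed" if echo
# replies came back, "unknown" otherwise (e.g. name resolution or link failure).
classify_ping_output() {
  case "$1" in
    *"Permission denied"*|*"Operation not permitted"*) echo denied ;;
    *"bytes from"*)                                    echo allowed ;;
    *)                                                 echo unknown ;;
  esac
}

# Build the test image from a throwaway build context (mirrors the Dockerfile above).
build_test_image() {
  ctx="$(mktemp -d)"
  cat > "$ctx/Dockerfile" <<EOF
FROM $BASE_IMAGE
RUN apt-get update && apt-get install -y iputils-ping
EOF
  docker build -t "$IMAGE_TAG" "$ctx"
}

# Run ping under the profile and return its combined output. A non-zero exit
# from ping is the expected outcome when the socket is denied, so it is swallowed.
run_probe() {
  docker run --rm --security-opt apparmor=no-ping "$IMAGE_TAG:latest" \
    ping -c3 8.8.8.8 2>&1 || true
}

# Diagnostics for a surprising result. First line: the AppArmor label of the
# container process (expect "no-ping (enforce)"). Second line: the gid range the
# kernel lets open unprivileged ICMP datagram sockets, which is the path ping
# takes before falling back to a raw socket.
show_container_state() {
  docker run --rm --security-opt apparmor=no-ping "$IMAGE_TAG:latest" \
    cat /proc/self/attr/current /proc/sys/net/ipv4/ping_group_range
}

if [ "${RUN_REPRO:-0}" = 1 ]; then
  write_no_ping_profile "$PROFILE_PATH"
  /sbin/apparmor_parser --replace --write-cache "$PROFILE_PATH"
  build_test_image
  out="$(run_probe)"
  printf '%s\n' "$out"
  show_container_state
  echo "result: $(classify_ping_output "$out") (expected by the report: denied)"
fi
```

Run it on the host as `sudo RUN_REPRO=1 sh repro.sh`, then again with `BASE_IMAGE=debian:jessie` to compare the two images the issue mentions. The two lines printed by `show_container_state` separate the case "profile was never attached" (first line is not `no-ping (enforce)`) from the case "profile is attached but this policy does not cover the socket type ping used": the profile allows `network inet icmp` and only denies raw and packet sockets, so a ping that opens an ICMP datagram socket is permitted by it and only a ping that needs a raw socket is refused.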
Output of docker version:

```
$ sudo docker version
Client: Docker Engine - Community
 Version:           20.10.14
 API version:       1.41
 Go version:        go1.16.15
 Git commit:        a224086
 Built:             Thu Mar 24 01:47:47 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.14
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.15
  Git commit:       87a90dc
  Built:            Thu Mar 24 01:45:38 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.11
  GitCommit:        3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
Description

The AppArmor policy to deny network packets is not working in v20.10.13 and v20.10.14 for an Ubuntu Docker image. It was working in v20.10.12.
Additional environment details (AWS, VirtualBox, physical, etc.):
Running Ubuntu 22.04 LTS on GCP.