
AppArmor profile is not loaded #46096

Open
erikschul opened this issue Jul 28, 2023 · 1 comment
Labels
area/security/apparmor kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage version/24.0

Comments

erikschul commented Jul 28, 2023

Description

When explicitly applying an AppArmor profile, processes run as unconfined.

Reproduce

cat > /etc/apparmor.d/containers/docker-empty <<EOF
#include <tunables/global>

profile docker-empty flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  file,
  deny /etc/** wl,

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,
}
EOF

apparmor_parser -r -W /etc/apparmor.d/containers/docker-empty

docker run --security-opt "apparmor=docker-empty" --rm -it debian:12 bash -c "sleep infinity"

# returns "unconfined"
cat /proc/$(pgrep sleep)/attr/current

Expected behavior

Processes should run with the AppArmor profile docker-empty.
This works correctly with podman.

docker version

Client: Docker Engine - Community
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.6
 Git commit:        ced0996
 Built:             Fri Jul 21 20:35:41 2023
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.6
  Git commit:       a61e2b4
  Built:            Fri Jul 21 20:35:41 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    24.0.5
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.20.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 6
  Running: 6
  Paused: 0
  Stopped: 0
 Images: 6
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: v1.1.7-0-g860f061
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-10-arm64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.567GiB
 Name: w1
 ID: 
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

docker inspect <container id>:

...
"AppArmorProfile": "docker-empty",
...
"SecurityOpt": [
    "apparmor=docker-empty"
],
...
@erikschul erikschul added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels Jul 28, 2023
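The discrepancy reported above is that `docker inspect` records `AppArmorProfile: docker-empty` while the kernel reports `unconfined` for the container's processes. The following is an added checker, not code from the issue or from the Docker project, that parses `/proc/<pid>/attr/current` and flags every process whose label is not the expected profile in enforce mode; the live mode assumes `docker` is on PATH and that `docker top` passes `-o pid` through to `ps`. The sample data is constructed to mirror the report.

```python
"""Cross-check the AppArmor profile Docker claims to apply against the
label the kernel actually reports for the container's processes."""
import json
import re
import subprocess
from pathlib import Path

# Kernel label format: "<profile> (enforce|complain)" or "unconfined".
_LABEL_RE = re.compile(r"^(?P<name>\S+)(?: \((?P<mode>\w+)\))?$")

# Constructed sample data mirroring the report: Docker says docker-empty,
# the kernel says unconfined for one process and confined for another.
SAMPLE_INSPECT = ('[{"Id": "constructed", "AppArmorProfile": "docker-empty",'
                  ' "HostConfig": {"SecurityOpt": ["apparmor=docker-empty"]}}]')
SAMPLE_LABELS = {"1234": "unconfined\n", "1235": "docker-empty (enforce)\n"}


def parse_attr_current(text):
    """Parse the raw content of /proc/<pid>/attr/current into (profile, mode)."""
    m = _LABEL_RE.match(text.rstrip("\x00").strip())
    if not m:
        raise ValueError(f"unexpected AppArmor label: {text!r}")
    return m.group("name"), m.group("mode")  # mode is None for "unconfined"


def expected_profile(inspect_json):
    """Profile name Docker recorded for the container (docker inspect output)."""
    data = json.loads(inspect_json)
    container = data[0] if isinstance(data, list) else data
    return container.get("AppArmorProfile") or ""


def check_confinement(expected, labels):
    """Return [(pid, label)] for processes not confined by `expected` in enforce mode.

    `labels` maps pid -> raw attr/current text. Unconfined processes, complain
    mode and a different profile are all reported as mismatches.
    """
    mismatches = []
    for pid, raw in labels.items():
        name, mode = parse_attr_current(raw)
        if name != expected or mode != "enforce":
            mismatches.append((pid, raw.rstrip("\x00").strip()))
    return mismatches


def live_check(container):
    """Read the real values from docker and /proc for a running container."""
    inspect = subprocess.run(["docker", "inspect", container],
                             check=True, capture_output=True, text=True).stdout
    top = subprocess.run(["docker", "top", container, "-o", "pid"],
                         check=True, capture_output=True, text=True).stdout
    pids = [ln.strip() for ln in top.splitlines()[1:] if ln.strip()]  # skip header
    labels = {p: Path(f"/proc/{p}/attr/current").read_text() for p in pids}
    return check_confinement(expected_profile(inspect), labels)
```

Running `live_check("<container id>")` on the reproduction above should return an empty list once the profile is actually applied; on the affected setup it lists the `sleep` PID with label `unconfined`.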
erikschul (Author) commented

Possibly related: #44984
