On 5/21/22 14:55, werner_kienzler wrote:
> Hello,
>
> I try to use AppArmor in conjunction with docker, as in the example explained
> in the docker docs:
> https://docs.docker.com/engine/security/apparmor/
>
> I want to describe my problems with this example. I copied over the example
> policy from this website to
>
> /etc/apparmor.d/docker-nginx
>
> Then I parsed the profile:
> $ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx
>
> and "aa-status" shows that the profile is loaded.
> Starting docker like:
>
> $ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name
> apparmor-nginx nginx
>
> works as expected - "aa-status" shows that the resulting docker processes
> are confined, and if I do e.g.
> $ sudo docker container exec -it apparmor-nginx dash
>
> I end up in a shell (despite "dash" being explicitly denied in the profile),
> but AppArmor works as expected, e.g. executing:
> # touch /boot/testfile
>
> in the container is not possible (permission denied).
>
> So I tried to restrict the profile further. Since I don't want to bind the
> container to a privileged port (< 1024), I thought I don't need
>
> capability net_bind_service,
>
> in the AppArmor profile.
> So I removed the corresponding line in the profile and reloaded the profile.
> To be sure that everything goes smoothly, I did (after removing the
> corresponding line):
>
> $ sudo aa-teardown
> $ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx
>
> Then I stopped and removed the container:
> $ sudo docker stop apparmor-nginx && sudo docker rm apparmor-nginx
>
> and restarted it - but again on port 80 (which I expected not to work, since
> the capability was removed):
> $ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name
> apparmor-nginx nginx
>
> But it worked. I could access the nginx server on "http://localhost:80"
> in my host browser.
>
> I tried further to disable net access completely and removed the following
> lines:
>
> network inet tcp,
> network inet udp,
> network inet icmp,
>
> and replaced them with:
>
> deny network,
>
> Again I reloaded the profiles:
>
> $ sudo aa-teardown
> $ sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx
>
> restarted the container:
> $ sudo docker stop apparmor-nginx && sudo docker rm apparmor-nginx
> $ sudo docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name
> apparmor-nginx nginx
>
> which works fine - despite the missing capabilities and the "deny network"
> directive.
> Then I started again a session in the container:
> $ sudo docker container exec -it apparmor-nginx dash
>

is docker using user namespaces, or network namespaces?

> And e.g. a
> # curl www.google.com
>
> is working - I get the expected output, despite "deny network".
> So my main concerns are:
> 1. despite disabling "capability net_bind_service" I can bind to port 80
> 2. despite "deny network" I can use curl
>
> I'm using Arch Linux on the host, with AppArmor 3.0.4 and docker 1.20.10.16.

What is your kernel version? And do you have any non-upstream patches on it?

> Can anybody help me with this problem? From my point of view this should not
> be possible, or can anybody give me an explanation?
>
> Thanks
>
> Werner
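An added check, not code from either participant in this thread, that a defender would run on the host to see what is actually in effect for the container before blaming the profile: which AppArmor label and mode the container's init process carries, whether CAP_NET_BIND_SERVICE is still in its bounding set, whether port 80 even needs that capability inside the container's network namespace, and whether the kernel exports network mediation at all. It assumes bash, docker, a readable /proc and securityfs; the container and profile names are the ones from the thread, and the sample status text is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: show from the host what is really in
# effect for a container. Assumes bash, docker, a readable /proc and securityfs;
# apparmor-nginx / docker-nginx are the names used in the thread.
# Profile name and mode from /proc/<pid>/attr/current text, e.g. "docker-nginx (enforce)".
aa_name() { printf '%s\n' "${1% \(*}"; }
aa_mode() {
    case $1 in
        *\(*\)*) local m=${1##*\(}; printf '%s\n' "${m%\)}" ;;
        *)       printf '%s\n' unconfined ;;
    esac
}
# One field of a /proc/<pid>/status text, e.g. status_field CapBnd "$text".
status_field() { printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'; }
# Test one bit of a hex capability mask; CAP_NET_BIND_SERVICE is capability 10.
cap_in_mask() { printf '%d\n' $(( (0x$1 >> $2) & 1 )); }
# One-line verdict from the two /proc texts; pure parsing, runs without docker.
confinement_report() {      # $1 = attr/current text, $2 = status text
    local bnd; bnd=$(status_field CapBnd "$2")
    printf 'profile=%s mode=%s net_bind_service_in_bounding_set=%s\n' \
        "$(aa_name "$1")" "$(aa_mode "$1")" "$(cap_in_mask "$bnd" 10)"
}
# Constructed sample: a status excerpt carrying docker's default bounding set.
SAMPLE_STATUS='Name:   nginx
Pid:    4242
CapBnd: 00000000a80425fb
CapEff: 00000000a80425fb'

check_container() {         # $1 = container name
    local pid; pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 2
    confinement_report "$(cat "/proc/$pid/attr/current")" "$(cat "/proc/$pid/status")"
    # AppArmor "capability" rules are only consulted when the kernel asks for the
    # capability: with ip_unprivileged_port_start=0 in the container's netns,
    # binding port 80 needs no CAP_NET_BIND_SERVICE, so the rule never fires.
    printf 'ip_unprivileged_port_start=%s\n' \
        "$(docker exec "$1" cat /proc/sys/net/ipv4/ip_unprivileged_port_start)"
    # "network" rules need kernel-side network mediation; the kernel exports this
    # feature directory when it has it (path assumed from the securityfs layout).
    if [ -d /sys/kernel/security/apparmor/features/network ]; then
        echo 'kernel: network mediation available'
    else
        echo 'kernel: no network mediation, "network" rules cannot be enforced'
    fi
}
# Only talk to docker when a container name is passed on the command line.
if [ $# -gt 0 ]; then check_container "$1"; fi
```

Run it as `./check.sh apparmor-nginx`; a label of `unconfined` or a mode other than `enforce` already explains the observations, and an unprivileged-port start of 0 explains why dropping the capability rule changes nothing for port 80.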
