On 5/22/22 06:43, werner_kienzler wrote:
> Hello,
>
>> is docker using user namespaces, or network namespaces?
> Good question - I didn't enable "user namespace isolation" in the docker
> daemon (so I don't set "userns-remap" in "/etc/docker/daemon.json"), so I
> assume I'm using network namespaces? But I don't have deeper knowledge in
> this topic - should I run some test here or configure something?
>

I need to do some digging on the docker side before I can say what configs you need to look at or tests for you to run.

>
>> What is your kernel version? And do you have any non-upstream patches on it.
> I use an up to date kernel of my distro, which is 5.17.9. It is 100% vanilla
> and has no patches applied to it.
>

Can you dump the loaded profile and send it to me? Basically

  sudo cat /sys/kernel/security/apparmor/policy/profiles/docker-nginx.*/raw_data > /tmp/raw_profile

where * is going to match some unique number and send me the raw_profile file. This will let me pick out how the parser is compiling the profile which will help with figuring out why network deny is not working.
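The one-liner above relies on the shell glob matching exactly one profile directory. As an added example (not part of this thread, and not AppArmor project code), the helper below performs the same dump but reports instead of silently concatenating when the glob matches zero or several directories, or when the kernel does not expose a `raw_data` file for the profile. The apparmorfs path and the `<profile>.<number>/raw_data` layout are taken from the message; the optional third argument that overrides the base directory is an assumption added so the function can be exercised on a constructed directory tree without root.

```shell
#!/bin/sh
# dump_raw_profile NAME OUT [BASE]
#   NAME  profile name as it appears in apparmorfs, e.g. docker-nginx
#   OUT   file to write the compiled policy blob to
#   BASE  apparmorfs profiles directory; defaults to the real kernel path
#         (assumption: the override exists only to allow offline testing)
dump_raw_profile() {
    name=$1
    out=$2
    base=${3:-/sys/kernel/security/apparmor/policy/profiles}
    matches=0
    found=

    # Count directories matching NAME.<number>; an unmatched glob stays
    # literal, so the -d test also covers the "nothing loaded" case.
    for dir in "$base"/"$name".*; do
        [ -d "$dir" ] || continue
        matches=$((matches + 1))
        found=$dir
    done

    if [ "$matches" -eq 0 ]; then
        echo "dump_raw_profile: no loaded profile named '$name' under $base" >&2
        return 1
    fi
    if [ "$matches" -gt 1 ]; then
        echo "dump_raw_profile: $matches directories match '$name.*'; refusing to concatenate" >&2
        return 2
    fi
    if [ ! -f "$found/raw_data" ]; then
        echo "dump_raw_profile: $found has no raw_data file (kernel does not expose the compiled blob)" >&2
        return 3
    fi

    # Copy the kernel's view of the compiled policy, byte for byte.
    cat "$found/raw_data" > "$out"
}

# Stand-alone usage: dump_raw_profile.sh docker-nginx /tmp/raw_profile
if [ "$#" -ge 2 ]; then
    dump_raw_profile "$@"
fi
```

Reading `raw_data` from the real apparmorfs requires root, so invoke the script with `sudo` when using the default base directory. The non-zero return codes distinguish "nothing loaded" (1), "ambiguous match" (2) and "blob not exposed" (3), which is the first thing to check when a profile that looks correct in `/etc/apparmor.d` does not behave as expected at runtime.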
