AppArmor security profiles for Docker

AppArmor (Application Armor) is a Linux Security Module that confines individual programs with a mandatory access control policy expressed mostly in terms of file paths, capabilities and network access. Because the policy is mandatory, a denial applies even to root, which is what makes it useful inside containers, where the main process often runs as uid 0. To use it, a system administrator associates an AppArmor security profile with each program. Docker expects to find an AppArmor policy loaded and enforced.

Docker automatically generates and loads a default profile for containers named docker-default. The Docker binary generates this profile in tmpfs and then loads it into the kernel, so it is not shipped as a file under /etc/apparmor.d.

Note

This profile is used on containers, not on the Docker daemon.

A profile for the Docker Engine daemon exists but it is not currently installed with the deb packages. If you are interested in the source for the daemon profile, it is located in contrib/apparmor in the Docker Engine source repository.

The docker-default profile is the default for running containers. It is moderately protective while providing wide application compatibility. The profile is generated from a template in the Docker Engine source repository (profiles/apparmor).

When you run a container, it uses the docker-default policy unless you override it with the --security-opt option, or start it with --privileged, which runs it unconfined. For example, --security-opt apparmor=docker-default explicitly requests the default policy.

To load a new profile into AppArmor for use with containers, pass the profile file to apparmor_parser with -r (replace any already-loaded profile of the same name) and -W (write the compiled cache).

Then start the container with --security-opt apparmor=<profile name>. The name is the one declared in the profile's header line, not the file name; if no loaded profile has that name, docker run fails.

To unload a profile from AppArmor, pass the same file to apparmor_parser -R. Do this only after the containers using the profile have stopped: removing a profile leaves the processes it confined unconfined.

Resources for writing profiles

The syntax for file globbing in AppArmor is a bit different from some other globbing implementations: * matches within a single path component and does not cross /, ** matches across directories, and {a,b} is alternation (so /{,usr/}bin/sh matches both /bin/sh and /usr/bin/sh). Paths are matched after symlink resolution, so a rule for /bin/sh does nothing on a merged-/usr image where /bin/sh resolves to /usr/bin/dash. It is highly suggested you consult the AppArmor profile language documentation (the apparmor.d(5) man page and the AppArmor wiki) before writing rules.

In this example, you create a custom AppArmor profile for Nginx named docker-nginx.

  1. Save the custom profile to disk in the /etc/apparmor.d/containers/docker-nginx file.
    The file path in this example is not a requirement. In production, you could use another.
  2. Load the profile with apparmor_parser -r -W on that file.
  3. Run a container with the profile by passing --security-opt apparmor=docker-nginx to docker run.
    To run nginx in detached mode, add -d, and publish port 80 so you can confirm it still serves.
  4. Exec into the running container with docker exec; the exec'd process is confined by the same profile.
  5. Try some operations to test the profile. Operations the profile denies fail with Permission denied inside the container, and each denial is logged by the kernel, where dmesg shows it with profile="docker-nginx".

You just deployed a container secured with a custom AppArmor profile.
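The procedure above, together with the generic load, run and unload steps earlier on this page, collected into one script. This is an added example written for this page, not the page's own profile or Docker project code; the profile it writes is a strict variant in the spirit of the tutorial, and the nginx:latest image, host port 8080, root privileges, and the presence of apparmor_parser, docker and curl are assumptions:

```shell
#!/bin/sh
# Added example (not the page's or Docker's own code): write a custom
# AppArmor profile for an nginx container, load it, start the container under
# it, and probe operations the profile forbids. Assumptions not stated by the
# page: the nginx:latest image, host port 8080, root privileges, and that
# apparmor_parser, docker and curl are installed.
set -eu

PROFILE_PATH="/etc/apparmor.d/containers/docker-nginx"
CONTAINER="docker-nginx"

# write_profile FILE: a strict profile. Everything stays readable, writes
# outside nginx's runtime paths are denied and audited, raw sockets are off,
# and the shells are not executable, so a compromised worker gets no shell.
# Brace alternation covers both /bin and /usr/bin (merged-/usr images).
write_profile() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
#include <tunables/global>

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet tcp,
  network inet udp,
  network inet icmp,
  deny network raw,
  deny network packet,

  file,
  umount,

  deny /bin/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /proc/** wl,
  deny /root/** wl,
  deny /sys/** wl,
  deny /usr/** wl,
  audit /** w,
  /var/run/nginx.pid w,
  /usr/sbin/nginx ix,

  deny /{,usr/}bin/{dash,sh} mrwklx,
  deny /{,usr/}bin/top mrwklx,

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,

  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,
  deny mount,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
EOF
}

# profile_name_from_file FILE: the name declared in the profile header; this,
# not the file name, is what --security-opt apparmor=... must reference.
profile_name_from_file() { sed -n 's/^profile \([^ ]*\).*/\1/p' "$1"; }

# security_opt NAME: the value passed to docker run --security-opt.
security_opt() { printf 'apparmor=%s' "$1"; }

load_profile()   { apparmor_parser -r -W "$1"; }   # -r replace, -W write cache
unload_profile() { apparmor_parser -R "$1"; }      # remove from the kernel

run_demo() {
    write_profile "$PROFILE_PATH"
    load_profile "$PROFILE_PATH"
    name=$(profile_name_from_file "$PROFILE_PATH")
    # The image entrypoint is a /bin/sh script, which this profile denies,
    # so start nginx directly; /usr/sbin/nginx is allowed with ix.
    docker run -d --rm --name "$CONTAINER" --security-opt "$(security_opt "$name")" \
        --entrypoint /usr/sbin/nginx -p 8080:80 nginx:latest -g 'daemon off;'
    sleep 2
    # Both execs should fail with "Permission denied" while nginx keeps serving.
    docker exec "$CONTAINER" bash -c 'touch /root/thing' || echo "write under /root denied"
    docker exec "$CONTAINER" bash -c 'sh -c true'        || echo "exec of sh denied"
    if curl -fsS http://localhost:8080/ >/dev/null; then echo "nginx still serving"; fi
    dmesg | grep 'apparmor="DENIED"' | grep "profile=\"$name\"" | tail -n 5
    docker stop "$CONTAINER"
    unload_profile "$PROFILE_PATH"     # only after its containers are stopped
}

# The live demo runs only when asked for, so the functions can be sourced alone.
if [ "${APPARMOR_DEMO:-0}" = "1" ]; then run_demo; fi
```

Run it with APPARMOR_DEMO=1 as root. The profile is selected by the name on its profile line, so renaming the file changes nothing; renaming the profile inside the file requires reloading it and restarting the containers that reference it.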

You can use dmesg to debug problems and aa-status to check the loaded profiles.

Use dmesg

Here are some helpful tips for debugging any problems you might be facing with regard to AppArmor.

AppArmor sends quite verbose messages to the kernel log, which dmesg shows. Each entry is an audit record carrying apparmor="DENIED" (or "ALLOWED" for a profile in complain mode, "STATUS" for profile loads), followed by operation=, profile= and, depending on the operation, name= (the file path), peer= (the other profile, for ptrace and signals), pid=, comm=, requested_mask= and denied_mask=.

An entry with profile="/usr/bin/docker" was produced by the Docker Engine daemon's profile, which means that profile is loaded on the host.

Now consider an entry with profile="docker-default", operation="ptrace" and denied_mask="trace".

This time the profile is docker-default, which applies to containers by default unless they run in privileged mode or were started with --security-opt apparmor=unconfined. The entry shows that AppArmor has denied ptrace in the container. This is exactly as expected.
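To make the dmesg output actionable, the following added example (not code from the original page) extracts the fields from AppArmor audit lines and lists the denials attributed to a given profile. The sample lines are constructed for the example with the kernel's field layout; their timestamps, pids and command names are made up:

```shell
#!/bin/sh
# Added example, not from the original page: parse AppArmor audit lines as
# dmesg prints them and filter them to the denials for one profile.
# SAMPLE_DMESG is constructed for this example (real field layout, made-up
# timestamps, pids and commands). Replace it with the output of dmesg.
set -eu

SAMPLE_DMESG='[ 5244.172725] type=1400 audit(1424547985.925:2177): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3325 comm="java" requested_mask="trace" denied_mask="trace" peer="docker-default"
[ 5244.180011] type=1400 audit(1424547985.931:2178): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/sysrq-trigger" pid=3401 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 5250.003120] type=1400 audit(1424547991.752:2179): apparmor="ALLOWED" operation="open" profile="/usr/bin/docker" name="/etc/docker/daemon.json" pid=1207 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5260.110000] type=1400 audit(1424548001.860:2180): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-nginx" pid=4090 comm="apparmor_parser"'

# aa_field LINE KEY: the value of KEY=... in LINE with its quotes stripped,
# or nothing if the key is absent. Keys are matched as whole words.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# aa_denials PROFILE: reads log lines on stdin and prints "operation target"
# for each denial logged under PROFILE. The target is name= for file
# operations, peer= for ptrace and signals, and comm= as a last resort.
# ALLOWED entries (complain mode) and STATUS entries are skipped.
aa_denials() {
    while IFS= read -r line; do
        case "$line" in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        [ "$(aa_field "$line" profile)" = "$1" ] || continue
        target=$(aa_field "$line" name)
        [ -n "$target" ] || target=$(aa_field "$line" peer)
        [ -n "$target" ] || target=$(aa_field "$line" comm)
        printf '%s %s\n' "$(aa_field "$line" operation)" "$target"
    done
}

# count_denials PROFILE: number of denials for PROFILE on stdin (0 when none).
count_denials() {
    aa_denials "$1" | grep -c . || true
}

# Stand-alone use: pass --live [PROFILE] to read the kernel log instead of
# the constructed sample.
if [ "${1:-}" = "--live" ]; then
    dmesg | aa_denials "${2:-docker-default}"
else
    printf '%s\n' "$SAMPLE_DMESG" | aa_denials docker-default
fi
```

Filtering on apparmor="DENIED" matters: a profile in complain mode logs the same operations as apparmor="ALLOWED", which look alarming in a grep for "apparmor" but were not blocked.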

Use aa-status

If you need to check which profiles are loaded, you can use aa-status. The output looks like:

The above output shows that the docker-default profile running on various container PIDs is in enforce mode. This means AppArmor is actively blocking, and logging to dmesg, anything outside the bounds of the docker-default profile. If a container's processes do not appear under docker-default (or your custom profile) in that list, they are running unconfined.

The output above also shows the /usr/bin/docker (Docker Engine daemon) profile is running in complain mode. This means AppArmor only logs to dmesg activity outside the bounds of the profile (as apparmor="ALLOWED" entries) and does not block it. (Except in the case of Ubuntu Trusty, where some interesting behaviors are enforced.)
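The check a host-hardening script wants is the same information aa-status prints, read from the kernel directly. The following is an added example, not code from the original page; it assumes the standard securityfs mount at /sys/kernel/security, and docker inspect when the --check path is used:

```shell
#!/bin/sh
# Added example, not from the original page: read the kernel's list of loaded
# profiles (the file aa-status reads) and fail unless the container profile is
# loaded in enforce mode. Assumes securityfs at /sys/kernel/security;
# PROFILES_FILE can point at a copy of that file for testing.
set -eu

PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# profile_mode NAME [FILE]: prints the mode (enforce, complain, ...) of the
# loaded profile NAME, or nothing if it is not loaded. Each line of the
# profiles file looks like "docker-default (enforce)".
profile_mode() {
    awk -v n="$1" '$1 == n { gsub(/[()]/, "", $2); print $2 }' "${2:-$PROFILES_FILE}"
}

# require_enforced NAME [FILE]: succeeds only if NAME is loaded and enforcing.
# A missing profile makes docker run fail; a complain-mode profile only logs.
require_enforced() {
    mode=$(profile_mode "$1" "${2:-$PROFILES_FILE}")
    case "$mode" in
        enforce) return 0 ;;
        "")      echo "$1: not loaded" >&2; return 1 ;;
        *)       echo "$1: loaded in $mode mode, violations are only logged" >&2; return 1 ;;
    esac
}

# container_profile PID: the label the kernel applies to PID, for example
# "docker-default (enforce)", or "unconfined" for an unconfined process.
container_profile() {
    cat "/proc/$1/attr/current"
}

# Stand-alone use: --check CONTAINER verifies docker-default is enforcing and
# shows which profile the container's init process actually runs under.
if [ "${1:-}" = "--check" ]; then
    require_enforced docker-default
    pid=$(docker inspect -f '{{.State.Pid}}' "${2:?container name}")
    container_profile "$pid"
fi
```

The /proc/<pid>/attr/current read is the authoritative per-process answer: it reflects what the kernel is enforcing for that process right now, independent of what the container was asked to run with.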

Advanced users and package managers can find a profile for /usr/bin/docker (Docker Engine daemon) underneath contrib/apparmor in the Docker Engine source repository.

The docker-default profile for containers lives in profiles/apparmor.