tag | 18024a89c8a5657dce459e0f776f077db6cb62a3 | |
---|---|---|
tagger | Jess Frazelle <acidburn@microsoft.com> | Tue Jan 02 05:21:11 2018 -0500 |
object | e54475c5f1a5f7380b5e44d7483358cd62bca553 |
v0.3.0

```
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE1MTdYA1m9lqO/FEeGPNoXAAiv/MFAlpLXRcACgkQGPNoXAAi
v/MZig//V6/SqLHPKxP5jt+pBgYcDZVOz2HUOkESmSpaYb1LfJfkPrESTMQgnGgm
Dclmwq80/zCpClxMIipSE5OOBWdB4+WFmi17Rd0EXTaVHxHFNjVTWiAtOWt59n3t
b+h+XLWDCHQkIdXqFsLb9oJlcKl4e2Wfsfv9oZhy8wQ7sWJ+et4HZ+7Mb9XCKObr
fsdiCSWte4KZ127ON4TNZL62K64c+N0KmFvmkirf82irqCRJ+RY8I5wqvWfZvJ5O
e/elz+0+F37XJqsy+ncFdFe5V1m3IxAfPWrp6got1g2O9LvqeAFdlaMD0m3JIoFz
/WDieloXF9zX9ZdTqkf2uyblav5tCg+KVv4BvfXnGXcaB03RLJ4lWxV8UsQFO+qG
kqJ3Fzo2ep+prWgHkvpQ54WLTrEceVoqeWviGnFrCzVXbJdRm4XTP687DSE0Zlj/
dSiv4uhZnvHgXiAPxJvS+YzkzU+oEhQNEy7nFdilJxcP9FHxQjUIkKM6s4gt/PEk
ITSP/3gbxEn01EdpH5wmudEYrLDZrK8DWNI5YZXXEohIr1m1Bh23dHkQgTOOKIa/
Im6XC7DN9PT3eJ0wHJ9v08qLlY1yo7DiiDgiTw6u3jJmLStQ+BlahUq7UEg4Bnz/
iTNRpa91rjZCxZRL7ZblRh7zd3MY3q0JBPl4qdNU5XmJ/w46CUM=
=4mrQ
-----END PGP SIGNATURE-----
```
commit | e54475c5f1a5f7380b5e44d7483358cd62bca553 | [log] [tgz] |
---|---|---|
author | Jess Frazelle <acidburn@microsoft.com> | Tue Jan 02 05:21:09 2018 -0500 |
committer | Jess Frazelle <acidburn@microsoft.com> | Tue Jan 02 05:21:09 2018 -0500 |
tree | b230c6feb027984fcdf2cff36e0b1ba0a517ac07 | |
parent | 588324a083144cbdafffed4dc449f3816094417e [diff] |
Bump version to v0.3.0

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
AppArmor profile generator for docker containers. Basically a better way to get an AppArmor profile than writing one by hand, because who would ever do that.
> "Reviewing AppArmor profile pull requests is the bane of my existence"
>
> - Jess Frazelle
```console
$ go get github.com/jessfraz/bane
```

```console
$ bane -h
 _
| |__   __ _ _ __   ___
| '_ \ / _` | '_ \ / _ \
| |_) | (_| | | | |  __/
|_.__/ \__,_|_| |_|\___|

Custom AppArmor profile generator for docker containers
Version: v0.3.0

  -d    run in debug mode
  -profile-dir string
        directory for saving the profiles (default "/etc/apparmor.d/containers")
  -v    print version and exit (shorthand)
  -version
        print version and exit
```
`sample.toml` is an AppArmor sample config for nginx in a container. The path entries in it use AppArmor's globbing syntax:
Glob Example | Description |
---|---|
/dir/file | match a specific file |
/dir/* | match any files in a directory (including dot files) |
/dir/a* | match any file in a directory starting with a |
/dir/*.png | match any file in a directory ending with .png |
/dir/[^.]* | match any file in a directory except dot files |
/dir/ | match a directory |
/dir/*/ | match any directory within /dir/ |
/dir/a*/ | match any directory within /dir/ starting with a |
/dir/*a/ | match any directory within /dir/ ending with a |
/dir/** | match any file or directory in or below /dir/ |
/dir/**/ | match any directory in or below /dir/ |
/dir/**[^/] | match any file in or below /dir/ |
/dir{,1,2}/** | match any file or directory in or below /dir/, /dir1/, and /dir2/ |
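The cheapest way to check that a path rule does what the table says before it lands in a profile is to evaluate it against concrete paths. The following Go program is an added example (my own code, not part of bane or its README) that translates an AppArmor glob into an anchored regular expression with the semantics from the table: `*` never crosses a `/`, `**` does, `[^.]` style classes are kept, and `{a,b}` alternation becomes a regex alternation. It goes slightly beyond the table by also handling `?` and backslash escapes. The function names and the sample paths are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// globToRegexp translates an AppArmor path glob into an anchored Go regular
// expression. The rules mirror the apparmor.d globbing semantics in the
// table above:
//   **     zero or more characters, '/' included
//   *      zero or more characters, never '/'
//   ?      exactly one character other than '/'
//   [...]  character class; a leading '^' negates it
//   {a,b}  alternation; commas only split inside braces
//   \x     the literal character x
func globToRegexp(glob string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	rs := []rune(glob)
	inClass := false
	depth := 0
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		switch {
		case inClass:
			// copy the class body verbatim; Go's regexp understands [^.] and ranges
			if r == ']' {
				inClass = false
			}
			sb.WriteRune(r)
		case r == '\\' && i+1 < len(rs):
			i++
			sb.WriteString(regexp.QuoteMeta(string(rs[i])))
		case r == '*' && i+1 < len(rs) && rs[i+1] == '*':
			sb.WriteString(".*")
			i++
		case r == '*':
			sb.WriteString("[^/]*")
		case r == '?':
			sb.WriteString("[^/]")
		case r == '[':
			inClass = true
			sb.WriteRune('[')
		case r == '{':
			depth++
			sb.WriteString("(?:")
		case r == '}' && depth > 0:
			depth--
			sb.WriteRune(')')
		case r == ',' && depth > 0:
			sb.WriteRune('|')
		default:
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	if inClass || depth != 0 {
		return nil, fmt.Errorf("unbalanced [ or { in glob %q", glob)
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// Match reports whether path is matched by the AppArmor glob.
func Match(glob, path string) (bool, error) {
	re, err := globToRegexp(glob)
	if err != nil {
		return false, err
	}
	return re.MatchString(path), nil
}

// MatchAny reports whether path matches at least one glob in a rule list,
// e.g. the paths a profile allows writes to. Malformed globs are skipped.
func MatchAny(globs []string, path string) bool {
	for _, g := range globs {
		if ok, err := Match(g, path); err == nil && ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: table rows paired with paths that exercise the
	// "dot file" and "does not cross /" corners of the syntax.
	samples := []struct{ glob, path string }{
		{"/dir/*", "/dir/.hidden"},
		{"/dir/*", "/dir/sub/file"},
		{"/dir/[^.]*", "/dir/.hidden"},
		{"/dir/**[^/]", "/dir/sub/"},
		{"/dir{,1,2}/**", "/dir2/cache/x"},
	}
	for _, s := range samples {
		ok, err := Match(s.glob, s.path)
		if err != nil {
			fmt.Println("bad glob:", err)
			continue
		}
		fmt.Printf("%-16s %-18s %v\n", s.glob, s.path, ok)
	}
}
```

The regex is anchored at both ends, so a rule only matches the whole path; that is what makes `/dir/*` reject `/dir/sub/file` while `/dir/**` accepts it.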
Now that we have our config file from above, let's install it. `bane` will automatically install the profile in the directory `/etc/apparmor.d/containers/` and run `apparmor_parser`.
```console
$ sudo bane sample.toml
# Profile installed successfully you can now run the profile with
# `docker run --security-opt="apparmor:docker-nginx-sample"`

# now let's run nginx
$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx
```
Using custom AppArmor profiles has never been easier!
Now let's try to do malicious activities with the sample profile:
```console
$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash
root@6da5a2a930b9:~# ping 8.8.8.8
ping: Lacking privilege for raw socket.
root@6da5a2a930b9:/# top
bash: /usr/bin/top: Permission denied
root@6da5a2a930b9:~# touch ~/thing
touch: cannot touch 'thing': Permission denied
root@6da5a2a930b9:/# sh
bash: /bin/sh: Permission denied
root@6da5a2a930b9:/# dash
bash: /bin/dash: Permission denied
```
Sample `dmesg` output when using `LogOnWritePaths`:
```
[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
```
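`LogOnWritePaths` is only useful if somebody reads what it logs. As an added example (my own code, not part of bane), the Go program below parses lines of this format into structured events and lists the paths a given profile was logged writing to, which is the review step before those hits are turned into explicit allow rules in the profile. The first sample line is a constructed non-AppArmor `dmesg` line, included to show it is skipped; the remaining lines are copied from the sample above, shortened to five events. The type and function names are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// AuditEvent holds the quoted fields of one AppArmor kernel log line.
type AuditEvent struct {
	Kind      string // apparmor="STATUS" or apparmor="AUDIT" (or "DENIED")
	Operation string // operation="open", "mkdir", "chown", ...
	Profile   string // the confining profile, e.g. docker-nginx
	Name      string // the path (or the profile name for STATUS events)
	Comm      string // the process name
	Mask      string // requested_mask, a string of r/w/c/x/... flags
}

// kv picks out key="value" pairs; every field needed here is quoted in the log.
var kv = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseAuditLine returns the AppArmor fields of a log line; the bool is false
// for lines that carry no apparmor= field, which are ordinary dmesg noise.
func ParseAuditLine(line string) (AuditEvent, bool) {
	fields := map[string]string{}
	for _, m := range kv.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = m[2]
	}
	kind, found := fields["apparmor"]
	if !found {
		return AuditEvent{}, false
	}
	return AuditEvent{
		Kind:      kind,
		Operation: fields["operation"],
		Profile:   fields["profile"],
		Name:      fields["name"],
		Comm:      fields["comm"],
		Mask:      fields["requested_mask"],
	}, true
}

// WrittenPaths collects every path that the given profile logged with a
// write ('w') or create ('c') in requested_mask, de-duplicated and sorted.
// STATUS lines (profile loads) are not file accesses and are ignored.
func WrittenPaths(lines []string, profile string) []string {
	seen := map[string]bool{}
	for _, line := range lines {
		ev, ok := ParseAuditLine(line)
		if !ok || ev.Kind != "AUDIT" || ev.Profile != profile {
			continue
		}
		if strings.ContainsAny(ev.Mask, "wc") {
			seen[ev.Name] = true
		}
	}
	paths := make([]string, 0, len(seen))
	for p := range seen {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	return paths
}

// SampleLines: the first entry is a constructed non-AppArmor dmesg line; the
// rest are taken from the dmesg sample above.
var SampleLines = []string{
	`[ 1960.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd`,
	`[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"`,
	`[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
	`[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
	`[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0`,
	`[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
}

func main() {
	for _, line := range SampleLines {
		if ev, ok := ParseAuditLine(line); ok {
			fmt.Printf("%-6s %-15s %-13s %s\n", ev.Kind, ev.Operation, ev.Profile, ev.Name)
		}
	}
	fmt.Println("paths written under docker-nginx:")
	for _, p := range WrittenPaths(SampleLines, "docker-nginx") {
		fmt.Println("  ", p)
	}
}
```

On a live host the same functions can be fed the output of `dmesg` or `/var/log/kern.log`; the point of keying on `requested_mask` rather than on `operation` is that `open` with a create flag and `mkdir` both show up as writes without the parser having to know every operation name.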
For the above `sample.toml`, the generated profile is available as `docker-nginx-sample`.
This was originally a proof of concept for what will hopefully become a native security profile in the Docker engine. For more information on this, see docker/docker#17142.