v0.3.0
Bump version to v0.3.0

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
2 files changed
tree: b230c6feb027984fcdf2cff36e0b1ba0a517ac07
README.md

bane

AppArmor profile generator for docker containers. Basically a better way to get an AppArmor profile than writing one by hand, because who would ever do that.

"Reviewing AppArmor profile pull requests is the bane of my existence"

  • Jess Frazelle


Installation

Binaries

Via Go

$ go get github.com/jessfraz/bane

Usage

$ bane -h
 _
| |__   __ _ _ __   ___
| '_ \ / _` | '_ \ / _ \
| |_) | (_| | | | |  __/
|_.__/ \__,_|_| |_|\___|
 Custom AppArmor profile generator for docker containers
 Version: v0.3.0

  -d    run in debug mode
  -profile-dir string
        directory for saving the profiles (default "/etc/apparmor.d/containers")
  -v    print version and exit (shorthand)
  -version
        print version and exit

Config File

sample.toml is a sample AppArmor config for nginx in a container.

File Globbing

Glob Example      Description
/dir/file         match a specific file
/dir/*            match any file in a directory (including dot files)
/dir/a*           match any file in a directory starting with a
/dir/*.png        match any file in a directory ending with .png
/dir/[^.]*        match any file in a directory except dot files
/dir/             match a directory
/dir/*/           match any directory within /dir/
/dir/a*/          match any directory within /dir/ starting with a
/dir/*a/          match any directory within /dir/ ending with a
/dir/**           match any file or directory in or below /dir/
/dir/**/          match any directory in or below /dir/
/dir/**[^/]       match any file in or below /dir/
/dir{,1,2}/**     match any file or directory in or below /dir/, /dir1/, and /dir2/
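As an added example (not code from bane itself), the Go below translates the glob rules in the table into an anchored regular expression so each row can be checked against concrete paths. globToRegexp and globMatches are names chosen here; the translation covers *, **, [..] classes and {a,b} alternation as the table uses them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// globToRegexp turns an AppArmor-style path glob into an anchored RE2 pattern
// per the table above: "*" never crosses "/", "**" does, [..]/[^..] classes
// pass through, {a,b} is alternation, and directories end in "/".
func globToRegexp(glob string) (*regexp.Regexp, error) {
	var b strings.Builder
	depth := 0 // open {...} groups; "," separates alternatives only inside one
	for i := 0; i < len(glob); i++ {
		switch c := glob[i]; {
		case c == '*' && i+1 < len(glob) && glob[i+1] == '*':
			b.WriteString(".*") // ** crosses directory boundaries
			i++
		case c == '*':
			b.WriteString("[^/]*") // * stays within one path component
		case c == '[':
			end := strings.IndexByte(glob[i:], ']')
			if end < 0 {
				return nil, fmt.Errorf("unterminated [ in %q", glob)
			}
			b.WriteString(glob[i : i+end+1]) // [^/] and [^.] are valid RE2 as written
			i += end
		case c == '{':
			depth++
			b.WriteString("(?:")
		case c == '}' && depth > 0:
			depth--
			b.WriteString(")")
		case c == ',' && depth > 0:
			b.WriteString("|")
		default:
			b.WriteString(regexp.QuoteMeta(string(c))) // literal path characters
		}
	}
	return regexp.Compile("^" + b.String() + "$") // an unclosed "{" is rejected here
}

// globMatches reports whether path is covered by glob (false on a malformed glob).
func globMatches(glob, path string) bool {
	re, err := globToRegexp(glob)
	return err == nil && re.MatchString(path)
}

func main() { fmt.Println(globMatches("/dir/**[^/]", "/dir/a/b"), globMatches("/dir/**[^/]", "/dir/a/")) }
```

The trailing-slash convention matters: /dir/**/ accepts /dir/a/b/ but not /dir/a/b, while /dir/**[^/] does the reverse.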

Installing a Profile

Now that we have our config file from above, let's install it. bane will automatically install the profile in the directory /etc/apparmor.d/containers/ and run apparmor_parser.

$ sudo bane sample.toml
# Profile installed successfully you can now run the profile with
# `docker run --security-opt="apparmor:docker-nginx-sample"`

# now let's run nginx
$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx

Using custom AppArmor profiles has never been easier!

Now let's try to do malicious activities with the sample profile:

$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash
root@6da5a2a930b9:~# ping 8.8.8.8
ping: Lacking privilege for raw socket.

root@6da5a2a930b9:/# top
bash: /usr/bin/top: Permission denied

root@6da5a2a930b9:~# touch ~/thing
touch: cannot touch 'thing': Permission denied

root@6da5a2a930b9:/# sh
bash: /bin/sh: Permission denied

root@6da5a2a930b9:/# dash
bash: /bin/dash: Permission denied

Sample dmesg output when using LogOnWritePaths:

[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
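An added example, not from the bane repository: a small Go parser for the dmesg records shown above that keeps only the apparmor="AUDIT" events and folds them into the set of paths the confined nginx actually wrote, with the requested_mask letters merged per path. parseAuditLine and writtenPaths are names chosen here; the sample slice reuses four of the lines from the excerpt.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// kv matches key=value pairs, quoted or bare, anywhere in a dmesg line.
var kv = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// parseAuditLine returns the fields of an apparmor="AUDIT" record; STATUS
// records (profile loads) and unrelated kernel lines yield ok=false.
func parseAuditLine(line string) (fields map[string]string, ok bool) {
	fields = map[string]string{}
	for _, m := range kv.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = strings.Trim(m[2], `"`)
	}
	return fields, fields["apparmor"] == "AUDIT"
}

// writtenPaths folds a log into name -> merged requested_mask letters, in the
// order first seen, giving the list of paths the confined process touched.
func writtenPaths(lines []string) map[string]string {
	out := map[string]string{}
	for _, l := range lines {
		f, ok := parseAuditLine(l)
		if !ok {
			continue
		}
		for _, r := range f["requested_mask"] {
			if !strings.ContainsRune(out[f["name"]], r) {
				out[f["name"]] += string(r)
			}
		}
	}
	return out
}

// sample reuses four lines from the dmesg excerpt above (one STATUS, three AUDIT).
var sample = []string{
	`[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"`,
	`[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
	`[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
	`[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0`,
}

func main() { fmt.Println(writtenPaths(sample)) }
```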

What does the generated profile look like?

For the above sample.toml the generated profile is available as docker-nginx-sample.

Integration with Docker

This was originally a proof of concept for what will hopefully become a native security profile in the Docker engine. For more information on this, see docker/docker#17142.