README.md

Demonstrate using AppArmor to prevent a ping from inside the container.

TODO:

Give a better example of enforcement.
Policy doesn't seem to do the right thing right now.

Prerequisites

apt-get install apparmor-utils

Build and run

docker build -f Dockerfile -t apparmor .          
docker run -it --rm apparmor

sudo aa-status

# List profiles
ls /etc/apparmor.d

An example policy 25_apparmor.policy

Run unconstrained

Show process is constrained by docker-default

docker run --rm -it --entrypoint=/bin/bash apparmor

# on host
aa-status

Show process is now not protected by a profile.

docker run --rm -it --entrypoint=/bin/bash --security-opt apparmor=unconfined apparmor

# on host
aa-status

Enable a policy (not working yet)

sudo cp 25.apparmor.my_apparmor_policy /etc/apparmor.d              
apparmor_parser -r -W /etc/apparmor.d/25.apparmor.my_apparmor_policy
sudo systemctl restart apparmor
sudo aa-status
docker run --rm -it --entrypoint=/bin/bash --security-opt apparmor=my_apparmor_policy apparmor

# another shell
sudo aa-status
  apparmor module is loaded.
  18 profiles are loaded.
  18 profiles are in enforce mode.
    ...
    my_apparmor_policy
  0 profiles are in complain mode.
  1 processes have profiles defined.
  1 processes are in enforce mode.
     my_apparmor_policy (12787) 
  0 processes are in complain mode. 
  0 processes are unconfined but have a profile defined.

# It doesn't seem to enforce
docker run --rm -it --security-opt apparmor=my_apparmor_policy apparmor

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

README.md

Build and run

Run unconstrained

Files

README.md

Latest commit

History

README.md

File metadata and controls

README.md

Build and run

Run unconstrained