Tuesday, March 19, 2019

Container Security - AppArmor

AppArmor is a Linux kernel security module that can be used to restrict the capabilities of processes running on the host operating system. AppArmor is similar to SELinux, which is used by default on Red Hat Linux and CentOS; AppArmor is used by default on Ubuntu. Both AppArmor and SELinux provide mandatory access control (MAC). In effect, AppArmor restricts which actions a process is allowed to take.

Each process can have its own security profile. The profile defines the capabilities that allow or deny the actions the process may perform, ranging from network access to file read/write/execute permissions.

Note - as already said, AppArmor is the default mandatory access control system on Ubuntu, so AppArmor may not be available on CentOS or RHEL flavour operating systems.

On an Ubuntu machine, check whether AppArmor is available by running the command “sudo apparmor_status”. This prints the status of AppArmor. If it says “apparmor module is loaded”, AppArmor profiles are available.

Docker automatically generates and loads a default profile for containers named docker-default. The Docker binary generates this profile at /etc/apparmor.d/docker.
Let's run a container, which by default uses the docker-default profile:
root@spinnaker-machine:/home/vagrant# docker run -it --rm centos bash -i
[root@69fe95789e43 /]# cat /proc/sysrq-trigger
cat: /proc/sysrq-trigger: Permission denied
[root@69fe95789e43 /]# exit
exit


Here we started a CentOS container and tried to read the /proc/sysrq-trigger file, which gave us a permission denied error: the default profile denies this access.

Custom profile - As already discussed, a custom profile can also be applied to a Docker container. A custom profile is selected at container start or run time by passing the argument apparmor=<profile-name> to --security-opt; this overrides the docker-default profile for that container. Let's create a custom profile with the example below:

root@spinnaker-machine:/home/vagrant# cat > /etc/apparmor.d/no_raw_net <<EOF
# The include targets below were lost to HTML extraction; they are restored
# to the standard tunables/global and abstractions/base includes (assumption).
#include <tunables/global>

profile no-ping flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # allow ordinary TCP, UDP and ICMP sockets
  network inet tcp,
  network inet udp,
  network inet icmp,

  # deny raw and packet sockets, which ping needs to craft its packets
  deny network raw,
  deny network packet,

  file,
  mount,
}
EOF


I'm not going to go deep into how to write profiles, but the above profile denies raw and packet network sockets, so a process under it cannot craft its own network packets. I named it the no-ping profile. Once the profile is written, I load it into AppArmor using the command below:
root@spinnaker-machine:/home/vagrant# /sbin/apparmor_parser --replace --write-cache /etc/apparmor.d/no_raw_net

Once the profile is loaded without errors, we can use it by starting a container with:
root@spinnaker-machine:/home/vagrant# docker run --rm -i --security-opt apparmor=no-ping centos ping -c3 8.8.8.8
ping: socket: Permission denied

Now we have started a container with the no-ping profile and tried to ping an IP address. The container reports “ping: socket: Permission denied”, which shows that our profile is working. To check that the correct profile is loaded, we can start the container first and then read its confinement from the /proc file system, as below:
root@spinnaker-machine:/home/vagrant# docker exec 502bac2749f3 cat /proc/1/attr/current
no-ping (enforce)


We can see that the no-ping profile is loaded inside the container, in enforce mode. To unload the profile from AppArmor, use: apparmor_parser -R /path/to/profile
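The loading step and the /proc/1/attr/current check above are easy to script so that every container start is verified rather than eyeballed. The script below is an added example, not code from the original post or from Docker: it parses the confinement line in the format shown above ("no-ping (enforce)", "docker-default (enforce)", "unconfined"), treats anything other than the expected profile in enforce mode as a failure (complain mode only logs violations, and an unconfined container has no profile at all), and wraps the docker exec and apparmor_parser calls from the post. It assumes the docker CLI and apparmor_parser are on PATH; the container id and profile name are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: verify that a running container is confined by the
# AppArmor profile we intended, in enforce mode. Assumes docker and
# apparmor_parser are on PATH (hypothetical invocation shown at the bottom).
set -u

# Parse one line in the format of /proc/<pid>/attr/current, e.g.
# "no-ping (enforce)", "docker-default (complain)" or "unconfined".
# Prints "<profile> <mode>" on stdout and always returns 0.
parse_confinement() {
    line="$1"
    case "$line" in
        unconfined)
            printf '%s %s\n' unconfined none ;;
        *' ('*')')
            profile="${line%% (*}"        # text before the first " ("
            mode="${line##* (}"           # text after the last " ("
            mode="${mode%)}"              # drop the closing parenthesis
            printf '%s %s\n' "$profile" "$mode" ;;
        *)
            printf '%s %s\n' "$line" unknown ;;
    esac
}

# Return 0 only if the line names the expected profile in enforce mode.
confinement_ok() {
    expected="$2"
    set -- $(parse_confinement "$1")   # $1 = profile, $2 = mode
    [ "$1" = "$expected" ] && [ "$2" = enforce ]
}

# Load (or reload) a profile file into the kernel, as in the post.
load_profile() {
    apparmor_parser --replace --write-cache "$1"
}

# Read the confinement of PID 1 inside a container and check it.
verify_container() {
    container="$1"
    expected="$2"
    line="$(docker exec "$container" cat /proc/1/attr/current)" || return 2
    if confinement_ok "$line" "$expected"; then
        echo "OK: $container runs under '$line'"
    else
        echo "FAIL: $container runs under '$line', expected '$expected (enforce)'" >&2
        return 1
    fi
}

# Usage (hypothetical): ./check_profile.sh <container-id> <profile-name>
# With no arguments the script only defines the functions above.
if [ $# -ge 2 ]; then
    verify_container "$1" "$2"
fi
```

A non-zero exit from verify_container is the signal to wire into a deployment check: a container that comes up as "unconfined" or in complain mode after a profile reload is exactly the silent failure this catches.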
