From 4e2241748e8b24dad43dd1c55e01f3b98c3dbd6a Mon Sep 17 00:00:00 2001
From: Christopher Jones
Date: Tue, 11 Oct 2016 13:08:37 -0500
Subject: [PATCH] update apparmor documentation to reflect changes in 1.13.0

Updates the apparmor docs to reflect recent changes, specifically that we are no longer saving to /etc/apparmor.d/. Also removes the seccomp profile and instead links to the generating template.

Signed-off-by: Christopher Jones
---
engine/security/apparmor.md | 53 +++++++++++--------------------------
1 file changed, 16 insertions(+), 37 deletions(-)

diff --git a/engine/security/apparmor.md b/engine/security/apparmor.md
index cdeaf1cb38..202a7702ca 100644
--- a/engine/security/apparmor.md
+++ b/engine/security/apparmor.md
@@ -9,9 +9,13 @@ operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program. Docker expects to find an AppArmor policy loaded and enforced. -Docker automatically loads container profiles. The Docker binary installs -a `docker-default` profile in the `/etc/apparmor.d/docker` file. This profile -is used on containers, _not_ on the Docker Daemon. +Docker automatically generates and loads a default profile for containers named +`docker-default`. On Docker versions `1.13.0` and later, the Docker binary generates +this profile in `tmpfs` and then loads it into the kernel. On Docker versions +earlier than `1.13.0`, this profile is generated in `/etc/apparmor.d/docker` +instead. + +> **Note:** This profile is used on containers, _not_ on the Docker Daemon. A profile for the Docker Engine daemon exists but it is not currently installed with the `deb` packages. If you are interested in the source for the daemon 
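Review bot: The new paragraph tells operators that on `1.13.0` and later the `docker-default` profile is generated in tmpfs instead of being written to `/etc/apparmor.d/docker`, but it no longer gives them any way to confirm the profile is actually loaded and enforcing now that there is no file on disk to inspect; a sentence such as `You can confirm the profile is loaded by running aa-status, which should list docker-default in enforce mode.` (or pointing at `/sys/kernel/security/apparmor/profiles`) would close that gap. It is also not stated what happens on an upgraded host where a pre-`1.13.0` `/etc/apparmor.d/docker` file is still present — whether it is ignored or still loaded alongside the generated one — and an operator who customised that file may otherwise assume their changes still apply; I cannot tell the answer from the diff, so the note should say which. The paragraph that closes the hunk ("A profile for the Docker Engine daemon exists …") continues past the end of the hunk.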
@@ -23,39 +27,8 @@ in the Docker Engine source repository. The `docker-default` profile is the default for running containers. It is moderately protective while providing wide application compatibility. The -profile is the following: - -``` -#include - - -profile docker-default flags=(attach_disconnected,mediate_deleted) { - - #include - - - network, - capability, - file, - umount, - - deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx, - deny @{PROC}/sysrq-trigger rwklx, - deny @{PROC}/mem rwklx, - deny @{PROC}/kmem rwklx, - deny @{PROC}/kcore rwklx, - - deny mount, - - deny /sys/[^f]*/** wklx, - deny /sys/f[^s]*/** wklx, - deny /sys/fs/[^c]*/** wklx, - deny /sys/fs/c[^g]*/** wklx, - deny /sys/fs/cg[^r]*/** wklx, - deny /sys/firmware/** rwklx, - deny /sys/kernel/security/** rwklx, -} -``` +profile is generated from the following +[template](https://github.com/docker/docker/blob/master/profiles/apparmor/template.go). When you run a container, it uses the `docker-default` policy unless you override it with the `security-opt` option. For example, the following
@@ -157,12 +130,18 @@ profile docker-nginx flags=(attach_disconnected,mediate_deleted) { capability setgid, capability net_bind_service, - deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx, + deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) + # deny write to files not in /proc//** or /proc/sys/** + deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, + deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) + deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, deny @{PROC}/kcore rwklx, + deny mount, + deny /sys/[^f]*/** wklx, deny /sys/f[^s]*/** wklx, deny /sys/fs/[^c]*/** wklx,
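Review bot: The replacement text links the `docker-default` template on `master`, so a page describing `1.13.0` will silently show whatever the template contains at read time rather than the profile that version actually generates and loads; pin the link to the release tag or commit (`.../blob/<release-tag>/profiles/apparmor/template.go`, placeholder) or say explicitly that the link tracks development. Dropping the inline listing also removes the only place the page showed what `docker-default` restricts; a one-sentence summary drawn from the removed listing (writes under most of `/proc` and `/sys` denied, `mount` denied, `/sys/firmware` and `/sys/kernel/security` fully denied, with network, capability and file access otherwise allowed) would keep the page useful without reproducing the file. The commit description says it removes the seccomp profile, but what this hunk removes is the AppArmor `docker-default` listing, so the message is misleading.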
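Review bot: The comment on the new `deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,` line says it denies everything except `shm*`, but the glob spares more than that: with single-character negated classes, a name of three or more characters is exempt from the deny whenever its first character is `s`, or its second is `h`, or its third is `m`, so every `s*` entry under `/proc/sys/kernel/` is left writable, not only `shm*`. Either tighten the pattern or make the comment describe the rule as written, e.g. `# deny write in /proc/sys/kernel/ except names with s/h/m at positions 1/2/3 (intended: shm*)`, and if the example is meant to mirror the 1.13.0 template, say so; if `/proc/sys` is mounted read-only in the container this is defence in depth only, but the example should still be accurate. The permission set also narrows from `wkx` on the removed line to `w` on the replacement lines, so lock and exec are no longer denied on those `/proc` paths in the example — worth a sentence if intentional. The comment `# deny write to files not in /proc//** or /proc/sys/**` appears to have lost a `<number>`-style placeholder between the slashes (possibly a rendering artifact rather than the commit's text); the enclosing `profile docker-nginx` block starts and ends outside the hunk.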