-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apparmor denies ptrace to docker-default profile #7276
Comments
there's a docker-default profile in place (/etc/apparmor.d/docker) that denies ptrace. That file is recreated when docker starts and doesn't seem to be configurable(?). You can get rid of the problem by placing this profile in complain mode using aa-complain from the apparmor-utils package in Ubuntu:
To "fix" this more permanently, it would be great if you could get rid of apparmor alltogether:
But this only works for running containers. For new containers, docker will notice there is no docker-default profile and refuse to start:
So instead, I've now placed a line in /etc/rc.local:
this survives reboots. It would be great if docker would not recreate the apparmor profile all the time, or if the profile was somehow configurable |
I think the best way to solve issues like this is to introduce a flag so that a user can set the apparmor profile that they want for a container. maybe something like:
|
Due to that issue, I can't list files owned by a process inside a container : I have " This question in "Unix & Linux" also talks about that. I think issue #5936, #6800, #6607, #7330, #7147 and bug 1320869 in launchpad are more or less linked to that isn't it? I think docker security is compromised if one puts docker AppArmor profile in complain only mode... My question is: can we just tell AppArmor to allow ptrace for docker and is this OK to keep docker secured or is ptrace was blocked on purpose? |
@anthony-o we just introduced a |
@crosbymichael Hey. Thanks for adding Thanks. |
have you tried adding On Thu, Oct 23, 2014 at 5:51 PM, Fernando Jorge Mota <
|
Yep. Yet with this my /var/log/kern.log shows the following message:
Any other suggestion? (I need ptrace just for run gdb inside docker) |
@fjorgemota did you fix that ? I'm having issues with gdb inside Docker too. I got AppArmor to crash on me after an "aa-complain" See the bug report over there: https://bugs.launchpad.net/apparmor/+bug/1390546 |
For the moment I just ran aa-complain, as described in this comment Anyway, this seems too much bad from the perspective of security, and, as is, i'm just awaiting any new suggestion about an alternative to allow gdb use from docker. Thanks. |
it seems |
Another trick is to put You can add them to the abstraction/base profile, so it'll be used no matter how you rewrite your docker profile. This would add a cross-container security risk though, as a container could ptrace another container's processes. |
On Ubuntu 14.04, I only managed to get
|
I was helping abourget in #apparmor on OFTC. Here are my thoughts:
|
https://issues.asterisk.org/jira/browse/ASTERISK-24498 To enable GDB debugging, write "ptrace," in /etc/apparmor.d/abstractions/base and restart the docker daemon, until: moby/moby#7276 is fixed.
abourget's issue with needing to use a bare ptrace rule (ie, 'ptrace,') on the Ubuntu 14.04 kernel is https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1390592. |
FYI, I haven't done the PR yet, but I have a branch for these updated rules and to add these rules based on the capabilities of the parser: https://github.com/jdstrand/libcontainer/tree/8454-sync-apparmor-with-lxc |
Any news on this? I would rather avoid going through AppArmor modifications (portability and all), but in some cases, like with Collectd, for example, syslog fills up so quickly, that it can really take a toll on the performance of an instance. |
So, this is important (vital, really) and there is still no solution... It's really clear that docker should not be wired into requiring apparmor. What if you want to use something like SELinux? As I read this, docker re-installs broken and untunable apparmor rules, and requires apparmor to be installed and running. If apparmor has been uninstalled, you really shouldn't try and use it. If you want to moan and complain when you start, then so be it. But you should start even if someone has opted out of apparmor. |
And even when I turn the docker profile to complain, it still enforces it... $ sudo apparmor_status Process 3273 child processes (ls, readlink) are still getting permission denied when trying to look at /proc/1/exe and similar things... |
Using security-opt=apparmor:unconfined makes no difference... But adding the --privileged flag to the container when I start it seems to do the trick... Sigh... |
I ended up going with |
This is a combination of multiple things and it depends on what you are trying to do. It sounds like for the problems that @Alan-R and @gerhard are having you need to run with both As a few examples how you could get different output: This fails because cat is a child of sh and cannot inspect it's parents process info. michael|~ > docker run --rm ubuntu:14.04 sh -c "cat /proc/1/environ"
cat: /proc/1/environ: Permission denied but this works because if you are running cat as PID 1 it is allowed to inspect itself. michael|~ > docker run --rm ubuntu:14.04 cat /proc/1/environ
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=103ad4fca658HOME=/root With the michael|~ > docker run --rm ubuntu:14.04 sh -c "cat /proc/1/environ"
cat: /proc/1/environ: Permission denied
michael|~ > docker run --rm --cap-add SYS_PTRACE --security-opt apparmor:unconfined ubuntu:14.04 sh -c "cat /proc/1/environ"
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=866b24a9dd35HOME=/root Just add the cap as well as the unconfined profile on your systems and this will work as expected. |
@crosbymichael mmm, that sounds like some useful doc eamples for caps |
Pretty clearly --privileged does the same thing -- but it's not Both would be great documentation examples... On 01/05/2015 10:17 PM, Sven Dowideit wrote:
|
Is it possible to make this the default? Either shipped as such or via a daemon command line option? I can't possibly instruct every user of our Docker servers to add in apparmor security options with any degree of reliability, and even bare-bones basic tools like |
I'm not sure about the default. There could be security issues with other processes finding out information about a parent process. I'll have to restart some of the security issues for allowing |
On 01/06/2015 03:04 PM, Steven Schlansker wrote:
Jamie Strandboge http://www.ubuntu.com/ |
I believe this is fixed in experimental. See #18393 |
this is blocked by apparmor seccomp and dropping CAP_PTRACE which we do by default On Jan 7, 2016, 05:51 -0800, joel hanssonnotifications@github.com, wrote:
|
Adding both "--cap-add=SYS_PTRACE" and "--security-opt=apparmor:unconfined" does not allow container to run programs like strace/ltrace using the ptrace (PTRACE_TRACEME).
Only "--privileded" option allow the container to use ptrace. Is there any way to allow ptrace without using "privileged" flag ? |
--security-opt seccomp:unconfined On Tuesday, March 8, 2016, Tsuneo Yoshioka notifications@github.com wrote:
Jessie Frazelle |
@jfrazelle Ah, it worked ! Thanks ! And, if possible, can you explain the difference between sec comp:unconfined and apparmor:unconfined ? |
I would checkout the security docs for a detailed description apparmor is a On Tuesday, March 8, 2016, Tsuneo Yoshioka notifications@github.com wrote:
Jessie Frazelle |
@jfrazelle Ah, so, in my understanding, "--security-opt seccomp:XXX" and "--security-opt apparmor:XXX" is independent option. To disable both, both "--security-opt apparmor:unconfined" and "--security-opt seccomp:unconfined" need to specified. |
--security-opt seccomp:unconfined doesn't work for me. I'm Ubuntu 14.04. I just used apparmor:unconfined, and I'm not getting errors in dmesg. Is this a "newer" docker thing, or a "newer" ubuntu thing? |
@gswallow
|
It's a docker 1.10 thing. --security-opt=seccomp:unconfined is covered in the changelog. We're using Amazon ECS, which says to use Docker 1.9.1. From what I understand, unless docker calls PR_SET_SECCOMP, then it doesn't matter. |
Docker is a miserable environment for generating core files (e.g. with `gcore`), for accessing the memory of another process (`/proc/$pid/mem`) or for other stuff involving ptrace. Thus, the pargs cases that depend on these features are skipped, when running inside docker Some Docker versions might work when some docker privileges are elevated, but Travis' Docker doesn't seem to offer much in that regard. See also: - moby/moby#11740 - moby/moby#7276 - travis-ci/travis-ci#5558
My kernel log is filling up with messages like:
docker version
reports:Ubuntu 14.04.1
3.13.0-32-generic #57-Ubuntu
The text was updated successfully, but these errors were encountered: