
Merge pull request #14609 from ewindisch/apparmor-policy
Move AppArmor policy to contrib & deb packaging
LK4D4 committed Jul 21, 2015
2 parents 9818d8f + 80d9923 commit 380959d
Showing 9 changed files with 63 additions and 128 deletions.
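--- /dev/null
+++ b/contrib/apparmor/docker
@@ -0,0 +1,25 @@
+#include <tunables/global>
+
+profile docker-default flags=(attach_disconnected,mediate_deleted) {
+#include <abstractions/base>
+
+network,
+capability,
+file,
+umount,
+
+deny @{PROC}/sys/fs/** wklx,
+deny @{PROC}/sysrq-trigger rwklx,
+deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+deny @{PROC}/sys/kernel/*/** wklx,
+
+deny mount,
+
+deny /sys/[^f]*/** wklx,
+deny /sys/f[^s]*/** wklx,
+deny /sys/fs/[^c]*/** wklx,
+deny /sys/fs/c[^g]*/** wklx,
+deny /sys/fs/cg[^r]*/** wklx,
+deny /sys/firmware/efi/efivars/** rwklx,
+deny /sys/kernel/security/** rwklx,
+}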
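Review bot: The character classes in `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` do not carve out only `shm*`: the rule fails to match any entry whose first character is `s`, whose second is `h`, or whose third is `m`, and any name shorter than three characters, so writes to those entries under /proc/sys/kernel fall through to the broad `file,` grant above. Because AppArmor gives deny precedence over allow, a blanket deny plus an allow for `shm*` is not an option, so the practical hardening is to add explicit deny lines for the sensitive entries the class misses and to document the limitation beside the rule, e.g. `# intended: deny everything in /proc/sys/kernel except shm*; the class also skips names with s/h/m in positions 1/2/3 and names under 3 chars`. The paths probed by the new TestRunWriteFilteredProc are all caught by this class or by the explicit `sysrq-trigger` rule, so the test does not cover the gap.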
1 change: 1 addition & 0 deletions contrib/builder/deb/generate.sh
Expand Up @@ -50,6 +50,7 @@ for version in "${versions[@]}"; do
build-essential # "essential for building Debian packages"
curl ca-certificates # for downloading Go
debhelper # for easy ".deb" building
dh-apparmor # for apparmor debhelper
dh-systemd # for systemd debhelper integration
git # for "git commit" info in "docker -v"
libapparmor-dev # for "sys/apparmor.h"
124 changes: 0 additions & 124 deletions daemon/execdriver/native/apparmor.go

This file was deleted.

4 changes: 0 additions & 4 deletions daemon/execdriver/native/driver.go
Expand Up @@ -50,10 +50,6 @@ func NewDriver(root, initPath string, options []string) (*driver, error) {
if err := sysinfo.MkdirAll(root, 0700); err != nil {
return nil, err
}
// native driver root is at docker_root/execdriver/native. Put apparmor at docker_root
if err := installApparmorProfile(); err != nil {
return nil, err
}

// choose cgroup manager
// this makes sure there are no breaking changes to people
1 change: 1 addition & 0 deletions hack/make/.build-deb/docker-engine.install
Expand Up @@ -9,3 +9,4 @@ contrib/init/systemd/docker.socket lib/systemd/system/
contrib/mk* usr/share/docker-engine/contrib/
contrib/nuke-graph-directory.sh usr/share/docker-engine/contrib/
contrib/syntax/nano/Dockerfile.nanorc usr/share/nano/
contrib/apparmor/* etc/apparmor.d/
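Review bot: `contrib/apparmor/* etc/apparmor.d/` installs every file that ever lands in contrib/apparmor as a profile, while the rules file in this same change registers only `--profile-name=docker`; a README or second profile added to that directory later would presumably be picked up by the AppArmor init at boot with no dh_apparmor handling for it. Install the single file so the two stay in step: `contrib/apparmor/docker etc/apparmor.d/`.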
3 changes: 3 additions & 0 deletions hack/make/.build-deb/rules
Expand Up @@ -32,5 +32,8 @@ override_dh_installudev:
# match our existing priority
dh_installudev --priority=z80

override_dh_install:
dh_apparmor --profile-name=docker -pdocker-engine

%:
dh $@ --with=bash-completion $(shell command -v dh_systemd_enable > /dev/null 2>&1 && echo --with=systemd)
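Review bot: `override_dh_install:` replaces debhelper's own dh_install step, and the added recipe runs only `dh_apparmor`, so nothing processes docker-engine.install (which this PR also extends) unless dh_install is invoked elsewhere in rules outside this hunk. The dh_apparmor documentation's pattern is to run both inside the override: `override_dh_install:` / `dh_install` / `dh_apparmor --profile-name=docker -pdocker-engine`. Worth confirming against a built package that etc/apparmor.d/docker is actually present.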
2 changes: 2 additions & 0 deletions hack/make/.integration-daemon-start
Expand Up @@ -35,6 +35,8 @@ if [ -z "$DOCKER_TEST_HOST" ]; then
(
set -x
/etc/init.d/apparmor start

/sbin/apparmor_parser -r -W -T contrib/apparmor/
)
fi

9 changes: 9 additions & 0 deletions hack/make/ubuntu
Expand Up @@ -72,6 +72,10 @@ bundle_ubuntu() {
done
done

# Include contributed apparmor policy
mkdir -p "$DIR/etc/apparmor.d/"
cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"

# Copy the binary
# This will fail if the binary bundle hasn't been built
mkdir -p "$DIR/usr/bin"
Expand All @@ -89,6 +93,10 @@ if [ "$1" = 'configure' ] && [ -z "$2" ]; then
fi
fi
if ( aa-status --enabled ); then
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
fi
if ! { [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; }; then
# we only need to do this if upstart isn't in charge
update-rc.d docker defaults > /dev/null || true
Expand Down Expand Up @@ -149,6 +157,7 @@ EOF
--deb-recommends git \
--deb-recommends xz-utils \
--deb-recommends 'cgroupfs-mount | cgroup-lite' \
--deb-suggests apparmor \
--description "$PACKAGE_DESCRIPTION" \
--maintainer "$PACKAGE_MAINTAINER" \
--conflicts docker \
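Review bot: In the postinst hunk (`@@ -89,6 +93,10 @@`), `if ( aa-status --enabled ); then` depends on `aa-status`, which is provided by the apparmor package this same change lists only as `--deb-suggests apparmor`; when that package is absent the subshell fails with a "command not found" on stderr on every install and the profile is silently not loaded. Guard the lookup explicitly, `if command -v aa-status > /dev/null 2>&1 && aa-status --enabled; then`, and consider the same guard for `/sbin/apparmor_parser`, which comes from the same package. Whether a parse failure aborts the postinst depends on `set -e` handling outside this hunk.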
22 changes: 22 additions & 0 deletions integration-cli/docker_cli_run_test.go
Expand Up @@ -2518,3 +2518,25 @@ func (s *DockerSuite) TestVolumeFromMixedRWOptions(c *check.C) {
c.Fatalf("Expected RW volume was RO")
}
}

func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {
testRequires(c, Apparmor)

testWritePaths := []string{
/* modprobe and core_pattern should both be denied by generic
* policy of denials for /proc/sys/kernel. These files have been
* picked to be checked as they are particularly sensitive to writes */
"/proc/sys/kernel/modprobe",
"/proc/sys/kernel/core_pattern",
"/proc/sysrq-trigger",
}
for i, filePath := range testWritePaths {
name := fmt.Sprintf("writeprocsieve-%d", i)

shellCmd := fmt.Sprintf("exec 3>%s", filePath)
runCmd := exec.Command(dockerBinary, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
if out, exitCode, err := runCommandWithOutput(runCmd); err == nil || exitCode == 0 {
c.Fatalf("Open FD for write should have failed with permission denied, got: %s, %v", out, err)
}
}
}
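Review bot: The assertion `err == nil || exitCode == 0` accepts any non-zero exit, so TestRunWriteFilteredProc also passes when `docker run` fails for an unrelated reason, for example when the `docker-default` profile is not loaded and `--security-opt apparmor:docker-default` is rejected, which is precisely the regression this test should catch. Require the denial itself, e.g. `if out, exitCode, err := runCommandWithOutput(runCmd); err == nil || exitCode == 0 || !strings.Contains(out, "Permission denied") {`; the file's import block is outside this hunk, so `strings` may need adding. The `%s, %v` Fatalf already prints `out`, so the stricter check costs no diagnostics.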
