Enable ptrace in a container on apparmor below 2.9 #18393
Conversation
ping @ewindisch @jfrazelle ptal thanks @qzio!
If the ptrace macro exists on 2.8 then we should change the version check.
On Thu, Dec 3, 2015 at 6:52 AM, Sebastiaan van Stijn <
will do some testing re different versions
I have not been able to build-and-package locally to actually test this. However, this line works for me using the ubuntu/trusty64 vagrant base box, with docker installed from https://experimental.docker.com
For my use case (using
I do not know enough about apparmor to have an opinion on
I did some more digging and I think this is where that line needs to be. Adding the line to
@@ -60,12 +60,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { | |||
deny /sys/firmware/efi/efivars/** rwklx, | |||
deny /sys/kernel/security/** rwklx, | |||
|
|||
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container | |||
ptrace (trace,read) peer=docker-default, |
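Review bot: the added `ptrace (trace,read) peer=docker-default,` line is emitted unconditionally in this template, but as the thread notes, AppArmor releases before 2.8 (wheezy) do not accept a ptrace rule with a peer and access modes, so the profile would fail to load there; gate the line on the parser version (the thread suggests a 2.8 check, which also covers Ubuntu 14.04's 2.8.95) instead of always writing it. Also, the profile header is `profile {{.Name}}` while the rule hard-codes `peer=docker-default`; a container launched under a different profile name would not get the rule for its own peer, so `peer={{.Name}}` matches the template's intent.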
So the problem is this will still break distros like wheezy; we need to change the version check to 2.8.
IIRC, older AppArmor versions can allow ptrace, but not granularly. That
is, you can allow ptrace, but cannot specify a peer or read/write/trace.
On Fri, Dec 4, 2015 at 12:00 PM, Jess Frazelle notifications@github.com wrote:
In daemon/execdriver/native/apparmor.go
so the problem is this will still break distros like wheezy we need to change the version check to 2.8
Why the tests fail is beyond my knowledge about apparmor; I don't know how the unloading is done and why this doesn't work.
For ref: the tests passed previously when I accidentally pushed a commit with wrong number of
For ref2: the test did not pass when I used one "outer" if that did
I've solved my particular problem on my installations by hacking the /etc/init/docker.conf script and adding this line in the
Not sure how to fix the tests since even master failed last time I checked.
Ubuntu 14.04 LTS is on apparmor 2.8.95. This enables `ps` inside a container without causing audit log entries on the host.
Signed-off-by: Joel Hansson <joel.hansson@ecraft.com>
Another rebase against master seemed to "fix" the tests.
ping @ewindisch @jfrazelle can you have another look?
LGTM now thanks
Enable ptrace in a container on apparmor below 2.9
Ubuntu 14.04 LTS is on apparmor 2.8.95. This line enables `ps` inside a container without causing audit log entries on the host.
My use case: #7276 (comment)
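The version gate the thread converges on, as an added example written for this page and not docker's own code: it parses the output of `apparmor_parser --version` and emits the ptrace rule from the hunk above only for AppArmor 2.8 or newer, using a text/template modelled on the profile. The integer version encoding, the constructed sample version strings and the use of `{{.Name}}` as the peer are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

// Constructed template for this example (not docker's own): the fine-grained ptrace
// rule is emitted only for parser 2.8+, and the peer is the profile's own name.
const profileTemplate = `profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
{{if ge .Version 208000}}
  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read) peer={{.Name}},
{{end}}
}
`

type profileData struct {
	Name    string
	Version int // major*100000 + minor*1000 + patch (encoding assumed for this example)
}
var versionRe = regexp.MustCompile(`(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseAppArmorVersion extracts e.g. "2.8.95" from `apparmor_parser --version` output
// and encodes it so that 2.8.95 (208095) sorts above wheezy's 2.7.103 (207103).
func ParseAppArmorVersion(output string) (int, error) {
	m := versionRe.FindStringSubmatch(output)
	if m == nil {
		return 0, fmt.Errorf("no AppArmor version found in %q", output)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // missing patch component ("") yields 0
	return major*100000 + minor*1000 + patch, nil
}

// RenderProfile expands the template for a profile name and an encoded parser version.
func RenderProfile(name string, version int) (string, error) {
	tmpl := template.Must(template.New("apparmor").Parse(profileTemplate))
	var sb strings.Builder
	err := tmpl.Execute(&sb, profileData{Name: name, Version: version})
	return sb.String(), err
}
```

On a real host, feed the first line of `apparmor_parser --version` to ParseAppArmorVersion and load the rendered profile with apparmor_parser to confirm it parses.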