bane
v0.4.4
AppArmor profile generator for docker containers. Basically a better AppArmor profile, than creating one by hand, because who would ever do that.
"Reviewing AppArmor profile pull requests is the bane of my existence"
Jess Frazelle
Table of Contents
Installation
Binaries
Via Go
Usage
File Globbing
Config File
Installing a Profile
What does the generated profile look like?
Integration with Docker
For installation instructions from binaries please visit the Releases Page.
$ go get github.com/genuinetools/bane
$ bane -hbane - Custom AppArmor profile generator for docker containersUsage: bane <command>Flags: -d enable debug logging (default: false) -profile-dir directory for saving the profiles (default: /etc/apparmor.d/containers)Commands: version Show the version information.
sample.toml is a AppArmor sample config for nginx in a container.
| Glob Example | Description |
|---|---|
/dir/file | match a specific file |
/dir/* | match any files in a directory (including dot files) |
/dir/a* | match any file in a directory starting with a |
/dir/*.png | match any file in a directory ending with .png |
/dir/[^.]* | match any file in a directory except dot files |
/dir/ | match a directory |
/dir/*/ | match any directory within /dir/ |
/dir/a*/ | match any directory within /dir/ starting with a |
/dir/*a/ | match any directory within /dir/ ending with a |
/dir/** | match any file or directory in or below /dir/ |
/dir/**/ | match any directory in or below /dir/ |
/dir/**[^/] | match any file in or below /dir/ |
/dir{,1,2}/** | match any file or directory in or below /dir/, /dir1/, and /dir2/ |
Now that we have our config file from above let's install it. bane will
automatically install the profile in a directory/etc/apparmor.d/containers/ and run apparmor_parser.
$ sudo bane sample.toml# Profile installed successfully you can now run the profile with# `docker run --security-opt="apparmor:docker-nginx-sample"`# now let's run nginx$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx
Using custom AppArmor profiles has never been easier!
Now let's try to do malicious activities with the sample profile:
$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bashroot@6da5a2a930b9:~# ping 8.8.8.8ping: Lacking privilege for raw socket.root@6da5a2a930b9:/# topbash: /usr/bin/top: Permission deniedroot@6da5a2a930b9:~# touch ~/thingtouch: cannot touch 'thing': Permission deniedroot@6da5a2a930b9:/# shbash: /bin/sh: Permission deniedroot@6da5a2a930b9:/# dashbash: /bin/dash: Permission denied
Sample dmesg output when using LogOnWritePaths:
[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser" [ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0 [ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0 [ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0 [ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0 [ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0 [ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0 [ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0 [ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0 [ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
For the above sample.toml the generated profile is available as docker-nginx-sample.
This was originally a proof of concept for what will hopefully become a native security profile in the Docker engine. For more information on this, see docker/docker#17142.
