Docker inspect "AppArmorProfile" field now shows "docker-default" when AppArmor is enabled and no other profile was defined #27083
Docker inspect "AppArmorProfile" field now shows "docker-default" when AppArmor is enabled and no other profile was defined #27083tonistiigi merged 1 commit intomoby:masterfrom RobSkye:25935-show-apparmor-default-profile-in-docker-inspect
Conversation
RobSkye
changed the title
|
@RobSkye did you close this on purpose, or by accident? |
|
By Accident...laptops and beds are bad combination....I'm editing the description too. |
|
GitHub buttons are also a disaster at times, haha, no worries, thanks! |
|
Guess this fixes #25935 |
|
Yes. |
RobSkye
changed the title
tonistiigi
left a comment
tonistiigi
left a comment
There was a problem hiding this comment.
Please squash the commits as well.
daemon/container_linux.go
Outdated
There was a problem hiding this comment.
there is const defaultApparmorProfile
There was a problem hiding this comment.
Also need to handle --privileged. See https://github.com/docker/docker/blob/master/daemon/oci_linux.go#L709-L714
Even with privileged fixed this is a slight behavioral change. If apparmor is enabled after container was created this var will not change. I think if this is only called on inspecting single container we can lazy load the value like we do in container startup.
There was a problem hiding this comment.
Even with privileged fixed this is a slight behavioral change. If apparmor is enabled after container was created this var will not change. I think if this is only called on inspecting single container we can lazy load the value like we do in container startup.
Yes, I agree on that. Maybe docker inspect is not the best place to show security information because one thing is the definition of the security you want and the other the security you really have in place at execution time.
Having said that, we can check in daemon.containerStart if the container apparmor options are compatible with the actual execution environment and if not, change the value to unconfined.
I'm going to commit and push this ASAP and..I will squash the commits, sorry about that :p
|
@RobSkye can you address @tonistiigi's comments, and squash your commits? |
|
With the latest push, if you change apparmor configuration and apparmor completely disappear from the dockerhost (I have some comments about this below) the AppArmorProfile is updated with the expected configuration but still there is some issues we have to address:
I don't know if addressing this issues are in the scope of the main issue. I' have the feeling that implementing a real-time check of the security configuration of containers will require more than a "slight behavioral change". I have some ideas of adding security information in the "docker ps" command and a more detailed "docker security" showing all the security settings of a container. I look forward to your feedback. |
daemon/container_linux.go
Outdated
There was a problem hiding this comment.
Don't understand this. Why is unconfined profile switched back to default.
There was a problem hiding this comment.
That is actually an error. I was trying to restore "docker-default" to the unconfined containers if the containers were created after apparmor was enabled but i didn't notice the effect of enabling apparmor to the containers with --security-opt app-armor:unconfined.
I'm gonna think on how manage this correctly.
|
I did a little refactor of the patch in the last commit. Now inspect always shows an empty AppArmorProfile when the container is stopped ( maybe empty is not the best value but this can be changed easily to undefined, unconfined or something more clarifying). The correct value of AppArmorProfile is set at container startup using the actual status of apparmor, the privileged flag and the configured apparmor settings using --security-opt. |
|
@RobSkye I'm not sure that I like an idea of clearing profile on stopped containers - it's breaking change, and indeed it might be useful for debugging. Otherwise, the patch is ok for me. |
|
ping @RobSkye , needs a rebase. I personally don't think showing the previous apparmor profile when inspecting old containers is an issue to be fixed otherwise. It properly reflect how this container was run. |
|
Ok, i'll delete that part and rebase/commit. |
GordonTheTurtle
added
dco/no
|
ping @tonistiigi @LK4D4 PTAL what's the status on this one? |
daemon/container_linux.go
Outdated
There was a problem hiding this comment.
I'd call this saveApparmorConfig
daemon/container_linux.go
Outdated
There was a problem hiding this comment.
This shows unconfined when apparmor is disabled.
There was a problem hiding this comment.
Yes, do you want to show "Disabled" instead?
There was a problem hiding this comment.
I think empty would do. unconfined implies that special privileged profile was applied(at least to me).
|
ping @RobSkye |
…AppArmor is enabled or not. It is set in NewDaemon using sysInfo information. Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> Added an apparmorEnabled boolean in the Daemon struct to indicate if AppArmor is enabled or not. It is set in NewDaemon using sysInfo information. Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> gofmt'd Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> change the function name to something more adequate and changed the behaviour to show empty value on an apparmor disabled system. Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com> go fmt Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
|
LGTM |
6 participants
This pull request fixes #25935 showing "AppArmorProfile" in docker inspect filled with "docker-default" when AppArmor is enabled and no other profile was defined using --security-opt.