I was helping a docker user out in #apparmor on OFTC and I think we found a kernel bug. Filing this on behalf of the user.
The user added the following to the base abstraction then reloaded policy:
ptrace peer=@{profile_name},
but had denials like this:
apparmor="DENIED" operation="ptrace" profile="docker-default" pid=15426 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
The user tried this rule too, but it didn't work:
ptrace peer=docker-default,
The user had to use 'ptrace,' instead to make the denials go away.
Steps to reproduce:
1. adjust /etc/apparmor.d/abstractions/base to have:
ptrace peer=@{profile_name},
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
Then observe the following denials on the host:
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Note, docker is different from most applications in that it embeds its policy inside the docker binary, and this binary, when launched as a daemon (i.e., via the upstart job), will unconditionally write out the policy to /etc/apparmor.d/docker-default. As such, to modify the policy:
0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
2. sudo stop docker.io
3. sudo apparmor_parser -R /etc/apparmor.d/docker
4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
5. sudo start docker.io
6. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
(Docker just added a way to specify an alternate existing profile in https://docs.docker.com/reference/run/#security-configuration).
Reference: https://github.com/docker/docker/issues/7276
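The reload procedure and the denial lines above, as an added example that is not part of this bug report or of docker's own tooling: a POSIX shell script with a summarize_denials function that collapses AppArmor DENIED audit lines into distinct profile/operation/requested_mask/peer tuples (exercised here on the three log lines quoted in the report, embedded inline), and a repro_ptrace_denials function that carries out the stop/unload/remove/start/run steps from the report when the script is invoked with --repro. It assumes Ubuntu 14.04 with the upstart docker.io job, sudo, an already-pulled ubuntu:trusty image, and that abstractions/base has already been edited by hand; the profile path /etc/apparmor.d/docker follows the report's steps, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report or of docker. Two pieces:
#  - summarize_denials: count AppArmor DENIED audit lines by
#    profile/operation/requested_mask/peer, so a burst of denials collapses
#    into the few distinct tuples a ptrace rule would have to cover.
#  - repro_ptrace_denials: the reload-and-run steps from the report, for
#    Ubuntu 14.04 (upstart job "docker.io"); run only with "--repro".

# Sample input: the three denial lines quoted in the report, embedded here
# so the summarizer can be exercised offline.
SAMPLE_DENIALS='Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"'

# Read audit lines on stdin; print "<count> <profile> <operation> <mask> <peer>"
# for each distinct DENIED tuple, sorted by tuple. Lines without
# apparmor="DENIED" (ALLOWED, AUDIT, unrelated kernel output) are ignored.
summarize_denials() {
    awk '
    /apparmor="DENIED"/ {
        split("", f)                      # clear the per-line field map (portable)
        for (i = 1; i <= NF; i++) {
            # Only key="value" tokens have exactly one "="; timestamps,
            # "kernel:" and the audit(...) token are skipped.
            if (split($i, kv, "=") == 2) {
                gsub(/"/, "", kv[2])
                f[kv[1]] = kv[2]
            }
        }
        key = f["profile"] " " f["operation"] " " f["requested_mask"] " " f["peer"]
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Steps 2-6 of the report. Step 0 (install docker.io, pull ubuntu:trusty) and
# step 1 (edit /etc/apparmor.d/abstractions/base) are done by hand beforehand.
repro_ptrace_denials() {
    set -e
    # docker rewrites its profile file on daemon start, so edits to the file
    # itself are lost; instead unload the loaded profile, drop the file and
    # its cache, and let the daemon regenerate it against the edited base
    # abstraction.
    sudo stop docker.io
    sudo apparmor_parser -R /etc/apparmor.d/docker
    sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
    sudo start docker.io
    # Trigger the denials: ps inspects /proc entries of the other processes
    # in the container, which AppArmor mediates as ptrace access; every
    # process there is confined by docker-default, hence peer="docker-default".
    sudo docker run --rm ubuntu:trusty ps
    # The denials land in the host kernel log.
    sudo dmesg | summarize_denials
}

case "${1:-}" in
    --repro) repro_ptrace_denials ;;
    *) printf '%s\n' "$SAMPLE_DENIALS" | summarize_denials ;;
esac
```

Run without arguments to see the summary of the quoted denials (two "read" denials and one "trace" denial, all with profile and peer docker-default); run with --repro on the affected host to regenerate the docker profile and summarize whatever dmesg reports. The summary is what to compare against the ptrace rule in abstractions/base: with peer=@{profile_name} or peer=docker-default in place, any remaining docker-default/ptrace/*/docker-default tuple is the mismatch the report describes.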