Merge or take advantage of Docker's default apparmor profile #9

achimnol opened this issue Jan 24, 2019 · 0 comments
achimnol commented Jan 24, 2019

Through a recent investigation of unexpected jail failures by @tlqaksqhr, we finally identified that the root cause was the intermix of the docker-default AppArmor profile and our jail's seccomp+ptrace.
(Yes, I thought AppArmor was deprecated, but it is still being used!)

References:

Since apparmor simplifies some parts of our jail policy implementation, such as path-based access controls, let's combine its advantage with our jail.

  • Could we translate the path-based access control part of policy.yml to apparmor profile? Or, could we do the reverse (importing the docker-default apparmor profile to the base policy.yml)?
    • If we use apparmor in addition to jail:
      • Modify the agent to auto-generate & load the apparmor profile from the container's policy.yml when starting containers, and unload the profile when containers terminate. (one profile per container)
    • If we merge apparmor profile into jail:
      • Set the apparmor=unconfined security option when starting containers in the agents.
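Both branches of the checklist above (generating one AppArmor profile per container from the path-based part of the policy, or dropping AppArmor with apparmor=unconfined and letting the jail enforce everything) can be sketched in a few lines. The following is an added example in Python, not the project's own agent code: the policy schema (a `paths` mapping of prefix to access mode plus an `exec` list) is a constructed assumption and not the real policy.yml format, the ptrace peer rule assumes the jail's tracer and tracee both run under the generated profile, and the `apparmor_parser` flags `-r` (replace), `-W` (write cache) and `-R` (remove) are the tool's real options.

```python
"""Translate a path-based access policy into an AppArmor profile and derive
the matching Docker security option.

Added example, not the project's own code. The policy schema (``paths`` and
``exec`` keys) is a constructed assumption, not the project's policy.yml.
"""
import re

# Constructed sample policy in the assumed schema: path prefix -> access mode.
SAMPLE_POLICY = {
    "name": "jail-example",
    "paths": {
        "/usr/": "r",         # read-only system tree
        "/lib/": "r",
        "/home/work/": "rw",  # read-write scratch directory
        "/tmp/": "rw",
    },
    "exec": ["/usr/bin/python3"],  # binaries the jailed process may execute
}

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")
_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")
_MODES = {"r", "w", "rw"}


def _check_path(path):
    """Reject paths that would break profile syntax or widen the rule (globs, whitespace)."""
    if not _PATH_RE.match(path):
        raise ValueError(f"unsafe path in policy: {path!r}")
    return path


def render_profile(policy):
    """Return AppArmor profile text for one container (one profile per container)."""
    name = policy["name"]
    if not _NAME_RE.match(name):
        raise ValueError(f"bad profile name: {name!r}")
    lines = [
        f"profile {name} flags=(attach_disconnected,mediate_deleted) {{",
        "  #include <abstractions/base>",
        # Assumption: the jail's tracer and tracee run under this same profile,
        # so ptrace is permitted only between peers confined by it.
        f"  ptrace (trace,read,tracedby,readby) peer={name},",
        "  deny /proc/sys/kernel/** w,",
        "  deny mount,",
    ]
    for path, mode in sorted(policy.get("paths", {}).items()):
        path = _check_path(path)
        if mode not in _MODES:
            raise ValueError(f"unknown mode {mode!r} for {path}")
        if path.endswith("/"):
            lines.append(f"  {path} {mode},")    # the directory itself
            lines.append(f"  {path}** {mode},")  # everything below it
        else:
            lines.append(f"  {path} {mode},")
    for binary in policy.get("exec", []):
        # ix: execute and keep this profile (no transition to unconfined)
        lines.append(f"  {_check_path(binary)} ix,")
    lines.append("}")
    return "\n".join(lines) + "\n"


def docker_security_opt(policy, use_apparmor=True):
    """HostConfig.SecurityOpt value for the two options discussed in the issue."""
    if use_apparmor:
        return [f"apparmor={policy['name']}"]
    return ["apparmor=unconfined"]  # the jail alone enforces the policy


def load_command(profile_path):
    """apparmor_parser invocation to (re)load a profile file into the kernel."""
    return ["apparmor_parser", "-r", "-W", profile_path]


def unload_command(profile_path):
    """apparmor_parser invocation to remove the profile when the container exits."""
    return ["apparmor_parser", "-R", profile_path]


if __name__ == "__main__":
    print(render_profile(SAMPLE_POLICY))
    print(docker_security_opt(SAMPLE_POLICY), docker_security_opt(SAMPLE_POLICY, False))
```

The agent would write `render_profile()` output to a file, run `load_command()` before creating the container, pass `docker_security_opt()` as the container's SecurityOpt, and run `unload_command()` after the container terminates; path validation is deliberately strict so a policy entry cannot smuggle a glob or a second rule into the generated profile.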
2 participants