知识图谱>> bane>> 返回
项目作者: genuinetools

项目描述 :
Custom & better AppArmor profile generator for Docker containers.
高级语言: Go
项目地址: git://github.com/genuinetools/bane.git
创建时间: 2015-10-08T23:45:49Z
项目社区:https://github.com/genuinetools/bane
开源协议:MIT License
下载


bane

make-all
make-image
GoDoc
Github All Releases

AppArmor profile generator for docker containers. Basically a better AppArmor
profile, than creating one by hand, because who would ever do that.

“Reviewing AppArmor profile pull requests is the bane of my existence”

  • Jess Frazelle

bane

Table of Contents

Installation

Binaries

For installation instructions from binaries please visit the Releases Page.

Via Go

  1. $ go get github.com/genuinetools/bane

Usage

  1. $ bane -h
  2. bane -  Custom AppArmor profile generator for docker containers
  4. Usage: bane <command>
  6. Flags:
  8.   -d            enable debug logging (default: false)
  9.   -profile-dir  directory for saving the profiles (default: /etc/apparmor.d/containers)
  11. Commands:
  13.   version  Show the version information.

Config File

sample.toml is a AppArmor sample config for nginx in a container.

File Globbing

Glob Example Description
/dir/file match a specific file
/dir/* match any files in a directory (including dot files)
/dir/a* match any file in a directory starting with a
/dir/*.png match any file in a directory ending with .png
/dir/[^.]* match any file in a directory except dot files
/dir/ match a directory
/dir/*/ match any directory within /dir/
/dir/a*/ match any directory within /dir/ starting with a
/dir/*a/ match any directory within /dir/ ending with a
/dir/** match any file or directory in or below /dir/
/dir/**/ match any directory in or below /dir/
/dir/**[^/] match any file in or below /dir/
/dir{,1,2}/** match any file or directory in or below /dir/, /dir1/, and /dir2/

Installing a Profile

Now that we have our config file from above let’s install it. bane will
automatically install the profile in a directory
/etc/apparmor.d/containers/ and run apparmor_parser.

  1. $ sudo bane sample.toml
  2. # Profile installed successfully you can now run the profile with
  3. # `docker run --security-opt="apparmor:docker-nginx-sample"`
  5. # now let's run nginx
  6. $ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx

Using custom AppArmor profiles has never been easier!

Now let’s try to do malicious activities with the sample profile:

  1. $ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash
  2. root@6da5a2a930b9:~# ping 8.8.8.8
  3. ping: Lacking privilege for raw socket.
  5. root@6da5a2a930b9:/# top
  6. bash: /usr/bin/top: Permission denied
  8. root@6da5a2a930b9:~# touch ~/thing
  9. touch: cannot touch 'thing': Permission denied
  11. root@6da5a2a930b9:/# sh
  12. bash: /bin/sh: Permission denied
  14. root@6da5a2a930b9:/# dash
  15. bash: /bin/dash: Permission denied

Sample dmesg output when using LogOnWritePaths:

  1. [ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
  2. [ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
  3. [ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
  4. [ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
  5. [ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
  6. [ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
  7. [ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
  8. [ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
  9. [ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
  10. [ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0

What does the generated profile look like?

For the above sample.toml the generated profile is available as docker-nginx-sample.

Integration with Docker

This was originally a proof of concept for what will hopefully become a native
security profile in the Docker engine. For more information on this, see
docker/docker#17142.