[apparmor] Apparmor and Docker - capabilities and network flags not working

werner_kienzler werner_kienzler at protonmail.com
Mon May 23 06:42:25 UTC 2022


Hello,

I just sent the profile to your private e-mail. I don't want to clutter the mailing list here, so I'm not sending it to the mailing list.

Werner




Sent with a secure e-mail from ProtonMail.
------- Original Message -------
John Johansen <john.johansen at canonical.com> wrote on Monday, 23 May 2022 at 5:11 AM:


> On 5/22/22 06:43, werner_kienzler wrote:
>
> > Hello,
> >
> > > is docker using user namespaces, or network namespaces?
> > > Good question - I didn't enable "user namespace isolation" in the docker daemon (so I don't set "userns-remap" in "/etc/docker/daemon.json"), so I assume I'm using network namespaces? But I don't have deeper knowledge in this topic - should I run some test here or configure something?
>
>
> I need to do some digging on the docker side before I can say what configs you need to look at or tests for you to run.
>
> > > What is your kernel version? And do you have any non-upstream patches on it.
> > > I use an up-to-date kernel of my distro, which is 5.17.9. It is 100% vanilla and has no patches applied to it.
>
>
> Can you dump the loaded profile and send it to me? Basically
>
> sudo cat /sys/kernel/security/apparmor/policy/profiles/docker-nginx.*/raw_data > /tmp/raw_profile
>
>
> where * is going to match some unique number and send me the raw_profile file. This will let me pick out how the parser is compiling the profile which will help with figuring out why network deny is not working.
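The dump requested above, wrapped as a small shell helper (added here as an example; it is not from the thread and not part of the AppArmor project's tooling). It takes the profile name as given in the command above, globs the `NAME.*` directory under `policy/profiles`, fails loudly when nothing is loaded under that name (so a mistyped name does not yield an empty file), and, where the per-profile `mode` file that I assume is present in that directory exists, reports enforce/complain on stderr while keeping stdout a clean dump for redirection. The apparmorfs root is a parameter so the function can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# dump_raw_profile NAME [APPARMORFS]
#
# Concatenates the compiled form (raw_data) of every loaded profile whose
# directory matches NAME.* under APPARMORFS/policy/profiles. APPARMORFS
# defaults to the real mount point; on a live system run it under sudo and
# redirect stdout to a file, e.g.
#   sudo sh -c '. ./this.sh; dump_raw_profile docker-nginx' > /tmp/raw_profile
# Returns 1 (and prints nothing on stdout) when no profile of that name is loaded.
dump_raw_profile() {
    name=$1
    fs=${2:-/sys/kernel/security/apparmor}
    found=0
    for d in "$fs"/policy/profiles/"$name".*; do
        # an unmatched glob stays literal; the -f test skips it
        [ -f "$d/raw_data" ] || continue
        found=1
        # 'mode' (assumed to hold enforce/complain) goes to stderr so the
        # dump on stdout stays byte-exact for the parser
        if [ -f "$d/mode" ]; then
            printf '%s: mode %s\n' "$(basename "$d")" "$(cat "$d/mode")" >&2
        fi
        cat "$d/raw_data"
    done
    [ "$found" -eq 1 ] || { printf 'no loaded profile matches %s.*\n' "$name" >&2; return 1; }
}
```

The glob is deliberately anchored on `NAME.` so that `docker-nginx` does not also pick up, say, `docker-nginx-dev.*`; if several kernel-assigned ids match the same name (a profile replaced while the old one is still referenced), every match is concatenated, and the stderr lines tell you which directories contributed.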
