Docker loads AppArmor profile although AppArmor service is not enabled

[brauner]

Output of docker version:

Client:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.6.2
 Git commit:   9e83765
 Built:
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.6.2
 Git commit:   9e83765
 Built:
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 6
Server Version: 1.11.2
Storage Driver: btrfs
 Build Version: Btrfs v4.5.3+20160516
 Library Version: 101
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host
Kernel Version: 4.4.3-0.gedb49cc-default
Operating System: openSUSE Tumbleweed (20160709) (x86_64)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.58 GiB
Name: f22
ID: 7CRD:N73Y:7HWT:3SJG:UT5P:346M:6KYO:KAJK:TYBJ:NQXT:DZB4:7AH5
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
WARNING: No kernel memory limit support

Additional environment details (AWS, VirtualBox, physical, etc.):

physical

Steps to reproduce the issue:

1. Disable AppArmor service.
2. Place /etc/apparmor.d/ on read-only partition.
3. Try to start Docker daemon.

Describe the results you received.

level=fatal msg="Error starting daemon: AppArmor enabled on system but the docker-default profile could not be loaded.

Describe the results you expected:

Docker daemon starts successfully.

[brauner]

I'd be willing to submit a patch for this. I just wanted to hear your opinion first.

[brauner]

When the AppArmor service is not running the Docker daemon should probably not fail when it cannot create/load its default profile.

[thaJeztah]

/cc @cyphar as it looks like you're running a SUSE build of docker; not sure if that makes a difference here

[brauner]

@thaJeztah, @cyphar and I are on the same team. The build shouldn't make a difference.

[justincormack]

That sounds reasonable, I am not sure how easy it is, if you are lucky their is an error code that matches that case, and it is just a matter of passing through the underlying errors better. Otherwise it might be less easy...

[cyphar]

Yeah, so the issue here is that Docker's checks for whether AppArmor IsEnabled (this code is actually in runC, but that's a side issue) check that AppArmor is enabled in the kernel but then Docker will put its profile into /etc/apparmor.d which is managed by a userspace daemon. Unfortunately, there isn't really a nice way to check that the user-space daemon is running (aa-status --enabled doesn't always do the job). IMO there's a few ways of doing this:

1. Use apparmor_parser directly to add the profiles to the kernel without going through the userspace daemon. This means we don't ever have to care about what userspace is doing. The downside of this approach is that administrators can't change the profile, and the profile is essentially opaque to them (though I'm not sure that Docker actually allows that to happen, since I believe that Docker replaces the file on each boot).
2. Don't check whether the profile we've written was actually loaded. This would mean that it would be up to the admin to make sure that AppArmor does what they like (obviously we would emit warnings, but we wouldn't fail to start). The downside of this is that we now have a potential issue where an administrator might think Docker is having its AppArmor profile enforced while it actually isn't.
3. Take our chances and use aa-status --enabled if possible.
4. Really take our chances and presume that if there are no other profiles loaded, then AppArmor probably isn't enabled on the system. This is probably not an awesome idea.

[brauner]

aa-status isn't a nice option since it isn't available per default. On a lot of distributions it's part of some apparmor-utils package which is not necessarily installed. So I'd like to avoid this. My idea was to look into /sys/kernel/security/apparmor/profiles and look if this file is empty. If it is empty than we should be able to conclude that the AppArmor service isn't running. This is a bit fragile since this is no biconditional aka "service not running <-> /.../porfiles is empty" does not hold.

[thaJeztah]

@brauner oh! doing it again, sorry I forgot you were at SUSE I'll try to remember 😊

[cyphar]

@brauner That was option 4. 😉

[brauner]

@thaJeztah, ah, no worries ☺️.

[brauner]

@cyphar, I only read three of your suggestions. I suggested this yesterday on irc. 😄

[brauner]

So looking at the profiles file actually is what the apparmor service itself seems to do.

[justincormack]

Ugh. I don't know really. So there are essentially two different definitions of what "having apparmor" means, either a userspace definition or a kernel one. We need to pick one or the other, and then make sure the packaging and documentation reflects this.

In the case of 1, we can tweak it a bit, so that the flow is nicer, thats the kernel route. Users might be confused that they thought they had disabled apparmor but it still gets used by docker.

1. Is the userspace solution, we add more dependencies to the RPMs/documentation. Harder to use for some odd distro that does apparmor differently I guess.

I dont think 2 and 4 are acceptable. I think I have a preference for 1, but open to persuasion.

cc @jfrazelle

[brauner]

@justincormack, then 3 is out as well because aa-status again looks at profiles.