docker inspect contains no indication of default AppArmor profile

[rvandegrift]

Docker is setting the default AppArmor profile, but docker inspect claims otherwise:

$ docker inspect container
[
    {
        ...
        "AppArmorProfile": "",
        "SecurityOpt": [],
        "State": {
            "Pid": 14235,
            ...
        }
        ...
    }
]
$ sudo aa-status
...
18 processes are in enforce mode.
     ...
     docker-default (14235)

If I explicitly set the default with --security-opt apparmor:docker-default, then docker inspect is correct.

Output of docker version:

Client:
 Version:      1.12.0
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   8eab29e
 Built:        Thu Jul 28 22:11:10 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.0
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   8eab29e
 Built:        Thu Jul 28 22:11:10 2016
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 13
 Running: 10
 Paused: 0
 Stopped: 3
Images: 14
Server Version: 1.12.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 127
 Dirperm1 Supported: true
Logging Driver: awslogs
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-31-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.795 GiB
Name: moon-04643584d28c0ac31
ID: TWQW:NLZA:6TPG:DWU6:3MJZ:OETI:VE67:D5M4:6JWY:I2HJ:PCYQ:NB7T
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.):
AWS

Steps to reproduce the issue:

1. Run a container on an AppArmor enabled host, without specifying a profile.
2. Run docker inspect and compare to aa-status

Describe the results you received:
docker inspect does not include information about AppArmor profiles if the default profile is applied by docker.

Describe the results you expected:
docker inspect should always include the AppArmor profile, even if it's just the default.

Additional information you deem important (e.g. issue happens only occasionally):

[justincormack]

Currently this reflects what the client sends, where blank means apply the default if apparmor is enabled else do nothing, while "docker-default" means apply the default profile and fail if there is no apparmor. I agree this is a bit confusing, but I am not sure we want to change it, maybe just change the documentation?

[rvandegrift]

That'd be disappointing - I don't see how the current behavior makes sense. This prevents auditing apparmor profiles for containers which have the default. This is a pretty common case, so it'd be nice to not misreport what's going on.

Are the reasons for not wanting to make the change just time & priority, or is there a deeper issue lurking? Would a patch be considered? It's possible I might be able to get some time to fix.

[justincormack]

I think a patch would be considered, yes. Its possible it might need an additional field for applied profile, rather than changing the current one I guess.

[fntlnz]

@justincormack I see that in https://github.com/docker/docker/blob/master/daemon/create.go#L99 (and also in start but it's deprecated) there's a call to daemon.setSecurityOptions which at some point calls the parseSecurityOpt which seems responsible for setting the AppArmorProfile for the container.

By default runc does use the default profile of the creating process if I understand correctly
https://github.com/opencontainers/runc/blob/c92d10586328b3ce0db1b6d405463481c8fb0df6/utils_linux.go#L72

Said that do you think that is a good idea to just explicit the metadata at container creation somewhere after daemon.setSecurityOptions ? There's a better way to achieve this?

[RobSkye]

Or in daemon.setSecurityOptions because, with that name, you expect that function to effectively set that.

container.AppArmorProfile can be checked after daemon.parseSecurityOptfor an empty value and then, check if apparmor is enabled in order to fill the metadata with "docker-default".

@rvandegrift are you already working on this?

[rvandegrift]

@RobSkye - nope, haven't had any time.

[RobSkye]

#dibs

[RobSkye]

Searching how to check if apparmor is enabled i found that the Daemon struct don't have an "ApparmorEnabled" boolean like seccomp has so, the only way to check in daemon.SetSecurityOptions if AppArmor is enabled is invoking sysInfo := sysinfo.New(true) and then check the sysInfo.AppArmor bool.

I think is better to add an ApparmorEnabled bool in the Daemon struct. It's ok?

[thaJeztah]

ping @justincormack ^^

[justincormack]

@RobSkye sounds reasonable yes.