Impossible to see contents of AppArmor Profile "docker-default"

[spawnflagger]

Description
I would like to be able to see the plaintext contents of the AppArmor profile "docker-default", for debugging/audit purposes.

This bug/feature-request is related to #24786 (fix implemented in #26518), and to a lesser extent #26823, #25935 (claimed to be fixed in #27083, however in my 17.04 install 'docker-inspect' still doesn't show the new behavior)

Prior to Docker 1.13, it stored the AppArmor Profile in /etc/apparmor.d/docker-default (which was overwritten when Docker started, so users couldn't modify it. Docker devs added the --security-opt to let users specify a profile. After v1.13, Docker now generates docker-default in tmpfs, uses apparmor_parser to load it into kernel, then deletes the file. All of the AppArmor utils (aa-* on Ubuntu) expect a file parameter, and /sys/kernel/security/apparmor/policy/profiles/* only has cached binaries.

In discussion of #24786, @cyphar mentions this being opaque, and I agree.

Steps to reproduce the issue:

1. docker run a container (without --privileged)
2. aa-status to confirm "docker-default" profile is being enforced
3. try to find what "docker-default" profile actually is, and the Policy/Policies being enforced

Describe the results you received:
failed to find information in step 3.

Describe the results you expected:
expected to find exactly what is being enforced. (without reading the source code and running a Go template parser)

Additional information you deem important (e.g. issue happens only occasionally):
This came up as I was trying to debug a Docker container (Rails application based on phusion/passenger-ruby) because kern.log/syslog had excessive AppArmor DENIED ptrace for a 'ps', which according to Docker documentation should be allowed in the default profile.

I apologize in advance, if there is already some way to get this info. (I'm new to Docker and AppArmor, but old to Linux/Solaris/AIX/BSD/etc)

Possible solution/suggestions:

• restore /etc/apparmor.d/default-docker, and only change it during install time (dpkg and rpm can handle this, or check differences as part of your auto-setup script). If the user/admin changes that file, then load their modified file instead of overwriting it. (If someone has /etc/ mounted read-only, they should be expected to remount rw during install/update of software.)
• instead of 'tmpfs', store the docker-default file somewhere under /var/run/docker/ (and don't delete it while the containers are running). Then docker inspect and aa-status can reference the path to the profile, which can easily be seen by those who care.
• I could submit a feature request to the AppArmor folks requesting a config-file directive for their parser, such that it always caches the plaintext versions of all profiles.

Output of docker version:

Client:
 Version:      17.04.0-ce
 API version:  1.28
 Go version:   go1.7.5
 Git commit:   4845c56
 Built:        Mon Apr  3 18:07:42 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.04.0-ce
 API version:  1.28 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   4845c56
 Built:        Mon Apr  3 18:07:42 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 3
 Running: 3
 Paused: 0
 Stopped: 0
Images: 47
Server Version: 17.04.0-ce
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 71
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary:
containerd version: 422e31ce907fd9c3833a38d7b8fdd023e5a76e73
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-75-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.859GiB
Name: [redacted]
ID: M2RC:GOLE:6JNO:CRMB:XEO7:FBBN:PNYC:BEUQ:PZUH:L7FN:SZI6:4JPR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Http Proxy: [redacted]
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
VM/Instance on OpenStack (13.1)

[thaJeztah]

/cc @n4ss @justincormack wdyt? Perhaps an "export" option to get the profile?

fwiw, I don't think that this is desirable;

If the user/admin changes that file, then load their modified file instead of overwriting it.

As it no longer allows updating the profile when docker is updated, and also could mean that a modified profile is loaded without the user being aware of it

[tych0]

Yes, it is quite annoying that the apparmor utilities require a path. FWIW,

- instead of 'tmpfs', store the docker-default file somewhere under /var/run/docker/ (and don't delete it while the containers are running). Then docker inspect and aa-status can reference the path to the profile, which can easily be seen by those who care.

seems like the best option to me (and then simply always overwrite it before loading).

We could support putting custom profile content in if we generate one profile per container. IIRC, this also has some small security benefit, although I don't remember exactly what.

[cyphar]

After v1.13, Docker now generates docker-default in tmpfs, uses apparmor_parser to load it into kernel, then deletes the file. All of the AppArmor utils (aa-* on Ubuntu) expect a file parameter, and /sys/kernel/security/apparmor/policy/profiles/* only has cached binaries.

For context, the reason we no longer write to /etc/apparmor.d is because certain distributions want to make the rootfs read-only. A specific instance of this is SUSE's Kubernetes distribution (CaaSP). The reason I made Docker delete the file after generating it is so that we don't waste space in /tmp (and if we made assumptions about the file not changing, that feels quite dodgy and would require us to keep a static path in /tmp which is fine but unnecessary IMO).

However, what would be good is if we improve the AppArmor profile code in a similar way to the seccomp profile code -- that there is a configuration file in /etc/docker which describes the default profile. That way it won't be opaque but also won't require us to keep around temporary copies of the profile. WDYT?

[spawnflagger]

Hi guys, thanks for considering this.

If the user/admin changes that file, then load their modified file instead of overwriting it.

As it no longer allows updating the profile when docker is updated, and also could mean that a modified profile is loaded without the user being aware of it

is because certain distributions want to make the rootfs read-only

There is a fundamental difference between install time and run time. During install time, it's the root user that is modifying the system, and it's necessary (for most daemon-type software) to make changes in /etc. Run time (including /etc/init.d/something start, reboots, service start something, systemctl up) - those should never need to write anything to /etc, only read from it. All of those runtime record-keeping changes should be somewhere under /var (such is common with PID files).

There are many packages on linux where the manager (dpkg/apt, rpm/yum) will prompt the admin if there is an updated config file and it detects difference on the filesystem- usually something like: Keep/Replace/Show Diff? [default Keep]: and then it puts the new file in the same folder with an extra extension like .rpmnew or .dpkg-dist. (the interactive prompts can be overridden via extra parameters)
Here's a Debian article with more details: https://raphaelhertzog.com/2010/09/21/debian-conffile-configuration-file-managed-by-dpkg/

I used the Docker install script via curl -sSL https://get.docker.com/ | sh, and that could also be modified to behave like dpkg/rpm, at least for conf-files.

that there is a configuration file in /etc/docker which describes the default profile

If it's in /etc (either /etc/docker/ or /etc/apparmor.d/) then if the user makes changes to that default, then those changes should be honored by docker, and that modified file should be loaded, rather than generating one from an internal template. If you want something that is purely informational, then it should be part of the documentation (installation directory varies by distro & package), or a man page (although this is easy to get out-of-sync with reality - I prefer just looking at the file that's actually being used in /etc)

so that we don't waste space in /tmp

These files are only a few kB, so I'm not concerned about the size; however many of them piling up over time can get messy. /tmp also implies "safe to delete, as long as no process has it open (via lsof)"

[cyphar]

@spawnflagger

There is a fundamental difference between install time and run time. During install time, it's the root user that is modifying the system, and it's necessary (for most daemon-type software) to make changes in /etc.

I'm aware of that (and I also am aware of how distributions deal with configuration files). What I'm saying is that Docker used to write to /etc/apparmor.d during run time (which is what you mentioned in the original issue description as well), which is why it doesn't do that anymore (and the change was necessary because it used to be the case that Docker would attempt to write to paths such as /etc/apparmor.d/ that certain setups had set to read-only).

If it's in /etc (either /etc/docker/ or /etc/apparmor.d/) then if the user makes changes to that default, then those changes should be honored by docker, and that modified file should be loaded, rather than generating one from an internal template.

My suggestion was that we don't have an internal template anymore and that we make it external (and store it in /etc/docker/apparmor.conf or something). This is similar to how the seccomp profile used to be internal and is now an external file (/etc/docker/seccomp.json IIRC) -- see issue #26276. Would this work for you?

These files are only a few kB

Sure but if you have to regenerate a new profile each time it's not loaded in the system, and then if you combine that with lots of Docker reboots on a dev machine (and certain distributions don't clear /tmp on reboot) things start to get a bit hairy. All of that being said, I would prefer if we solve a more general problem here (make the internal profile more visible) rather than trying to retrofit introspection (write the profile to some temporary directory that only people who have read this issue would know about).

[spawnflagger]

@cyphar

My suggestion was that we don't have an internal template anymore and that we make it external (and store it in /etc/docker/apparmor.conf or something). This is similar to how the seccomp profile used to be internal and is now an external file (/etc/docker/seccomp.json IIRC) -- see issue #26276. Would this work for you?

I think that would be a good step just for the sake of consistency between how Docker handles apparmor and seccomp.

But consider the scenario where there's a bug in the template file or parser- what gets loaded in AppArmor might not be what was intended, and there'd still be no way of knowing what's actually loaded in AppArmor policy (once removed from tmpfs, no way to see plaintext). Having the file in /var/run/docker/some_per-container_subdir/aa.profile then aa-status would report the full path, which can be checked. And it would automatically be deleted when the container is killed.

[aauren]

Is there any further progress on this issue? I have to say it's incredibly frustrating when some part of the apparmor profile doesn't work correctly, because as this issue suggests there is absolutely no way to view the profile that Docker is using. Furthermore, all of the apparmor utilities require the original text of the profile in order to modify them in any way.

We recently ran into: #36809 and because there is no profile accessible to me, the only way that I have found to kill the containers that are spun up on affected hosts is to redeploy the system.

At the very least an export option would be handy, but if not that, then I would agree with what @spawnflagger suggested, that the file should be kept in tmpfs while the container is running and that the full location of of the applied apparmor profile be logged by docker so that it can easily be tracked down and interrogated.

[n4ss]

@aauren apparmor & seccomp profiles generation is being heavily reworked, but in the meantime I agree that having it stored in /var/run/docker before apparmor loads it is a good thing.

In the meantime, I guess you can hack it by wrapping apparmor_parser so that when it's called with apparmor_parser -Kr [profile] you store [profile] then forward to the real command.

[cyphar]

@aauren I would argue that having access to the output profile (which has already been loaded by Docker) will not be as useful as having access to the input profile (which will be loaded by Docker in all future invocations) for solving problems like #36809 -- which just requires a one-line fix to the internal AppArmor profile.

I am willing to work on having an /etc/docker/apparmor.conf (or whatever the file will be called), as I think it would solve most of the issues. If you really would like to know what the output looks like we could make it something like /etc/docker/apparmor.conf.in (for the template) and then /var/run/docker/apparmor.conf (for the output).

[aauren]

@cyphar Thanks for your quick reply!

I think that it would be best to have both. It would be nice to have access to the template so that you could fix problems that you found in a way that docker would actually use them going forward, but it would also be nice to have access to the rendered output of the template (the text that was sent to apparmor) so that you could manipulate apparmor directly.

Almost every interaction that you have with apparmor is contingent on having the profile file that was fed into apparmor. Even tools like aa-logprof, as I found out today, won't work unless they have access to the existing profile file that was used to construct the enabled profile.

So for now I would take whatever you guys are willing to give me, but ultimately it would be nice to have access to both the template file and the rendered output that docker sent to apparmor.

[aauren]

@cyphar Just following up with this, do you think that this is something that is relatively easy and could be done soon? Or should we pursue a wrapper script like @n4ss suggested if we needed this functionality some time this week?