Add daemon option to disable AppArmor integration

[ericchiang]

FEATURE REQUEST

Description

Currently, the dockerd binary always runs containers as docker-default if AppArmor is enabled on the host.

moby/daemon/exec_linux.go

Lines 30 to 54 in b4cb377

	if apparmor.IsEnabled() {
	var appArmorProfile string
	if c.AppArmorProfile != "" {
	appArmorProfile = c.AppArmorProfile
	} else if c.HostConfig.Privileged {
	// `docker exec --privileged` does not currently disable AppArmor
	// profiles. Privileged configuration of the container is inherited
	appArmorProfile = unconfinedAppArmorProfile
	} else {
	appArmorProfile = defaultAppArmorProfile
	}
	if appArmorProfile == defaultAppArmorProfile {
	// Unattended upgrades and other fun services can unload AppArmor
	// profiles inadvertently. Since we cannot store our profile in
	// /etc/apparmor.d, nor can we practically add other ways of
	// telling the system to keep our profile loaded, in order to make
	// sure that we keep the default profile enabled we dynamically
	// reload it if necessary.
	if err := ensureDefaultAppArmorProfile(); err != nil {
	return err
	}
	}
	p.ApparmorProfile = appArmorProfile
	}

https://github.com/opencontainers/runc/blob/44f221e2fce70dd6a75e7d67e9bdde36706aef79/libcontainer/apparmor/apparmor.go#L15-L21

As an administrator, I'd like to use AppArmor to restrict dockerd from performing certain operations on a portion of my fleet (developer machines). However, since dockerd always attempts to apply a custom profile (by writing to /proc/self/attr/exec), runc can always get around my restrictions by running containers as unconstrained. If I restrict writes to /proc/self/attr/exec, then runc will always fail to start containers.

Currently, I have two options:

• Compile dockerd myself with build tags and distributing different packages to different hosts (different docker packages for developer machines vs. servers)
• Hide /sys/kernel/security/apparmor from dockerd (nice and hacky).

As an alternative, I'd like to send a PR that adds a dockerd flag to disable AppArmor integration (similar to --selinux-enabled). Does this sound reasonable?

https://docs.docker.com/engine/reference/commandline/dockerd/

/cc @cyphar

[AkihiroSuda]

SGTM

[cyphar]

This could be implemented as an extension of #41442 though this is kind of a problem with our default security profiles in general -- you also can't disable seccomp entirely on a daemon-level. Maybe we need some kind of --insecure-disable-profiles=... flag? Something like --selinux-enabled (which I forgot existed) would work too, though I think it'd be ideal to make the flag seem scary (it should probably have the word insecure in it -- so --insecure-apparmor or something like that).

---

However, regarding your original issue with restricting dockerd -- in case you were not aware, there is a dockerd profile in contrib. It is more lax than what you appear to require, but AppArmor should allow you to only permit certain transitions using change_profile -- in fact that is what the profile does:

{{if ge .Version 209000}}
  # Transitions
  change_profile -> docker-*,
  change_profile -> unconfined,
{{end}}

You could restrict this to not allow unconfined containers -- this isn't done in the example profile because disabling this makes --privileged containers not work. Being able to write to /proc/self/attr/exec is not really a security issue if you have change_profile restrictions (as far as I can tell) because:

1. You can only ever write to your own /proc/$pid/attr/exec -- AppArmor doesn't allow you to change other programs' profiles.
2. exec will fail with permission denied if the profile transition is not permitted (AFAICS).

But please double-check that this is actually the case (AppArmor also supports profile nesting which would eliminate this issue as well but I'm not entirely sure whether you could convince Docker to use it).

I also hasten to point out that running containers without AppArmor profiles at all (but with the daemon restricted) makes those containers less secure because the containers are running with less restricted profiles by necessity.

[thaJeztah]

this is kind of a problem with our default security profiles in general -- you also can't disable seccomp entirely on a daemon-level

You mean "disabled by default" for containers, versus: do not allow containers to be started with seccomp/selinux/apparmor ?

Should we have options like;

• --seccomp-profile=disabled don't manage, disable seccomp handling, do not allow seccomp profiles to be used
• --seccomp-profile=unconfined use "unconfined" as a default, but allow custom profiles for a container, if specified
• --seccomp-profile=default (or not set): use the default profile as default
• --seccomp-profile=myprofile use custom profile "myprofile" as default

[ericchiang]

Thanks @cyphar for the information here. I was able to get the change_profile restrictions working. Couple of notes on that:

• runc is actually the process that needs change_profile restrictions, not dockerd.
• We're running all processes under a custom apparmor profile, so change_profile breaks the --privileged flag. That's kinda working as intended, but ideally users that supply --privileged would just get our default profile, not have docker attempt to run it as unconfined and fail.
• We'd have to ship a custom docker-default since we don't want docker to be able to load profiles (not a huge deal).

So the options that would work for me are:

• Implement @thaJeztah's suggestion to add a --seccomp-profile flag.
• Allow some way of making --privileged mean "don't attempt to change the containers profile" rather than "run as unconfined".

The --seccomp-profile seems like the least special-casing. Does that work for you @cyphar? Should I send a PR?

[thaJeztah]

Allow some way of making --privileged mean "don't attempt to change the containers profile" rather than "run as unconfined".

I'd rather not change what --privileged does. --privileged is a footgun, and unfortunately we're kinda stuck with it being there. Unfortunately the alternatives (manually specifying which capabilities to grant, syscalls, mounts, etc to allow) is too difficult for most users. A better options for that would be something like "entitlements" (which was proposed in #32801, but never lifted off).

Perhaps in the meantime, having a daemon option that would disable --privileged altogether (and thus require the user to (albeit cumbersome) specify what's needed) could be an option.

[ericchiang]

Sorry, I meant to say that I'd prefer adding --seccomp-profile instead of changing the way --privileged behaves.

Disabling --privileged through a daemon option isn't something we'd enable. We've got a very large fleet, and users expect docker to "just work" :) I'm mostly interested in preventing dockerd and runc from being able to modify AppArmor state.

[cyphar]

@ericchiang

I would be interested to see what profiles you end up with at the end of this, it might be useful to integrate some of them into the contrib configurations.

runc is actually the process that needs change_profile restrictions, not dockerd.

Right but that distinction only matters if you have a separate profile for /usr/bin/runc (which is a totally reasonable thing to do, but is not done by the contrib setup hence why it's omitted).

We're running all processes under a custom apparmor profile, so change_profile breaks the --privileged flag. [...] Disabling --privileged through a daemon option isn't something we'd enable. We've got a very large fleet, and users expect docker to "just work" :) I'm mostly interested in preventing dockerd and runc from being able to modify AppArmor state.

It seems (at least to me) a little bit dodgy to permit users to pass the --privileged flag but not actually running privileged containers when they're requested. Often --privileged containers do things like load kernel modules, manage hardware, or any number of other privileged operations -- these operations are going to fail anyway when the user tries them later (so the container will fail regardless, the question is whether it will fail upfront or later on in the middle of some operation). But that's just my two cents based on what you've said -- just thought it was worth mentioning.

I do wonder if you can force AppArmor to override the profile change by doing something like change_profile /var/lib/docker/** -> docker-default (I don't know how change_profile overrides interact with /proc/self/attr/exec changes off the top of my head). You can also force a profile change at pivot_root (with the pivot_root directive) and that might also override the /proc/self/attr/exec override -- again, I'm not sure what the interaction is. And as I said above, the worst case is you can try to force Docker to create nested profiles but I'm not sure how well that works in practice.

While I think --privileged is quite insidious in many respects, it's a necessary evil and I do wonder whether having a way to make it "no-so---privileged" is going to cause more trouble than it's worth...

[ericchiang]

The profile transition at pivot_root sounds really interesting, I'd have to think a bit about how we'd use that.

Long-term, our goal is to prevent dockerd from being able to modify AppArmor state or trivially get around our controls. That's something we'll have to experiment with and work with our users to achieve. If we end up with something that works, I think that'd be valuable to contribute back to contrib!

Short-term, I think we'd either need to break the --privileged flag or disable AppArmor integration to move forward. We can disable AppArmor integration with AppArmor itself:

profile dockerd /usr/bin/dockerd {
    // ...
    deny /sys/kernel/security/apparmor/**,
}

So to circle back to the original ask, would others find it useful for us to add a proper flag to the daemon to manage the level of LSM integration?

[cpuguy83]

You can also build dockerd without the apparmor build tag.
I realize this is painful if you aren't already building it.

[ericchiang]

Okay, so it sounds like there are workarounds for this issue and corresponding effort in #41442. I'm going to go ahead and close this out.

cyphar@ feel free to CC me on any AppArmor related changes if you'd like feedback. And as we get further in our experiments, I'll look to see if we can add anything to contrib.