Docker inspect "AppArmorProfile" field now shows "docker-default" when AppArmor is enabled and no other profile was defined

[RobSkye]

This pull request fixes #25935 showing "AppArmorProfile" in docker inspect filled with "docker-default" when AppArmor is enabled and no other profile was defined using --security-opt.

[thaJeztah]

@RobSkye did you close this on purpose, or by accident?

[RobSkye]

By Accident...laptops and beds are bad combination....I'm editing the description too.

[thaJeztah]

GitHub buttons are also a disaster at times, haha, no worries, thanks!

[thaJeztah]

Guess this fixes #25935

[RobSkye]

Yes.

[tonistiigi]

Please squash the commits as well.

[tonistiigi]

there is const defaultApparmorProfile

[tonistiigi]

Also need to handle --privileged. See https://github.com/docker/docker/blob/master/daemon/oci_linux.go#L709-L714

Even with privileged fixed this is a slight behavioral change. If apparmor is enabled after container was created this var will not change. I think if this is only called on inspecting single container we can lazy load the value like we do in container startup.

[RobSkye]

Even with privileged fixed this is a slight behavioral change. If apparmor is enabled after container was created this var will not change. I think if this is only called on inspecting single container we can lazy load the value like we do in container startup.

Yes, I agree on that. Maybe docker inspect is not the best place to show security information because one thing is the definition of the security you want and the other the security you really have in place at execution time.

Having said that, we can check in daemon.containerStart if the container apparmor options are compatible with the actual execution environment and if not, change the value to unconfined.

I'm going to commit and push this ASAP and..I will squash the commits, sorry about that :p

[thaJeztah]

@RobSkye can you address @tonistiigi's comments, and squash your commits?

[RobSkye]

With the latest push, if you change apparmor configuration and apparmor completely disappear from the dockerhost (I have some comments about this below) the AppArmorProfile is updated with the expected configuration but still there is some issues we have to address:

1. If you do an inspect after an apparmor change and before the start of the container, still shows the old AppArmorProfile.
2. If you create the container with apparmor disabled but with --security-opt apparmor=someprofile, when you enable apparmor in dockerhost, AppArmorProfile will be "docker-default".
3. Apparmor status is checked ONLY checking the existence of /sys/kernel/security/apparmor and is not a good method, you can have apparmor completely shutdown and still that directory exists. see https://github.com/docker/docker/blob/master/pkg/sysinfo/sysinfo_linux.go#L57
4. You can run a container with --security-opt apparmor=someprofile and someprofile will be set in AppArmorProfile whether or not exists as an valid apparmor profile.

I don't know if addressing this issues are in the scope of the main issue. I' have the feeling that implementing a real-time check of the security configuration of containers will require more than a "slight behavioral change".

I have some ideas of adding security information in the "docker ps" command and a more detailed "docker security" showing all the security settings of a container.

I look forward to your feedback.

[tonistiigi]

Don't understand this. Why is unconfined profile switched back to default.

[RobSkye]

That is actually an error. I was trying to restore "docker-default" to the unconfined containers if the containers were created after apparmor was enabled but i didn't notice the effect of enabling apparmor to the containers with --security-opt app-armor:unconfined.

I'm gonna think on how manage this correctly.

[RobSkye]

I did a little refactor of the patch in the last commit. Now inspect always shows an empty AppArmorProfile when the container is stopped ( maybe empty is not the best value but this can be changed easily to undefined, unconfined or something more clarifying).

The correct value of AppArmorProfile is set at container startup using the actual status of apparmor, the privileged flag and the configured apparmor settings using --security-opt.

[LK4D4]

@RobSkye I'm not sure that I like an idea of clearing profile on stopped containers - it's breaking change, and indeed it might be useful for debugging. Otherwise, the patch is ok for me.

[mlaventure]

ping @RobSkye , needs a rebase.

I personally don't think showing the previous apparmor profile when inspecting old containers is an issue to be fixed otherwise. It properly reflect how this container was run.

[RobSkye]

Ok, i'll delete that part and rebase/commit.

[thaJeztah]

ping @tonistiigi @LK4D4 PTAL what's the status on this one?

[tonistiigi]

I'd call this saveApparmorConfig

[tonistiigi]

This shows unconfined when apparmor is disabled.

[RobSkye]

Yes, do you want to show "Disabled" instead?

[tonistiigi]

I think empty would do. unconfined implies that special privileged profile was applied(at least to me).

[LK4D4]

ping @RobSkye
Would you mind to fix Tonis' comments? Then we can merge

[LK4D4]

LGTM
ping @tonistiigi

[tonistiigi]

LGTM