Merge or take advantage of Docker's default apparmor profile
achimnol opened this issue · comments
By a recent investigation of unexpected jail failures by @tlqaksqhr, we finally identified that the root cause was intermix of docker-default apparmor profile and our jail's seccomp+ptrace.
(Yes, I thought apparmor is deprecated but it has been still being used!)
References:
Since apparmor simplifies some parts of our jail policy implementation, such as path-based access controls, let's combine its advantage with our jail.
- Could we translate the path-based access control part of
policy.yml
to apparmor profile? Or, could we do the reverse (importing the docker-default apparmor profile to the basepolicy.yml
)?- If we use apparmor in addition to jail:
- Modify the agent to auto-generate & load the apparmor profile from the container's
policy.yml
when starting containers, and unload the profile when containers terminate. (one profile per container)
- Modify the agent to auto-generate & load the apparmor profile from the container's
- If we merge apparmor profile into jail:
- Set
apparmor=unconfined
security options when starting containers in the agents.
- Set
- If we use apparmor in addition to jail: