moby / moby

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Home Page: https://mobyproject.org/


Unable to spin up a container with AppArmor Profile

skumars-uptycs opened this issue · comments

Description

Apparmor is running

# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2024-07-02 12:28:19 UTC; 1min 0s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 805 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 805 (code=exited, status=0/SUCCESS)

Jul 02 12:28:19 santhosh-ubuntu20-131-22-230 systemd[1]: Starting Load AppArmor profiles...
Jul 02 12:28:19 santhosh-ubuntu20-131-22-230 apparmor.systemd[805]: Restarting AppArmor
Jul 02 12:28:19 santhosh-ubuntu20-131-22-230 apparmor.systemd[805]: Reloading AppArmor profiles
Jul 02 12:28:19 santhosh-ubuntu20-131-22-230 apparmor.systemd[869]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jul 02 12:28:19 santhosh-ubuntu20-131-22-230 systemd[1]: Finished Load AppArmor profiles.
# 

# ls -ltr /sys/kernel/security/apparmor
total 0
-r--r--r--  1 root root 0 Jul  2 12:28 revision
-r--r--r--  1 root root 0 Jul  2 12:28 profiles
lr--r--r--  1 root root 0 Jul  2 12:28 policy -> 'apparmorfs:[12637]'
drwxr-xr-x 13 root root 0 Jul  2 12:28 features
# cat /sys/module/apparmor/parameters/enabled
Y
# 

Apparmor Packages

# dpkg -l | grep apparmor
ii  apparmor                                   2.13.3-7ubuntu5.3                            amd64        user-space parser utility for AppArmor
ii  apparmor-easyprof                          2.13.3-7ubuntu5.3                            all          AppArmor easyprof profiling tool
ii  apparmor-notify                            2.13.3-7ubuntu5.3                            all          AppArmor notification system
ii  apparmor-profiles                          2.13.3-7ubuntu5.3                            all          experimental profiles for AppArmor security policies
ii  apparmor-profiles-extra                    1.27                                         all          Extra profiles for AppArmor Security policies
ii  apparmor-utils                             2.13.3-7ubuntu5.3                            amd64        utilities for controlling AppArmor
ii  libapparmor-perl:amd64                     2.13.3-7ubuntu5.3                            amd64        AppArmor library Perl bindings
ii  libapparmor1:amd64                         2.13.3-7ubuntu5.3                            amd64        changehat AppArmor library
ii  python3-apparmor                           2.13.3-7ubuntu5.3                            amd64        AppArmor Python3 utility library
ii  python3-libapparmor                        2.13.3-7ubuntu5.3                            amd64        AppArmor library Python3 bindings
# 

Reproduce

  1. Create an AppArmor profile - docker-block-etc
  2. Load the profile
  3. Try to launch the container with the AppArmor profile
# cat /etc/apparmor.d/containers/docker-block-etc
#include <tunables/global>
profile docker-block-bin flags=(attach_disconnected, mediate_deleted) {
  #include <abstractions/base>
  file,
  deny /etc/** wl,
}

# apparmor_parser -r -W /etc/apparmor.d/containers/docker-block-etc
# echo $?
0
# cat /sys/kernel/security/apparmor/profiles | grep -i block
docker-block-bin (enforce)
# docker run --rm -it --name block-bin --security-opt apparmor=docker-block-etc ubuntu:22.04 /bin/bash
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory: unknown.
# 

Expected behavior

The docker container should spin up with the specified AppArmor profile.

docker version

# docker version
Client: Docker Engine - Community
 Version:           27.0.3
 API version:       1.46
 Go version:        go1.21.11
 Git commit:        7d4bcd8
 Built:             Sat Jun 29 00:02:29 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.0.3
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.11
  Git commit:       662f78c
  Built:            Sat Jun 29 00:02:29 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.14
  GitCommit:        dcf2847247e18caba8dce86522029642f60fe96b
 runc:
  Version:          1.1.3
  GitCommit:        v1.1.3-0-g6724737f
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

# docker info
Client: Docker Engine - Community
 Version:    27.0.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.15.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.28.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  scan: Docker Scan (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-scan

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 11
 Server Version: 27.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: dcf2847247e18caba8dce86522029642f60fe96b
 runc version: v1.1.3-0-g6724737f
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
 Kernel Version: 5.15.0-051500-generic
 Operating System: Ubuntu 20.04.6 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.765GiB
 Name: XXXXXXXXXXXXXXXXXXXXXXXX
 ID: 435041d3-aaad-4a4f-9af5-c25b0dee2637
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: XXXXXXXXXXXXX
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

#

Additional Info

No response
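Added example (not from the issue, moby or runc): a POSIX sh pre-flight check for the reproduction above, where the file /etc/apparmor.d/containers/docker-block-etc declares `profile docker-block-bin` while `docker run` requests `apparmor=docker-block-etc`. It reads the name declared inside the profile file and verifies that exact name appears in the kernel's loaded-profile list before launching; the temporary directory, the demo profile list and the sample profile are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not moby/runc code): pre-flight check for `docker run --security-opt apparmor=NAME`.
# It reads the name declared INSIDE the profile file (which need not match the file name) and
# confirms the kernel has a profile of that name loaded before the container is launched.

# Print the profile name declared in an AppArmor profile file.
# Handles both `profile NAME flags=(...) {` and the legacy `/path/to/binary {` form.
apparmor_declared_name() {
    sed -n -E \
        -e 's/^[[:space:]]*profile[[:space:]]+"?([^"[:space:]]+)"?.*[{].*$/\1/p' \
        -e 's#^[[:space:]]*("?/[^"[:space:]]+"?).*[{].*$#\1#p' \
        "$1" | tr -d '"' | head -n 1
}

# Succeed only if NAME is in the kernel's loaded-profile list (path is a parameter for offline use).
apparmor_profile_loaded() {
    name=$1; profiles_file=${2:-/sys/kernel/security/apparmor/profiles}
    awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$profiles_file" 2>/dev/null
}

# Exit status: 0 = safe to launch; 1 = requested name differs from the file's declaration;
# 2 = name is right but not loaded (apparmor_parser has not been run, or failed).
apparmor_precheck() {
    requested=$1; profile_file=$2
    profiles_list=${3:-/sys/kernel/security/apparmor/profiles}
    declared=$(apparmor_declared_name "$profile_file")
    if [ "$declared" != "$requested" ]; then
        echo "mismatch: $profile_file declares '$declared' but '$requested' was requested" >&2
        return 1
    fi
    if ! apparmor_profile_loaded "$requested" "$profiles_list"; then
        echo "'$requested' is not loaded; load it with: apparmor_parser -r -W $profile_file" >&2
        return 2
    fi
}

# Demo on constructed inputs mirroring the issue: the file docker-block-etc declares docker-block-bin.
tmp=$(mktemp -d)
cat > "$tmp/docker-block-etc" <<'EOF'
#include <tunables/global>
profile docker-block-bin flags=(attach_disconnected, mediate_deleted) {
  deny /etc/** wl,
}
EOF
printf 'docker-default (enforce)\ndocker-block-bin (enforce)\n' > "$tmp/profiles"  # stand-in sysfs list
for name in docker-block-etc docker-block-bin; do
    apparmor_precheck "$name" "$tmp/docker-block-etc" "$tmp/profiles" && echo "$name: ok to launch"
done
rm -rf "$tmp"
```

Run as root against the real paths by omitting the third argument; a mismatch or unloaded profile is reported before runc ever tries to write the profile name into /proc/self/attr/apparmor/exec.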