
Support `nerdctl run --security-opt=XXX`

Open soharaki opened this issue 4 years ago • 4 comments

Add the security options to the nerdctl run.

soharaki avatar Dec 06 '20 18:12 soharaki

Seccomp was implemented in #12, AppArmor was implemented in 3e9a754ea082a5fc8fee8c91b265231348f6e03b.

We also need to support SELinux (--security-opt label)

AkihiroSuda avatar Dec 07 '20 10:12 AkihiroSuda

@AkihiroSuda mentions that apparmor support has been implemented. Unfortunately, deploying my lxkns discovery service using the existing docker-compose.yaml fails, seemingly the security option from the composer file doesn't get applied?

Admittedly, this might have been composed in infosec theory hell 😁:

```yaml
version: '2.4'
services: 
    lxkns:
        image: lxkns:latest
        read_only: true
        build: 
            context: ../..
            dockerfile: deployments/lxkns/Dockerfile
        command:
            - "/lxkns"
            - "--initialcgroup"
            - "--docker=unix:///proc/1/root/run/docker.sock"
            - "--containerd=/proc/1/root/run/containerd/containerd.sock"
        ports:
            - "5010:5010"
        user: "65534"
        security_opt:
            # apparmor only accepts a profile name, which must have been loaded
            # by the system admin. You might want to use the lxkns-apparmor
            # profile to be found in this directory.
            - apparmor:unconfined #- apparmor:lxkns
            # Please note that Docker's default container seccomp profile is
            # adaptive: it allows all those syscalls for which the process has
            # matching capabilities. In consequence, this Docker default seccomp
            # profile thus does not interfere with lxkns. However, we still want
            # to slightly curb the unneeded parts of the powers bestowed upon us
            # by especially CRAP_SYS_ADMIN and CAP_SYS_PTRACE...
            - seccomp:deployments/lxkns/lxkns-seccomp.json
        cap_drop:
            - ALL
        cap_add:
            - SYS_ADMIN       # change namespaces
            - SYS_CHROOT      # change mount namespaces
            - SYS_PTRACE      # access nsfs namespace information
            - DAC_READ_SEARCH # for fully discovering bind-mounted namespaces
            - DAC_OVERRIDE    # for accessing the containerd API socket
        # We need the full PID view for correct scanning.
        pid: host
```
  • The composer file specifies to unconfine the deployed service w.r.t. AppArmor.
  • My service triggers this audit message, indicating that nerdctl's default AppArmor profile still gets applied: [40708.544657] audit: type=1400 audit(1627283465.367:1019): apparmor="DENIED" operation="ptrace" profile="nerdctl-default" pid=1147581 comm="lxkns" requested_mask="read" denied_mask="read" peer="unconfined"
  • The Seccomp profile shouldn't be of any concern, as there are no Seccomp-related audit messages and the service-specific profile actually is more restrictive than the default profile (well, should be unless nerdctl has put a skeleton into the Seccomp closet).

Shouldn't nerdctl compose unconfine my service?

thediveo avatar Jul 26 '21 07:07 thediveo
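As an added example in Go (nerdctl's own language), not code from nerdctl or from the commenter: a parser for the `security_opt` entries above in both the `key=value` and legacy `key:value` spellings, plus a check of the quoted AppArmor audit line against the profile that was requested, which is how one would confirm the mismatch reported here. Type and function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SecurityOpts holds parsed --security-opt values (names are this example's own, not nerdctl's).
type SecurityOpts struct {
	AppArmor string   // profile name, "unconfined", or "" when not requested
	Seccomp  string   // profile path or "unconfined"
	Label    []string // SELinux label options such as "type:container_t"
}

// ParseSecurityOpts accepts "key=value" and the legacy "key:value" spelling used in the
// compose file above; splitting on the first '=' or ':' keeps SELinux label colons intact.
func ParseSecurityOpts(opts []string) (SecurityOpts, error) {
	var so SecurityOpts
	for _, o := range opts {
		idx := strings.IndexAny(o, "=:")
		if idx < 0 {
			return so, fmt.Errorf("invalid security option %q", o)
		}
		switch key, val := o[:idx], o[idx+1:]; key {
		case "apparmor":
			so.AppArmor = val
		case "seccomp":
			so.Seccomp = val
		case "label":
			so.Label = append(so.Label, val)
		default:
			return so, fmt.Errorf("unsupported security option key %q", key)
		}
	}
	return so, nil
}

var deniedProfile = regexp.MustCompile(`apparmor="DENIED".*?profile="([^"]+)"`)

// ProfileMismatch extracts the profile named in an AppArmor DENIED audit line and reports
// whether it contradicts the request: "" means the runtime default is expected, while
// "unconfined" means no enforced profile should show up in a denial at all.
func ProfileMismatch(so SecurityOpts, auditLine string) (applied string, mismatch bool) {
	m := deniedProfile.FindStringSubmatch(auditLine)
	if m == nil {
		return "", false // not an AppArmor denial
	}
	applied = m[1]
	return applied, so.AppArmor == "unconfined" || (so.AppArmor != "" && applied != so.AppArmor)
}
```

Feeding the compose list and the audit line from the comment above into these two functions yields `applied == "nerdctl-default"` with `mismatch == true`.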

(oh, and SELinux support for setting the context (elements) would be great too!)

thediveo avatar Jul 26 '21 07:07 thediveo

Hi guys, any news about SELinux support?

alegrey91 avatar Dec 30 '21 23:12 alegrey91

Related to https://github.com/runfinch/finch/issues/192, I think it would be great if nerdctl could support SELinux, but also ignore any such settings on macOS where they would not be applicable.

stmcginnis avatar Jan 30 '23 18:01 stmcginnis

I'm interested in implementing this @AkihiroSuda, is it free for grabs?

arnaldo2792 avatar Aug 07 '23 23:08 arnaldo2792

@arnaldo2792 Feel free to have a try.

yuchanns avatar Aug 08 '23 03:08 yuchanns

Ok, I started to work on it :+1:

arnaldo2792 avatar Aug 27 '23 20:08 arnaldo2792

I'm still going through this, it took me some time to configure a reliable setup and understand what docker/containerd-cri do when SecurityOpt is set to label:<>. I have a better understanding now, I should have something soon-ish to be reviewed, since I'm mostly working on my free time :+1:

arnaldo2792 avatar Sep 10 '23 20:09 arnaldo2792