Open soharaki opened 3 years ago
Seccomp was implemented in #12, AppArmor was implemented in 3e9a754ea082a5fc8fee8c91b265231348f6e03b.
We also need to support SELinux (`--security-opt label`).
@AkihiroSuda mentions that apparmor support has been implemented. Unfortunately, deploying my lxkns discovery service using the existing docker-compose.yaml fails; seemingly the security option from the compose file doesn't get applied?
Admittedly, this might have been composed in infosec theory hell 😁:
```yaml
version: '2.4'
services:
  lxkns:
    image: lxkns:latest
    read_only: true
    build:
      context: ../..
      dockerfile: deployments/lxkns/Dockerfile
    command:
      - "/lxkns"
      - "--initialcgroup"
      - "--docker=unix:///proc/1/root/run/docker.sock"
      - "--containerd=/proc/1/root/run/containerd/containerd.sock"
    ports:
      - "5010:5010"
    user: "65534"
    security_opt:
      # apparmor only accepts a profile name, which must have been loaded
      # by the system admin. You might want to use the lxkns-apparmor
      # profile to be found in this directory.
      - apparmor:unconfined #- apparmor:lxkns
      # Please note that Docker's default container seccomp profile is
      # adaptive: it allows all those syscalls for which the process has
      # matching capabilities. In consequence, this Docker default seccomp
      # profile thus does not interfere with lxkns. However, we still want
      # to slightly curb the unneeded parts of the powers bestowed upon us
      # by especially CRAP_SYS_ADMIN and CAP_SYS_PTRACE...
      - seccomp:deployments/lxkns/lxkns-seccomp.json
    cap_drop:
      - ALL
    cap_add:
      - SYS_ADMIN # change namespaces
      - SYS_CHROOT # change mount namespaces
      - SYS_PTRACE # access nsfs namespace information
      - DAC_READ_SEARCH # for fully discovering bind-mounted namespaces
      - DAC_OVERRIDE # for accessing the containerd API socket
    # We need the full PID view for correct scanning.
    pid: host
```
```
[40708.544657] audit: type=1400 audit(1627283465.367:1019): apparmor="DENIED" operation="ptrace" profile="nerdctl-default" pid=1147581 comm="lxkns" requested_mask="read" denied_mask="read" peer="unconfined"
```

`nerdctl` has put a skeleton into the Seccomp closet). Shouldn't `nerdctl compose` unconfine my service?
(Oh, and SELinux support for setting the context (elements) would be great too!)
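The audit denial quoted above names the profile actually enforced (`nerdctl-default`) while the compose file asked for `apparmor:unconfined`. As an added illustration, not code from this thread or from nerdctl, the following Python check parses kernel AppArmor audit lines and reports DENIED events where the enforcing profile differs from what the compose `security_opt` list requested; the function names are my own, and the second sample line is constructed.

```python
import re
from typing import Dict, List, Optional

# key="value" / key=value pairs and the audit(<epoch>:<serial>) header of kernel AppArmor lines.
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_HDR = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')

def parse_apparmor_audit(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor audit line, or None for any other line."""
    if 'apparmor=' not in line:
        return None
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_PAIR.finditer(line)}
    hdr = AUDIT_HDR.search(line)
    if hdr:
        fields.update(hdr.groupdict())
    return fields

def expected_apparmor(security_opt: List[str]) -> Optional[str]:
    """Profile name requested by a compose security_opt list; a trailing '# ...' is a YAML comment."""
    for entry in security_opt:
        entry = entry.split('#', 1)[0].strip()
        if entry.startswith('apparmor:'):
            return entry.split(':', 1)[1]
    return None

def profile_mismatches(lines: List[str], security_opt: List[str], comm: str) -> List[str]:
    """DENIED events for process `comm` whose enforcing profile differs from the requested one."""
    want = expected_apparmor(security_opt)
    findings = []
    for ev in map(parse_apparmor_audit, lines):
        if not ev or ev.get('apparmor') != 'DENIED' or ev.get('comm') != comm:
            continue
        got = ev.get('profile', '')
        if want is not None and got != want:
            findings.append(f"pid {ev.get('pid')} {comm}: {ev.get('operation')} denied by "
                            f"profile '{got}', but compose requested '{want}'")
    return findings

# security_opt entries exactly as written in the compose file quoted above.
COMPOSE_SECURITY_OPT = ["apparmor:unconfined #- apparmor:lxkns",
                        "seccomp:deployments/lxkns/lxkns-seccomp.json"]
# First line is the denial quoted above; the second is a constructed non-DENIED line that must be ignored.
SAMPLE_AUDIT = [
    '[40708.544657] audit: type=1400 audit(1627283465.367:1019): apparmor="DENIED" '
    'operation="ptrace" profile="nerdctl-default" pid=1147581 comm="lxkns" '
    'requested_mask="read" denied_mask="read" peer="unconfined"',
    '[40709.000000] audit: type=1400 audit(1627283466.000:1020): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="nerdctl-default" pid=1 comm="apparmor_parser"',
]
```

Calling `profile_mismatches(SAMPLE_AUDIT, COMPOSE_SECURITY_OPT, 'lxkns')` yields exactly one finding for the quoted denial, and none once the requested profile matches the enforced one.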
Hi guys, any news about SELinux support?
Related to https://github.com/runfinch/finch/issues/192, I think it would be great if nerdctl could support SELinux, but also ignore any such settings on macOS where they would not be applicable.
I'm interested in implementing this @AkihiroSuda, is it free for grabs?
@arnaldo2792 Feel free to have a try.
Ok, I started to work on it :+1:
I'm still going through this; it took me some time to configure a reliable setup and understand what docker/containerd-cri do when `SecurityOpt` is set to `label:<>`. I have a better understanding now, and I should have something soon-ish to be reviewed, since I'm mostly working on this in my free time :+1:
Add the security options to `nerdctl run`.

- [x] Seccomp security profiles for Docker
- [x] AppArmor security profiles for Docker