Automatic AppArmor management for Docker containers
To use docker-sec simply use docker commands by appending the suffix -sec. For example to start a new container run the following command:
docker-sec run --name safe-nginx -p 80:80 nginxTo use the profile training feature of docker-sec user can do the following:
docker-sec train-start safe-nginx
#browse nginx pages...
docker-sec train-stop safe-nginxAt this point the containers runs with an Apparmor profile generated based on the permissions required during the training period. To get more information about the container and the profiles associated run:
docker-sec run safe-nginxTo install docker-sec, first of all AppArmor must be installed and enabled. Also, auditd must be installed in system. For Debian based systems run:
sudo apt-get install auditd audispd-pluginsAs a next step, clone docker-sec from github and move contents of folder profiles to /etc/apparmor.d. Once done, add usr.bin.docker-runc in kernel in enforce mode using the following command:
sudo aa-enforce /etc/apparmor.d/usr.bin.docker-runcFinally docker-sec script should be added to PATH environment variable.
Docker-sec is ready to protect your containers!
Please note that dokcer-sec has been tested with the following versions (on amd64):
- Ubuntu: 16.04.02 LTS using kernel 4.4 (4.4.0-66-generic)
- Docker: 1.12.6 (Client & Server), API Version: 1.24, Build from commit 78d1802 (dpkg package: docker 1.5-1 -amd64)
- Runtime: runc 1.0.0-rc2-dev
- Storage driver: aufs
- Apparmor: 2.10.95
- auditd: 1:2.4.5-1ubuntu2
Apache License v2.0 (see LICENSE file for more information)