Here is my Dockerfile:
FROM ubuntu:14.04
RUN apt-get update
RUN apt-get install -y software-properties-common
RUN apt-get install -y python-software-properties
RUN add-apt-repository ppa:chris-lea/node.js
RUN apt-get update
RUN apt-get install -y nodejs
# Step 7 in the build output: this is where the policy-rc.d messages appear
RUN apt-get install -y apparmor-profiles
RUN apt-get install -y apparmor-utils
ADD server.js /folder1/
# the profile for /usr/bin/nodejs shown below
ADD usr.bin.nodejs /etc/apparmor.d/
# Step 11 in the build output: this is where the securityfs mount fails
RUN service apparmor reload
CMD node /folder1/server.js
Here is usr.bin.nodejs:
#include <tunables/global>
/usr/bin/nodejs {
  #include <abstractions/base>
  # the interpreter itself: read and mmap
  /usr/bin/nodejs mr,
  # the application entry point: read only
  /folder1/server.js r,
  # the repo tree: read, append, link, lock, mmap and inherit-execute
  /folder1/repo/** ralkmix,
  network,
}
I run sudo docker build -t scadge/test-one . to build this image. On Step 7 (RUN apt-get install -y apparmor-profiles) I get red messages: invoke-rc.d: policy-rc.d denied execution of start and invoke-rc.d: policy-rc.d denied execution of reload. Also, on Step 11 (RUN service apparmor reload) I get the following:
* Reloading AppArmor profiles
* Mounting securityfs on /sys/kernel/security...
mount: permission denied
...fail!
...fail!
...and sure enough, the AppArmor profiles are not working. So how do I make AppArmor work in Docker? I would also like to add that all of this works fine on my desktop Ubuntu 14.04, downloaded from the official site.
First, a disclaimer. You don't want to do this!
Because reloading AppArmor profiles in the container reloads them in the host!
This is because the Docker container shares the running Linux kernel with the host.
The container itself is already confined using the /etc/apparmor.d/docker profile, BTW.
Now, if you're really sure you want to load the host AppArmor profiles from the container...
The problem is kind of obvious: AppArmor can't mount the securityfs.
You can enable the mount by using the --privileged option.
You can also enable it with the SYS_ADMIN capability:
docker run --cap-add=SYS_ADMIN debian:jessie sh -c 'mount -t securityfs none /mnt && echo Done!'
If you use the SYS_ADMIN option then you'd have to edit the /etc/apparmor.d/docker profile on the host and comment out all the deny lines involving the /sys/kernel branch.
Again, this is most probably not something you want to do.
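A small check script, added here as an example and not part of the question or the answer above, that reports what AppArmor actually sees from inside a container: whether the shared host kernel has AppArmor enabled, whether securityfs is mounted (the mount that fails in the question), and which profile confines the current process. The default paths are the kernel's own interfaces; each function also accepts an alternative file so it can be tried on constructed input.

```shell
#!/bin/sh
# Added example (not from the original question or answer): inspect the
# AppArmor state visible from inside a container before trying to reload
# profiles. Functions take the file they read as an optional argument.

# Is the AppArmor LSM enabled in the (shared) host kernel?
# Prints "enabled", "disabled" or "absent" (interface missing, e.g. a kernel
# built without AppArmor).
apparmor_state() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    if [ ! -r "$f" ]; then echo absent; return; fi
    case "$(cat "$f")" in
        Y) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Is securityfs mounted? Prints "yes" or "no". Reads /proc/self/mounts by
# default; a mounted securityfs shows up as a line whose fstype is securityfs.
securityfs_mounted() {
    f="${1:-/proc/self/mounts}"
    if grep -q ' securityfs ' "$f" 2>/dev/null; then echo yes; else echo no; fi
}

# Which profile confines this process? Docker applies its own profile
# (docker-default, or /etc/apparmor.d/docker on older packages) to the whole
# container; "unconfined" means no profile at all. Reads
# /proc/self/attr/current by default, whose format is "<profile> (<mode>)".
current_profile() {
    f="${1:-/proc/self/attr/current}"
    if [ ! -r "$f" ]; then echo unknown; return; fi
    sed -e 's/ (.*)$//' "$f" | tr -d '\n'
}

# Summary for the reader; reloading profiles only makes sense when AppArmor is
# enabled, securityfs is mounted and you are not already confined by a profile.
report() {
    echo "apparmor:   $(apparmor_state)"
    echo "securityfs: $(securityfs_mounted)"
    echo "profile:    $(current_profile)"
}

report
```

Run inside the container with sh; a typical Docker container reports apparmor enabled, securityfs no, and the profile Docker applied, which is exactly why the reload in the Dockerfile above cannot work.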