bane

Custom & better AppArmor profile generator for Docker containers.

AppArmor profile generator for Docker containers. The point is a better AppArmor
profile than the one you would write by hand, because who would ever do that.

"Reviewing AppArmor profile pull requests is the bane of my existence"

  • Jess Frazelle

Installation

Binaries

For installation instructions from binaries please visit the Releases Page.

Via Go

$ go get github.com/genuinetools/bane

Usage

$ bane -h
bane -  Custom AppArmor profile generator for docker containers

Usage: bane <command>

Flags:

  -d            enable debug logging (default: false)
  -profile-dir  directory for saving the profiles (default: /etc/apparmor.d/containers)

Commands:

  version  Show the version information.

Config File

sample.toml is an AppArmor sample config for nginx in a container.
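The sample config itself is linked from the original README rather than reproduced on this page. What follows is an added example in the same layout, written for this page and not copied from the repository. The section and key names (Name, Filesystem with ReadOnlyPaths, LogOnWritePaths, WritablePaths, AllowExec and DenyExec, Network with Raw, Packet and Protocols, Capabilities with Allow and Deny) are bane's config format as recalled here and should be checked against the repository's sample.toml; the "docker-" prefix on the profile name, and every path and capability listed, are assumptions chosen to match the nginx demo below.

```toml
# Added example in bane's sample.toml layout, not the repository's own file.
# Key names follow bane's config format as recalled here (verify against the
# repo's sample.toml); the paths and capabilities are assumptions for the
# stock nginx image used in the demo.

# Profile name. bane is assumed to prefix it with "docker-", which is how the
# docker run commands below end up referencing docker-nginx-sample.
Name = "nginx-sample"

[Filesystem]
# Everything the image ships is read-only; "**" matches in or below the dir.
ReadOnlyPaths = [
	"/bin/**",
	"/boot/**",
	"/dev/**",
	"/etc/**",
	"/home/**",
	"/lib/**",
	"/lib64/**",
	"/media/**",
	"/mnt/**",
	"/opt/**",
	"/proc/**",
	"/root/**",
	"/sbin/**",
	"/srv/**",
	"/tmp/**",
	"/sys/**",
	"/usr/**",
]

# Writes here are allowed but logged (apparmor="AUDIT" records in dmesg), so
# you can see what the workload really touches before tightening WritablePaths.
LogOnWritePaths = [
	"/**",
]

# Writes nginx legitimately needs. /var/cache/nginx/** was added after reading
# the audit records; keep this list as short as the workload allows.
WritablePaths = [
	"/var/run/nginx.pid",
	"/var/cache/nginx/**",
]

# Binaries the container may exec: nginx itself and nothing else.
AllowExec = [
	"/usr/sbin/nginx",
]

# Explicit denials; this is why sh, dash and top fail in the demo below.
DenyExec = [
	"/bin/dash",
	"/bin/sh",
	"/usr/bin/top",
]

[Network]
# No raw sockets: this is what makes ping report a missing raw-socket privilege.
Raw = false
# No packet sockets either.
Packet = false
# Protocol families the profile permits.
Protocols = [
	"tcp",
	"udp",
	"icmp",
]

[Capabilities]
# nginx starts as root, drops privileges to its worker user and binds port 80.
Allow = [
	"chown",
	"dac_override",
	"setuid",
	"setgid",
	"net_bind_service",
]
# Capabilities to deny explicitly in the generated profile, so the intent is
# visible to whoever reviews the config.
Deny = [
	"sys_admin",
	"sys_module",
	"sys_ptrace",
	"net_raw",
]
```

Start with LogOnWritePaths covering everything and WritablePaths nearly empty, run the real workload, then move only the paths that show up in the audit records into WritablePaths; a profile you cannot explain line by line is one you cannot review.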

File Globbing

| Glob Example | Description |
| ------------- | ------------- |
| /dir/file | match a specific file |
| /dir/* | match any file in a directory (including dot files) |
| /dir/a* | match any file in a directory starting with a |
| /dir/*.png | match any file in a directory ending with .png |
| /dir/[^.]* | match any file in a directory except dot files |
| /dir/ | match a directory |
| /dir/*/ | match any directory within /dir/ |
| /dir/a*/ | match any directory within /dir/ starting with a |
| /dir/*a/ | match any directory within /dir/ ending with a |
| /dir/** | match any file or directory in or below /dir/ |
| /dir/**/ | match any directory in or below /dir/ |
| /dir/**[^/] | match any file in or below /dir/ |
| /dir{,1,2}/** | match any file or directory in or below /dir/, /dir1/, and /dir2/ |

Installing a Profile

Now that we have our config file from above let's install it. bane writes the
generated profile into the profile directory (-profile-dir, default
/etc/apparmor.d/containers/) and loads it with apparmor_parser, which is why it
has to run as root.

$ sudo bane sample.toml
# Profile installed successfully you can now run the profile with
# `docker run --security-opt="apparmor:docker-nginx-sample"`

# now let's run nginx
$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx

Using custom AppArmor profiles has never been easier!

Now let's try to do malicious activities with the sample profile:

$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash
root@6da5a2a930b9:~# ping 8.8.8.8
ping: Lacking privilege for raw socket.

root@6da5a2a930b9:/# top
bash: /usr/bin/top: Permission denied

root@6da5a2a930b9:~# touch ~/thing
touch: cannot touch 'thing': Permission denied

root@6da5a2a930b9:/# sh
bash: /bin/sh: Permission denied

root@6da5a2a930b9:/# dash
bash: /bin/dash: Permission denied

Sample dmesg output when using LogOnWritePaths. Note that these are
apparmor="AUDIT" records: the writes were allowed and logged, not blocked. A
write the profile actually refuses shows up as apparmor="DENIED" instead.

[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
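As an added example (not part of bane or the original README), here is a small POSIX shell helper that triages kernel log lines like the ones above. It extracts every path a given profile was logged writing to (apparmor="AUDIT" with a requested_mask containing w or c) and renders them as a TOML array you can paste into WritablePaths, and separately counts apparmor="DENIED" records, which are the profile blocking something. The sample lines are constructed inside the block: the first five mirror the dmesg output above, the final DENIED exec line is made up to show the other record type. The WritablePaths key name is bane's; the function names and everything else are this example's own.

```sh
#!/bin/sh
# Added example, not part of bane: turn AppArmor "AUDIT" records from dmesg
# into a candidate WritablePaths list, and count "DENIED" records.

# Constructed sample input. The first five lines mirror the dmesg output in
# the README; the last line is made up to show what an exec denial looks like.
SAMPLE_AUDIT='[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1970.000000] type=1400 audit(1444369321.000:48): apparmor="DENIED" operation="exec" profile="docker-nginx" name="/bin/sh" pid=4001 comm="bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# audit_write_paths PROFILE: read audit lines on stdin and print each path the
# profile was logged writing to (apparmor="AUDIT", requested_mask has w or c),
# in first-seen order, without duplicates. STATUS and DENIED records are skipped.
audit_write_paths() {
    awk -v want="$1" '
        # key="value" -> value
        function unquote(s) { sub(/^[a-z_]+="/, "", s); sub(/"$/, "", s); return s }
        /apparmor="AUDIT"/ {
            p = ""; n = ""; m = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^profile="/) p = unquote($i)
                if ($i ~ /^name="/) n = unquote($i)
                if ($i ~ /^requested_mask="/) m = unquote($i)
            }
            # Fields are split on whitespace, so a name= containing a space
            # would be cut short; AppArmor paths in practice rarely do.
            if (p == want && n != "" && m ~ /[wc]/ && !seen[n]++) print n
        }'
}

# to_toml_array KEY: wrap the lines on stdin as a TOML array that can be
# pasted into the [Filesystem] section of the bane config.
to_toml_array() {
    printf '%s = [\n' "$1"
    while IFS= read -r path; do
        [ -n "$path" ] && printf '\t"%s",\n' "$path"
    done
    printf ']\n'
}

# denied_count PROFILE: number of DENIED records for the profile on stdin.
# grep -c exits 1 when nothing matches, so force a zero status.
denied_count() {
    grep -c "apparmor=\"DENIED\".*profile=\"$1\"" || true
}

# Stand-alone run on the constructed sample; on a real host feed it dmesg.
printf '%s\n' "$SAMPLE_AUDIT" | audit_write_paths docker-nginx | to_toml_array WritablePaths
printf 'denied records: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | denied_count docker-nginx)"
```

On the host, `dmesg | audit_write_paths docker-nginx-sample | to_toml_array WritablePaths` after exercising the container gives you the list to move out of LogOnWritePaths. If auditd is running, AppArmor records go to /var/log/audit/audit.log rather than the kernel ring buffer, so read that file instead; the field format is the same.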

What does the generated profile look like?

For the above sample.toml the generated profile is available as docker-nginx-sample.

Integration with Docker

This was originally a proof of concept for what will hopefully become a native
security profile in the Docker engine. For more information on this, see
docker/docker#17142.

Main metrics

Overview
Name With Owner: genuinetools/bane
Primary Language: Go
Program language: Go (Language Count: 3)
License: MIT License

Owner activity
Created At: 2015-10-08 23:45:49
Pushed At: 2020-09-17 20:10:45
Last Commit At: 2020-09-17 13:10:38
Release Count: 14
Last Release Name: v0.4.4 (Posted on 2019-11-19 21:34:53)
First Release Name: v0.1.0 (Posted on 2016-10-29 10:26:53)

User engagement
Stargazers Count: 1.2k
Watchers Count: 34
Fork Count: 88
Commits Count: 89
Issues Count: 7
Issue Open Count: 3
Pull Requests Count: 12
Pull Requests Open Count: 1
Pull Requests Close Count: 1