genuinetools / bane

Custom & better AppArmor profile generator for Docker containers.

License: MIT License

Go 47.93% Makefile 47.60% Dockerfile 4.47%
docker apparmor-profile apparmor containers linux cli security opencontainers

bane

AppArmor profile generator for Docker containers. Basically a better AppArmor profile than creating one by hand, because who would ever do that.

"Reviewing AppArmor profile pull requests is the bane of my existence"

  -- Jess Frazelle


Installation

Binaries

For installation instructions from binaries please visit the Releases Page.

Via Go

$ go get github.com/genuinetools/bane

Usage

$ bane -h
bane -  Custom AppArmor profile generator for docker containers

Usage: bane <command>

Flags:

  -d            enable debug logging (default: false)
  -profile-dir  directory for saving the profiles (default: /etc/apparmor.d/containers)

Commands:

  version  Show the version information.

Config File

sample.toml is an AppArmor sample config for nginx in a container.

File Globbing

| Glob example    | Description                                                          |
|-----------------|----------------------------------------------------------------------|
| /dir/file       | match a specific file                                                |
| /dir/*          | match any files in a directory (including dot files)                 |
| /dir/a*         | match any file in a directory starting with a                        |
| /dir/*.png      | match any file in a directory ending with .png                       |
| /dir/[^.]*      | match any file in a directory except dot files                       |
| /dir/           | match a directory                                                    |
| /dir/*/         | match any directory within /dir/                                     |
| /dir/a*/        | match any directory within /dir/ starting with a                     |
| /dir/*a/        | match any directory within /dir/ ending with a                       |
| /dir/**         | match any file or directory in or below /dir/                        |
| /dir/**/        | match any directory in or below /dir/                                |
| /dir/**[^/]     | match any file in or below /dir/                                     |
| /dir{,1,2}/**   | match any file or directory in or below /dir/, /dir1/, and /dir2/    |
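To see how these globs behave against concrete paths, here is an added Go example (not bane's own code and not part of the README) that translates a glob written in the table's notation into an anchored regular expression and matches paths against it. It assumes the semantics the table describes: `*` stops at `/`, `**` crosses it, `[^.]` is a character class and `{,1,2}` is alternation; `GlobToRegexp` and `Match` are names chosen here. Directories are written with a trailing slash, as in the table, so `/dir/` and `/dir/file` are distinct inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GlobToRegexp translates an AppArmor-style path glob into an anchored Go regexp.
// Assumed semantics (those the README's table describes; this is an added helper,
// not bane's matcher):
//   *      any run of characters not containing '/'
//   **     any run of characters, '/' included
//   ?      a single character other than '/'
//   [...]  a character class, with [^...] negation
//   {a,b}  alternation, as in /dir{,1,2}
func GlobToRegexp(glob string) (*regexp.Regexp, error) {
	var b strings.Builder
	b.WriteString("^")
	rs := []rune(glob)
	depth := 0 // nesting depth of {...} groups
	for i := 0; i < len(rs); i++ {
		switch c := rs[i]; c {
		case '*':
			if i+1 < len(rs) && rs[i+1] == '*' {
				b.WriteString(".*") // ** crosses directory boundaries
				i++
			} else {
				b.WriteString("[^/]*") // * stays inside one path component
			}
		case '?':
			b.WriteString("[^/]")
		case '[':
			j := i + 1
			for j < len(rs) && rs[j] != ']' {
				j++
			}
			if j == len(rs) {
				return nil, fmt.Errorf("unterminated character class in %q", glob)
			}
			// RE2 uses the same [...] and [^...] syntax, so the class is copied as-is.
			b.WriteString("[" + string(rs[i+1:j]) + "]")
			i = j
		case '{':
			depth++
			b.WriteString("(?:")
		case ',':
			if depth > 0 {
				b.WriteString("|") // comma inside braces separates alternatives
			} else {
				b.WriteString(",")
			}
		case '}':
			if depth == 0 {
				return nil, fmt.Errorf("unbalanced '}' in %q", glob)
			}
			depth--
			b.WriteString(")")
		default:
			b.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	if depth != 0 {
		return nil, fmt.Errorf("unterminated '{' in %q", glob)
	}
	b.WriteString("$")
	return regexp.Compile(b.String())
}

// Match reports whether path matches glob under the semantics above.
func Match(glob, path string) (bool, error) {
	re, err := GlobToRegexp(glob)
	if err != nil {
		return false, err
	}
	return re.MatchString(path), nil
}

func main() {
	// Constructed sample paths, exercised against globs taken from the table.
	paths := []string{"/dir/", "/dir/file", "/dir/.hidden", "/dir/a.png", "/dir/sub/", "/dir/sub/deep", "/dir2/x"}
	for _, g := range []string{"/dir/*", "/dir/[^.]*", "/dir/**", "/dir/**/", "/dir/**[^/]", "/dir{,1,2}/**"} {
		var hits []string
		for _, p := range paths {
			if ok, _ := Match(g, p); ok {
				hits = append(hits, p)
			}
		}
		fmt.Printf("%-16s %v\n", g, hits)
	}
}
```

Running it prints, for each glob, the subset of the sample paths it matches; the useful thing to notice is how `/dir/**`, `/dir/**/` and `/dir/**[^/]` carve the same tree into "everything", "directories only" and "files only", which is the distinction you rely on when a profile should allow creating files under a directory but not new subdirectories.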

Installing a Profile

Now that we have our config file from above, let's install it. bane automatically writes the profile into /etc/apparmor.d/containers/ (the -profile-dir default) and loads it with apparmor_parser.

$ sudo bane sample.toml
# Profile installed successfully you can now run the profile with
# `docker run --security-opt="apparmor:docker-nginx-sample"`

# now let's run nginx
$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx

Using custom AppArmor profiles has never been easier!

Now let's try to do malicious activities with the sample profile:

$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash
root@6da5a2a930b9:~# ping 8.8.8.8
ping: Lacking privilege for raw socket.

root@6da5a2a930b9:/# top
bash: /usr/bin/top: Permission denied

root@6da5a2a930b9:~# touch ~/thing
touch: cannot touch 'thing': Permission denied

root@6da5a2a930b9:/# sh
bash: /bin/sh: Permission denied

root@6da5a2a930b9:/# dash
bash: /bin/dash: Permission denied

Sample dmesg output when using LogOnWritePaths:

[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
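The AUDIT lines above are what you read back to decide which paths should move from LogOnWritePaths into WritablePaths once you are confident the writes are legitimate. The following added Go example (not part of the README and not bane's code) parses those sample lines into structured records and lists the paths for which the docker-nginx profile saw write-type requests; `AuditEvent`, `ParseLog` and `WritePaths` are names chosen here, and the embedded sample text is the dmesg output quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// SampleDmesg is the LogOnWritePaths output quoted in the README, embedded so
// the example runs offline.
const SampleDmesg = `[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
`

// AuditEvent is one parsed AppArmor kernel audit record.
type AuditEvent struct {
	Uptime    float64 // seconds since boot, from the dmesg prefix
	Kind      string  // STATUS, AUDIT or DENIED
	Operation string  // open, mkdir, chown, ...
	Profile   string  // the confining profile
	Name      string  // the path the operation touched
	PID       int
	Comm      string
	Mask      string // requested_mask, e.g. "c", "w", "r"
}

var (
	prefixRe = regexp.MustCompile(`^\[\s*([0-9.]+)\]`)
	kvRe     = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)
)

// ParseLine turns one dmesg line into an AuditEvent; ok is false for lines
// that carry no apparmor= field.
func ParseLine(line string) (ev AuditEvent, ok bool) {
	if m := prefixRe.FindStringSubmatch(line); m != nil {
		ev.Uptime, _ = strconv.ParseFloat(m[1], 64)
	}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		val := m[2] // quoted value, or
		if val == "" {
			val = m[3] // bare value such as pid=3985
		}
		switch m[1] {
		case "apparmor":
			ev.Kind, ok = val, true
		case "operation":
			ev.Operation = val
		case "profile":
			ev.Profile = val
		case "name":
			ev.Name = val
		case "comm":
			ev.Comm = val
		case "requested_mask":
			ev.Mask = val
		case "pid":
			ev.PID, _ = strconv.Atoi(val)
		}
	}
	return ev, ok
}

// ParseLog parses every AppArmor record in a block of dmesg text.
func ParseLog(text string) []AuditEvent {
	var events []AuditEvent
	for _, line := range strings.Split(text, "\n") {
		if ev, ok := ParseLine(line); ok {
			events = append(events, ev)
		}
	}
	return events
}

// WritePaths returns the sorted, de-duplicated paths for which the given
// profile logged a write-type request (w=write, a=append, c=create, d=delete).
func WritePaths(events []AuditEvent, profile string) []string {
	seen := map[string]bool{}
	for _, e := range events {
		if e.Kind != "AUDIT" || e.Profile != profile || !strings.ContainsAny(e.Mask, "wacd") {
			continue
		}
		seen[e.Name] = true
	}
	paths := make([]string, 0, len(seen))
	for p := range seen {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	return paths
}

func main() {
	// Emit the logged paths in the shape of a WritablePaths entry for review.
	fmt.Println("WritablePaths = [")
	for _, p := range WritePaths(ParseLog(SampleDmesg), "docker-nginx") {
		fmt.Printf("\t%q,\n", p)
	}
	fmt.Println("]")
}
```

The STATUS line is skipped because its profile is "unconfined" and its name is the profile being loaded, not a path. The printed list is a review candidate, not something to paste blindly: the four /var/cache/nginx/*_temp/ directories are clearly nginx's own scratch space, whereas an entry like "/1" deserves a look before it is allowed.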

What does the generated profile look like?

For the above sample.toml the generated profile is available as docker-nginx-sample.

Integration with Docker

This was originally a proof of concept for what will hopefully become a native security profile in the Docker engine. For more information on this, see docker/docker#17142.

bane's People

Contributors: azillion, deedubs, djtm, github-actions[bot], jessfraz, kennethlimcp, konstruktoid, michaelcontento, toc-me[bot]


bane's Issues

Add more sample .toml files

Hi @jessfraz,
I'm working on an AppArmor profile for my Django webapp. I use compose to start my environment, but I want to restrict each container (db, queue, mailserver, ....) more than the docker-default AppArmor profile does. As the db container (postgres) is a standard container, I think it would be possible to restrict this container more than the default profile does.
Maybe it would be nice for the future to include some more examples for different applications, for example postgres_example.toml?
Or is there a source where I could get some example AppArmor configurations for different applications?
Do you have an overview of all parameters to create a .toml file?

Sorry for creating an issue - but I don't have a Twitter account.
Greetings

whitelisting TCP bindings

Is it possible to only allow certain port bindings? The "network" section is not very configurable in the example.

If there are more examples I am happy to look at those.

bane -v

I just installed bane with go get github.com/jessfraz/bane and bane -v returns "bane version , build".

I'm using Ubuntu 16.04

Proposal: Syntax for whitelisting approach

Hi,

First, thanks for this tool.
Now, I'm trying to lock down my containers as much as possible. They are very simple and I would like to do something like:

...

[Filesystem]
ReadOnlyPaths = [
	"/**"
]

LogOnWritePaths = [
	"/**"
]

WritablePaths = [
	"/dev/shm/nginx.pid"
]

AllowExec = [
	"/usr/sbin/nginx"
]

# denied executable files
DenyExec = [
	"/**"
]

...

But this does not work. I know the AppArmor syntax makes this approach hard, but do you think it will be possible to implement this approach?
Maybe use those kinds of strange rules/regexes in AppArmor: /dev/{?,??,[^s][^h][^m]**}?

What do you think?

installation guide and procedure to generate profile

Hi jessfraz, I am new to Docker and AppArmor. After a long search I was able to find a profile generator, but I am unable to understand the procedure in the readme file. Can you please create a step-by-step guide and also explain how to generate a profile for a service running in a container using bane, and even how to install bane.

security-opt in Dockerfile?

I am trying to add the "security-opt" option in a Docker build file (Dockerfile); do we have any INSTRUCTION for that?

I am using the stack.Yaml file in Docker Swarm to deploy the services, which doesn't support the security-opt feature in swarm. If I want to use AppArmor and seccomp profiles in swarm, is there any way to use them?

Issue with Bane

I have issues with Bane. Using your own example...

sudo bane sample.toml
Ok

docker run -d --security-opt="apparmor:docker-nginx-sample" --name nginx_run -p 80:80 nginx
docker container ls
Ok

docker exec -i -t nginx_run bash
OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "process_linux.go:86: executing setns process caused \"exit status 21\"": unknown

I'm using...

BANE
baneversion

DOCKER
dockerversion

UBUNTU
ubuntuversion

Thanks!
