Optionally disable AppArmor on docker daemon via config flag


Levi B

Jan 14, 2016, 10:11:38 AM
to docker-dev
Hey folks, I've got a small feature proposal I'd like to discuss. Currently, docker daemon always loads the default AppArmor profile when AppArmor is enabled on the host.

I need a config flag that will allow me to disable this behavior, similar to the existing --selinux-enabled flag.

My use case is that I'm already running a custom AppArmor profile at the host level across multiple docker pids, which prevents the docker AppArmor profile from loading. This prevents any containers from starting with a "permission denied" error.

After digging into the code base yesterday, it appears that this change would consist of the following:
  1. Add config setting similar to the EnableSelinuxSupport flag (https://github.com/docker/docker/blob/557c7cb888ad8e2f1f378c9cf34e5fba14551904/daemon/config_unix.go#L62)
  2. Create a new method to check if AppArmor is enabled that accounts for both the new config flag, and the existing IsEnabled() method (https://github.com/docker/docker/blob/557c7cb888ad8e2f1f378c9cf34e5fba14551904/vendor/src/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go#L16-L24)
  3. Replace calls in the code to IsEnabled() with calls to the new method

Thoughts/concerns?

Jessie Frazelle

Jan 14, 2016, 10:38:27 AM
to Levi B, docker-dev
We do not provide a flag because if you can turn it off you are doing yourself a disservice. What are you gaining by managing your own apparmor profiles and not passing them with --security-opt to the containers yourself? It seems odd that you would manage it yourself and risk child processes not falling under the same profile in, say, a docker exec.
--
You received this message because you are subscribed to the Google Groups "docker-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to docker-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Levi B

Jan 14, 2016, 11:42:51 AM
to docker-dev, levi.bl...@gmail.com
Unfortunately --security-opt is not an option in our setup. We are providing docker as a service, meaning that each user has a docker daemon nested inside an LXC container with our custom AppArmor profile applied. This layer of policy enforcement needs to be in effect regardless of the settings a user chooses for a container.

Can you provide some background/context on the --selinux-enabled flag? Is there a reason you would want to include that but not a --apparmor-enabled flag?

Jessie Frazelle

Jan 14, 2016, 11:53:29 AM
to Levi B, docker-dev
Selinux is not running by default on most setups, for docker we wanted
apparmor to be on by default so it is secure by default. If you have
to turn security off by default, no one will turn it back on ;)

Why are you using LXC and not the userns support in docker itself
(this is assuming you are only using LXC for userns)

Jessie Frazelle

Jan 14, 2016, 11:54:39 AM
to Levi B, docker-dev
The problem I have with this is that no one has _needed_ to turn off
apparmor for all containers since we added the default profile over a
year ago, so adding the feature now would only allow people to make
themselves susceptible to harm.

Levi B

Jan 14, 2016, 12:13:54 PM
to docker-dev, levi.bl...@gmail.com
Oh yeah, understand that concern completely. :) My proposal would be to leave AppArmor on by default and simply add the option to disable it if you know what you're doing. I'd include appropriately stern warnings in the docs as to the security implications.

We're using LXC because we're provisioning the user environments using OpenStack, so relying on docker alone is a nonstarter for us.

Levi B

Jan 21, 2016, 4:28:12 PM
to docker-dev, levi.bl...@gmail.com
Bumping this thread. Are you opposed to including an optional (disabled by default) flag to turn off AppArmor?

Khaled AbuShqear

Jun 21, 2019, 5:04:18 PM
to docker-dev
It's been 4 years since this thread finished and there is still no option to turn off bad apparmor. I spent two days trying to find a way to disable apparmor for docker in particular, and I'm very frustrated at not finding such an option, just like selinux-enabled!
I'd like to disable apparmor permanently, but unfortunately it's required by other important tools, so I simply can't.
I want to make my machine susceptible to harm; hackers are welcome to mess with my machine, that's okay with me. You should give people the options and let them take the risk on themselves!
I know there is a security option to change the profile, but putting an additional option in every command to make them work normally? That doesn't make sense!