AppArmor and SELinux in Docker Security
AppArmor and SELinux are the two Linux security modules (LSMs) most often used to harden Docker containers. Both implement mandatory access control (MAC) inside the kernel, so they add a layer of confinement on top of the namespaces, cgroups and capability restrictions that Docker already applies: a process that misbehaves inside a container still runs into policy limits. This guide explains the role each module plays in Docker security, with sample code and explanations.
What is AppArmor?
AppArmor is a Linux security module that provides mandatory access control (MAC) for individual programs. It confines a program by path: a profile lists the files the program may read, write or execute, the capabilities it may use and the network operations it may perform, and any access the profile does not grant (or explicitly denies) is refused by the kernel regardless of the ordinary file permissions.
What is SELinux?
SELinux (Security-Enhanced Linux) is a Linux security module that also provides MAC, but it is label-based rather than path-based. Every process and file carries a security context (a label), and the loaded SELinux policy defines which labelled processes may perform which operations on which labelled objects. Because the decision depends on labels rather than paths, a file keeps its protection even when it is renamed or mounted somewhere else.
Role of AppArmor in Docker Security
AppArmor adds a layer of confinement to Docker containers on hosts where it is enabled (Debian and Ubuntu, for example). The Docker daemon generates and loads a default profile, docker-default, which every container receives unless you select another one; it blocks actions such as writing to most of /proc and /sys or mounting filesystems. For tighter, application-specific restrictions you can write a custom profile, load it into the kernel with apparmor_parser, and attach it to a container with --security-opt apparmor=<profile-name>.
Example: Creating a Custom AppArmor Profile
# tunables/global defines @{PROC} and the other variables used below
#include <tunables/global>

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  # abstractions/base grants the basics every program needs (shared libraries, /dev/null, ...)
  #include <abstractions/base>

  network inet tcp,
  network inet udp,
  network inet icmp,

  deny network raw,
  deny network packet,

  file,
  umount,

  deny /bin/** wl,
  deny /boot/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /home/** wl,
  deny /lib/** wl,
  deny /lib64/** wl,
  deny /media/** wl,
  deny /mnt/** wl,
  deny /opt/** wl,
  deny /proc/** wl,
  deny /root/** wl,
  deny /sbin/** wl,
  deny /srv/** wl,
  deny /tmp/** wl,
  deny /sys/** wl,
  deny /usr/** wl,

  audit /** w,

  /var/run/nginx.pid w,

  /usr/sbin/nginx ix,

  deny /bin/dash mrwklx,
  deny /bin/sh mrwklx,
  deny /usr/bin/top mrwklx,

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,   # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,   # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
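A small profile evaluator, added here as an example (it is not Docker's or AppArmor's code and only approximates the kernel's matcher): it parses the path rules of the profile above, translates AppArmor globbing into regexes and reports whether a given access on a path is denied, which makes visible that a deny rule always beats the broad `file,` grant, so the container may execute /usr/sbin/nginx but not /bin/sh. It assumes the rule subset embedded in PROFILE, ignores capability, network and include lines, and models `file,` as rwlkmx on every path.

```python
import re

# Subset of the docker-nginx profile above in its real syntax; the bare `file,`
# grant is modelled here as allowing rwlkmx on every path (a simplification).
PROFILE = """
file,
deny /etc/** wl,
deny /proc/** wl,
deny /usr/** wl,
/var/run/nginx.pid w,
/usr/sbin/nginx ix,
deny /bin/sh mrwklx,
deny @{PROC}/sysrq-trigger rwklx,   # trailing comments are legal in profiles
deny /sys/fs/cg[^r]*/** wklx,
"""
RULE_RE = re.compile(r"^(deny\s+)?([/@]\S*)\s+([a-z]+),(?:\s*#.*)?$")
GLOB_TOKENS = {"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def _token(m: re.Match) -> str:
    t = m.group(0)
    if t == "**":
        return ".*"
    if t.startswith("["):                 # character class, copied verbatim
        return t
    return GLOB_TOKENS.get(t, re.escape(t))

def glob_to_regex(pattern: str) -> re.Pattern:
    """AppArmor globbing to regex: '**' crosses '/', '*' and '?' do not; @{PROC} is /proc."""
    pattern = pattern.replace("@{PROC}", "/proc")
    return re.compile(re.sub(r"\*\*|\[[^\]]*\]|.", _token, pattern) + r"\Z")

def parse_rules(text: str) -> list:
    """Return (is_deny, path_regex, mode_letters) for each file rule in text."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "file,":
            rules.append((False, re.compile(r"/.*\Z"), set("rwlkmx")))
        elif m := RULE_RE.match(line):
            rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))))
    return rules

def check(rules: list, path: str, access: str) -> str:
    """Decide one access letter (r, w, x, ...) on path: a matching deny always wins."""
    hits = [deny for deny, rx, modes in rules if access in modes and rx.match(path)]
    if any(hits):
        return "deny"
    return "allow" if hits else "no rule"

RULES = parse_rules(PROFILE)
```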
Role of SELinux in Docker Security
On hosts that run SELinux (Fedora, RHEL and their derivatives, for example), Docker labels each container process and the files it creates so that the host policy can separate containers from the host and from one another: every container runs in a confined process type with its own multi-category (MCS) label, so one container cannot read or write another container's files even when both run as root. Docker applies these labels only when the daemon runs with SELinux support enabled (the --selinux-enabled daemon flag, or "selinux-enabled": true in /etc/docker/daemon.json); the commands below then control how strictly the policy is enforced.
Example: Enabling SELinux for Docker Containers
sudo setenforce 1                      # put the host into enforcing mode (getenforce shows the current mode)
sudo semanage permissive -a docker_t   # debugging aid, not hardening: exempts the docker_t domain from enforcement, so its denials are only logged; remove the exemption again with the -d option once the policy works
Conclusion
AppArmor and SELinux play a crucial role in Docker security by providing an additional layer of protection and isolation for Docker containers. By using AppArmor and SELinux, you can ensure that your containers operate in a secure environment, with fine-grained control over the permissions and restrictions.