
List:       apparmor-dev
Subject:    Re: [apparmor] Apparmor and Docker - capabilities and network flags not working
From:       werner_kienzler <werner_kienzler () protonmail ! com>
Date:       2022-05-23 6:42:25
Message-ID: e5Y9KWb_GwZTxM2j4gJIZ4LzLUvQgiWxD7ZdkugVhCM20e6GPj7Boh6C1vPtODRwz92VT3YaBiBM8xBc47dZGOlxefYeBoJG_VUHFRO0Tp0= () protonmail ! com

Hello,

I just sent you the profile to your private E-Mail. I don't want to clutter the Mailing List here and don't send it to the Mailing List.

Werner




Sent with a secure email from ProtonMail.
------- Original Message -------
John Johansen <john.johansen@canonical.com> wrote on Monday, 23 May 2022 at 5:11 AM:


> On 5/22/22 06:43, werner_kienzler wrote:
>
> > Hello,
> >
> > > is docker using user namespaces, or network namespaces?
> > > Good question - I didn't enable "user namespace isolation" in the docker daemon (so I don't set "userns-remap" in "/etc/docker/daemon.json"), so I assume I'm using network namespaces? But I don't have deeper knowledge in this topic - should I run some test here or configure something?
>
>
> I need to do some digging on the docker side before I can say what configs you need to look at or tests for you to run.
>
> > > What is your kernel version? And do you have any non-upstream patches on it.
> > > I use an up to date kernel of my distro, which is 5.17.9. It is 100% vanilla and has no patches applied to it.
>
>
> Can you dump the loaded profile and send it to me? Basically
>
> sudo cat /sys/kernel/security/apparmor/policy/profiles/docker-nginx.*/raw_data > /tmp/raw_profile
>
>
> where * is going to match some unique number and send me the raw_profile file. This will let me pick out how the parser is compiling the profile which will help with figuring out why network deny is not working.
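The dump step described in the quoted message, as an added example that is not part of the thread: a POSIX shell function that writes one file per matching policy directory, so that a glob matching two loaded versions of the profile does not silently concatenate both `raw_data` blobs into a single unusable file. The function name, the optional policy-root argument and the per-directory `name`/`mode`/`raw_data` layout are assumptions made here; check them against your kernel's apparmorfs before relying on them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the apparmorfs layout
# /sys/kernel/security/apparmor/policy/profiles/<name>.<id>/ with the files
# "name", "mode" and "raw_data" in each profile directory (an assumption
# about the kernel interface; verify on the target kernel).

# dump_raw_profiles PREFIX OUTDIR [POLICY_ROOT]
#   Copies OUTDIR/<name>.<id>.raw for every loaded profile directory whose
#   basename is PREFIX followed by a dot and an id. Prints the number of
#   dumps written on stdout; returns 1 when nothing matched.
#   POLICY_ROOT defaults to the live apparmorfs and is overridable so the
#   function can be exercised against a constructed directory tree.
dump_raw_profiles() {
    prefix=$1
    outdir=$2
    root=${3:-/sys/kernel/security/apparmor/policy}
    count=0
    mkdir -p "$outdir" || return 1
    for dir in "$root"/profiles/"$prefix".*/; do
        # An unmatched glob stays literal; the existence check skips it.
        [ -e "$dir/raw_data" ] || continue
        base=$(basename "$dir")
        # One output file per directory: `cat .../PREFIX.*/raw_data > f`
        # would glue several compiled blobs together if the glob matched
        # more than one loaded version.
        cp "$dir/raw_data" "$outdir/$base.raw" || return 1
        printf '%s (mode=%s) -> %s\n' \
            "$(cat "$dir/name" 2>/dev/null)" \
            "$(cat "$dir/mode" 2>/dev/null)" \
            "$outdir/$base.raw" >&2
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || return 1
    echo "$count"
}

# Usage on a live system (needs root to read apparmorfs):
#   sudo sh -c '. ./dump.sh; dump_raw_profiles docker-nginx /tmp/raw_profiles'
```

If the function reports more than one dump, the stale and the current compilation of the profile are both loaded and you should send the one whose `mode` file shows the expected state.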
