  • Language
    Go
  • License
    MIT License
  • Created about 9 years ago
  • Updated about 4 years ago

Custom & better AppArmor profile generator for Docker containers.

bane

AppArmor profile generator for Docker containers. Basically a better AppArmor profile than creating one by hand, because who would ever do that.

"Reviewing AppArmor profile pull requests is the bane of my existence"

  • Jess Frazelle

Installation

Binaries

For installation instructions from binaries please visit the Releases Page.

Via Go

$ go get github.com/genuinetools/bane

Usage

$ bane -h
bane -  Custom AppArmor profile generator for docker containers

Usage: bane <command>

Flags:

  -d            enable debug logging (default: false)
  -profile-dir  directory for saving the profiles (default: /etc/apparmor.d/containers)

Commands:

  version  Show the version information.

Config File

sample.toml is an AppArmor sample config for nginx in a container.

File Globbing

Glob Example    Description
/dir/file       match a specific file
/dir/*          match any files in a directory (including dot files)
/dir/a*         match any file in a directory starting with a
/dir/*.png      match any file in a directory ending with .png
/dir/[^.]*      match any file in a directory except dot files
/dir/           match a directory
/dir/*/         match any directory within /dir/
/dir/a*/        match any directory within /dir/ starting with a
/dir/*a/        match any directory within /dir/ ending with a
/dir/**         match any file or directory in or below /dir/
/dir/**/        match any directory in or below /dir/
/dir/**[^/]     match any file in or below /dir/
/dir{,1,2}/**   match any file or directory in or below /dir/, /dir1/, and /dir2/
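To see how these glob rules resolve against concrete paths, here is an added example (not bane's code) that translates an AppArmor glob into a Python regex following the table's semantics: `*` stops at `/` but includes dot files, `**` crosses `/`, `[^x]` is a one-character class and `{a,b}` is alternation. The sample paths are constructed for the demonstration.

```python
import re

def apparmor_glob_to_regex(glob):
    """Translate an AppArmor path glob into a Python regex, following the table:
    '*' = any run of chars except '/' (dot files included), '**' = any run
    including '/', '[...]' / '[^...]' = one-char class, '{a,b}' = alternation."""
    out, i, depth, in_class = [], 0, 0, False
    while i < len(glob):
        c = glob[i]
        if in_class:                      # copy the class body through to ']'
            out.append(c)
            in_class = c != "]"
        elif c == "[":
            in_class = True
            out.append(c)
        elif glob.startswith("**", i):    # '**' crosses directory boundaries
            out.append(".*")
            i += 1
        elif c == "*":                    # '*' stays within one path component
            out.append("[^/]*")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:          # ',' is alternation only inside {}
            out.append("|")
        else:
            out.append(re.escape(c))      # anything else is a literal
        i += 1
    return "".join(out)

def matches(glob, path):
    """AppArmor compares the whole path, so use fullmatch rather than search."""
    return re.fullmatch(apparmor_glob_to_regex(glob), path) is not None

TABLE_CHECKS = [  # constructed sample paths per table row, with expected outcome
    ("/dir/*",        "/dir/.hidden",   True),   # dot files are included
    ("/dir/*",        "/dir/sub/file",  False),  # '*' does not cross '/'
    ("/dir/[^.]*",    "/dir/.hidden",   False),  # class excludes dot files
    ("/dir/**/",      "/dir/sub/deep/", True),   # directories at any depth
    ("/dir/**[^/]",   "/dir/sub/deep/", False),  # files only, never a dir
    ("/dir{,1,2}/**", "/dir2/a/b",      True),   # brace alternation
]

def check_table():
    """Rows whose result disagrees with the expectation; empty list means all agree."""
    return [(g, p) for g, p, want in TABLE_CHECKS if matches(g, p) != want]
```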

Installing a Profile

Now that we have our config file from above, let's install it. bane will automatically install the profile into the directory /etc/apparmor.d/containers/ (or the one given with -profile-dir) and run apparmor_parser to load it.

$ sudo bane sample.toml
# Profile installed successfully you can now run the profile with
# `docker run --security-opt="apparmor:docker-nginx-sample"`

# now let's run nginx
$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx

Using custom AppArmor profiles has never been easier!

Now let's try to do malicious activities with the sample profile:

$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash
root@6da5a2a930b9:~# ping 8.8.8.8
ping: Lacking privilege for raw socket.

root@6da5a2a930b9:/# top
bash: /usr/bin/top: Permission denied

root@6da5a2a930b9:~# touch ~/thing
touch: cannot touch 'thing': Permission denied

root@6da5a2a930b9:/# sh
bash: /bin/sh: Permission denied

root@6da5a2a930b9:/# dash
bash: /bin/dash: Permission denied

Sample dmesg output when using LogOnWritePaths:

[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
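Each AUDIT record above carries the accessed path in name= and the access type in requested_mask=, which is the raw material for deciding what a tightened profile should allow. As an added example (not part of bane), the parser below reduces such dmesg output to the paths each profile touched, grouped by outcome; the sample input copies records from the excerpt above and adds one invented DENIED record so both kinds appear.

```python
import re
from collections import defaultdict

# Constructed sample input: the first four records are copied from the dmesg
# excerpt on this page; the final DENIED record is invented (not from the page)
# so that the summary shows a blocked access next to the audited writes.
SAMPLE_DMESG = """\
[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1970.000000] type=1400 audit(1444369321.000:50): apparmor="DENIED" operation="exec" profile="docker-nginx" name="/bin/sh" pid=4001 comm="bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def summarize(text):
    """Group records as {profile: {outcome: {path: {"operation:mask", ...}}}}.

    STATUS records describe profile loads, not file accesses, so they are skipped.
    """
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["apparmor"] == "STATUS":
            continue
        op = f'{rec["operation"]}:{rec.get("requested_mask", "")}'
        summary[rec["profile"]][rec["apparmor"]][rec["name"]].add(op)
    return summary

def written_paths(text, profile):
    """Sorted paths the profile wrote to (mask has c/w/a/d): the candidates to
    review when deciding what a tightened profile should allow."""
    paths = set()
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["profile"] == profile and rec["apparmor"] != "STATUS" \
                and set(rec.get("requested_mask", "")) & set("cwad"):
            paths.add(rec["name"])
    return sorted(paths)
```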

What does the generated profile look like?

For the above sample.toml the generated profile is available as docker-nginx-sample.

Integration with Docker

This was originally a proof of concept for what will hopefully become a native security profile in the Docker engine. For more information on this, see docker/docker#17142.
