apparmor profile

Issue

No network connectivity from container. Journal shows:

audit: type=1400 audit(1634036792.582:254): apparmor="DENIED" operation="create" profile="docker-default" pid=32133 comm="ping" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"

Reason: default docker-default app armor profile is applied. File doesn't exists in /etc/apparmor.d/ so it cannot be disabled. To workaround this issue, needs to create file:

/etc/apparmor.d/docker-default

#include <tunables/global>
 
    profile docker-default flags=(attach_disconnected, mediate_deleted) {
 
      #include <abstractions/base>
 
      ptrace peer=@{profile_name},
 
      network,
      capability,
      file,
      umount,
 
      deny @{PROC}/* w,  # deny write for all files directly in /proc (not in a subdir)
      # deny write to files not in /proc/<number>/** or /proc/sys/**
      deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
      deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
      deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
      deny @{PROC}/sysrq-trigger rwklx,
      deny @{PROC}/kcore rwklx,
      deny @{PROC}/mem rwklx,
      deny @{PROC}/kmem rwklx,
 
      deny mount,
 
      deny /sys/[^f]*/** wklx,
      deny /sys/f[^s]*/** wklx,
      deny /sys/fs/[^c]*/** wklx,
      deny /sys/fs/c[^g]*/** wklx,
      deny /sys/fs/cg[^r]*/** wklx,
      deny /sys/firmware/** rwklx,
      deny /sys/kernel/security/** rwklx,
    }

and then switch profile to complain mode or disable it (aa-disable docker-default)

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

apparmor profile

Issue