genuinetools / Bane

Licence: mit
Custom & better AppArmor profile generator for Docker containers.


bane


AppArmor profile generator for docker containers. Basically a better AppArmor profile than the one you would write by hand, because who would ever do that.

"Reviewing AppArmor profile pull requests is the bane of my existence"

    Jess Frazelle


Installation

Binaries

For installation instructions from binaries please visit the Releases Page.

Via Go

$ go get github.com/genuinetools/bane

With Go 1.17 or later, go get no longer builds and installs binaries; use go install github.com/genuinetools/bane@latest instead.

Usage

$ bane -h
bane -  Custom AppArmor profile generator for docker containers

Usage: bane <command>

Flags:

  -d            enable debug logging (default: false)
  -profile-dir  directory for saving the profiles (default: /etc/apparmor.d/containers)

Commands:

  version  Show the version information.

Config File

sample.toml in the repository is a sample AppArmor config for running nginx in a container. It is the config used in the examples below, and its LogOnWritePaths setting is what produces the audit records shown under the dmesg sample further down.

File Globbing

Paths in the config use AppArmor's globbing, which is not shell globbing: * matches any run of characters except / (a leading dot included), ** also crosses /, and a trailing / matches a directory rather than a file.

Glob              Matches
/dir/file         a specific file
/dir/*            any file in a directory (including dot files)
/dir/a*           any file in a directory starting with a
/dir/*.png        any file in a directory ending with .png
/dir/[^.]*        any file in a directory except dot files
/dir/             a directory
/dir/*/           any directory within /dir/
/dir/a*/          any directory within /dir/ starting with a
/dir/*a/          any directory within /dir/ ending with a
/dir/**           any file or directory in or below /dir/
/dir/**/          any directory in or below /dir/
/dir/**[^/]       any file in or below /dir/
/dir{,1,2}/**     any file or directory in or below /dir/, /dir1/, and /dir2/
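To check a config's globs against concrete paths before loading a profile, here is a small matcher, added as an example and not code from bane. It implements the table's semantics by translating each glob into an anchored regular expression (* to [^/]*, ** to .*, ? to [^/], character classes copied through, {a,b} to an alternation; nested braces are not handled). Directories are given with their trailing slash, as in the table. It is a reference for reasoning about rules, not the kernel's matcher: apparmor_parser compiles the real profile, and the name field of an audit record is the path you would feed it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// translate converts one AppArmor glob into unanchored regexp source.
// The semantics are AppArmor's, not the shell's:
//   *        any run of characters except '/', a leading '.' included
//   **       any run of characters, '/' included
//   ?        any single character except '/'
//   [abc]    character class; [^abc] is its negation
//   {a,b}    alternation; each branch may itself contain globs
// Nested braces are not handled by this translation.
func translate(glob string) (string, error) {
	var sb strings.Builder
	for i := 0; i < len(glob); i++ {
		c := glob[i]
		switch {
		case c == '*' && i+1 < len(glob) && glob[i+1] == '*':
			sb.WriteString(".*")
			i++ // consume the second '*'
		case c == '*':
			sb.WriteString("[^/]*")
		case c == '?':
			sb.WriteString("[^/]")
		case c == '[':
			end := strings.IndexByte(glob[i:], ']')
			if end < 0 {
				return "", fmt.Errorf("unterminated character class in %q", glob)
			}
			// A class body is already valid regexp syntax ([^.] stays [^.]).
			sb.WriteString(glob[i : i+end+1])
			i += end
		case c == '{':
			end := strings.IndexByte(glob[i:], '}')
			if end < 0 {
				return "", fmt.Errorf("unterminated alternation in %q", glob)
			}
			var alts []string
			for _, branch := range strings.Split(glob[i+1:i+end], ",") {
				r, err := translate(branch)
				if err != nil {
					return "", err
				}
				alts = append(alts, r)
			}
			sb.WriteString("(?:" + strings.Join(alts, "|") + ")")
			i += end
		default:
			sb.WriteString(regexp.QuoteMeta(glob[i : i+1]))
		}
	}
	return sb.String(), nil
}

// GlobToRegexp compiles a glob into an anchored regexp that must consume the
// whole path, so "/dir/*" cannot match "/dir/sub/file".
func GlobToRegexp(glob string) (*regexp.Regexp, error) {
	src, err := translate(glob)
	if err != nil {
		return nil, err
	}
	return regexp.Compile("^" + src + "$")
}

// Match reports whether path is covered by glob.
func Match(glob, path string) (bool, error) {
	re, err := GlobToRegexp(glob)
	if err != nil {
		return false, err
	}
	return re.MatchString(path), nil
}

func main() {
	// Constructed checks drawn from the glob table above.
	checks := []struct {
		glob, path string
		want       bool
	}{
		{"/dir/*", "/dir/.profile", true},      // dot files are not special
		{"/dir/*", "/dir/sub/file", false},     // '*' stops at '/'
		{"/dir/[^.]*", "/dir/.profile", false}, // class negation excludes dot files
		{"/dir/**/", "/dir/sub/deep/", true},   // any directory below /dir/
		{"/dir/**[^/]", "/dir/sub/deep/", false},
		{"/dir{,1,2}/**", "/dir2/etc/x", true},
		{"/dir{,1,2}/**", "/dir3/x", false},
	}
	for _, c := range checks {
		got, err := Match(c.glob, c.path)
		fmt.Printf("%-16s %-18s match=%v ok=%v err=%v\n", c.glob, c.path, got, got == c.want, err)
	}
}
```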

Installing a Profile

Now that we have our config file from above let's install it. bane writes the generated profile to /etc/apparmor.d/containers/ (change this with -profile-dir) and loads it into the kernel with apparmor_parser, which is why it has to run as root.

$ sudo bane sample.toml
# Profile installed successfully you can now run the profile with
# `docker run --security-opt="apparmor:docker-nginx-sample"`

# now let's run nginx
$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx

Two things are worth checking before relying on this. The profile only confines containers on hosts where it has been loaded, and container creation fails if the named profile is not loaded, so bane (or another loader) has to run on every host that will start the image. You can confirm the load with aa-status, and confirm that a running container is actually confined by inspecting its AppArmorProfile field with docker inspect or by reading /proc/1/attr/current from inside the container, which prints the profile name followed by its mode (enforce).

Using custom AppArmor profiles has never been easier!

Now let's try to do malicious activities with the sample profile:

$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash
root@container:~# ping 8.8.8.8
ping: Lacking privilege for raw socket.

root@container:/# top
bash: /usr/bin/top: Permission denied

root@container:/# touch ~/thing
touch: cannot touch 'thing': Permission denied

root@container:/# sh
bash: /bin/sh: Permission denied

root@container:/# dash
bash: /bin/dash: Permission denied

Each failure comes from the profile, not from the container's user, which is still root: the profile denies raw sockets so ping cannot open one, executing /usr/bin/top, /bin/sh and /bin/dash is denied outright, and root's home directory is not granted write access, so the touch fails.

Sample dmesg output when using LogOnWritePaths. The first record is apparmor_parser loading the profile (apparmor="STATUS"); the rest are writes the profile allowed but logged because they hit a LogOnWritePaths rule (apparmor="AUDIT"). An access the profile actually blocks is logged as apparmor="DENIED" instead, so when tuning a profile grep for DENIED to find what broke and for AUDIT to find where the workload writes:

[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"
[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0
[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0
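A small parser for these records, added here as an example and not part of bane, turns a dmesg dump into per-profile lists of audited and denied paths, so a LogOnWritePaths run can be reviewed and turned into an explicit allow list. The first five sample lines are copied from the output above; the DENIED line is constructed for contrast and is not from the page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Event is one AppArmor audit record in the form the kernel prints to dmesg.
type Event struct {
	Status    string // apparmor="...": STATUS, AUDIT, ALLOWED or DENIED
	Operation string // open, mkdir, chown, exec, ...
	Profile   string
	Name      string // path the operation touched
	Comm      string // process name
	Mask      string // denied_mask when present, otherwise requested_mask
	PID       string
}

// kv matches key="quoted value" and key=bare-value tokens.
var kv = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// ParseEvent turns one dmesg line into an Event. The bool is false for lines
// that carry no apparmor= field, so the parser can run over a raw dmesg dump.
func ParseEvent(line string) (Event, bool) {
	fields := map[string]string{}
	for _, m := range kv.FindAllStringSubmatch(line, -1) {
		if m[2] != "" {
			fields[m[1]] = m[2]
		} else {
			fields[m[1]] = m[3]
		}
	}
	status, ok := fields["apparmor"]
	if !ok {
		return Event{}, false
	}
	mask := fields["requested_mask"]
	if dm := fields["denied_mask"]; dm != "" {
		mask = dm
	}
	return Event{
		Status:    status,
		Operation: fields["operation"],
		Profile:   fields["profile"],
		Name:      fields["name"],
		Comm:      fields["comm"],
		Mask:      mask,
		PID:       fields["pid"],
	}, true
}

// Summarize groups the paths in a dmesg dump by profile. audited holds paths
// whose access was permitted but logged (apparmor="AUDIT" or "ALLOWED"), which
// is what LogOnWritePaths produces; denied holds paths the profile blocked.
// STATUS records (profile loads) are skipped. Each list is de-duplicated and
// sorted so it can be reviewed or pasted into a config.
func Summarize(lines []string) (audited, denied map[string][]string) {
	seenAudited := map[string]map[string]bool{}
	seenDenied := map[string]map[string]bool{}
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok {
			continue
		}
		switch ev.Status {
		case "AUDIT", "ALLOWED":
			record(seenAudited, ev.Profile, ev.Name)
		case "DENIED":
			record(seenDenied, ev.Profile, ev.Name)
		}
	}
	return flatten(seenAudited), flatten(seenDenied)
}

func record(m map[string]map[string]bool, profile, path string) {
	if m[profile] == nil {
		m[profile] = map[string]bool{}
	}
	m[profile][path] = true
}

func flatten(m map[string]map[string]bool) map[string][]string {
	out := map[string][]string{}
	for profile, paths := range m {
		for p := range paths {
			out[profile] = append(out[profile], p)
		}
		sort.Strings(out[profile])
	}
	return out
}

// SampleDmesg: the first five records are copied from the dmesg output above;
// the last one is constructed here to show what a blocked access looks like.
var SampleDmesg = []string{
	`[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"`,
	`[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
	`[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
	`[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0`,
	`[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0`,
	// constructed, not from the page: a read of /etc/shadow refused by the profile
	`[ 1970.101010] type=1400 audit(1444369321.050:48): apparmor="DENIED" operation="open" profile="docker-nginx" name="/etc/shadow" pid=3990 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`,
}

func main() {
	audited, denied := Summarize(SampleDmesg)
	for profile, paths := range audited {
		fmt.Printf("%s: logged writes (candidates for the profile's writable list)\n", profile)
		for _, p := range paths {
			fmt.Println("  ", p)
		}
	}
	for profile, paths := range denied {
		fmt.Printf("%s: denied accesses\n", profile)
		for _, p := range paths {
			fmt.Println("  ", p)
		}
	}
}
```

Run it against `dmesg` output or `/var/log/kern.log` on the host; the de-duplicated audited list is the set of paths the workload really writes, which is what the profile should grant explicitly once the LogOnWritePaths catch-all is removed.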

What does the generated profile look like?

For the above sample.toml the generated profile is available in the repository as docker-nginx-sample; reading it next to the config is the quickest way to see how each setting becomes an AppArmor rule.

Integration with Docker

This was originally a proof of concept for what will hopefully become a native security profile in the Docker engine. For more information on this, see docker/docker#17142.
