{"id":13416252,"url":"https://github.com/genuinetools/bane","last_synced_at":"2025-05-15T08:04:56.089Z","repository":{"id":57500774,"uuid":"43922256","full_name":"genuinetools/bane","owner":"genuinetools","description":"Custom \u0026 better AppArmor profile generator for Docker containers.","archived":false,"fork":false,"pushed_at":"2020-09-17T20:10:45.000Z","size":3420,"stargazers_count":1198,"open_issues_count":4,"forks_count":88,"subscribers_count":33,"default_branch":"master","last_synced_at":"2025-04-14T13:07:29.116Z","etag":null,"topics":["apparmor","apparmor-profile","cli","containers","docker","linux","opencontainers","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/genuinetools.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-10-08T23:45:49.000Z","updated_at":"2025-04-12T03:20:04.000Z","dependencies_parsed_at":"2022-08-26T07:01:53.644Z","dependency_job_id":null,"html_url":"https://github.com/genuinetools/bane","commit_stats":null,"previous_names":["jessfraz/bane","jfrazelle/bane"],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/genuinetools%2Fbane","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/genuinetools%2Fbane/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/genuinetools%2Fbane/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/genuinetools%2Fbane/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/genuinetools","download_url":"https://codel
oad.github.com/genuinetools/bane/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254301422,"owners_count":22047901,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apparmor","apparmor-profile","cli","containers","docker","linux","opencontainers","security"],"created_at":"2024-07-30T21:00:56.055Z","updated_at":"2025-05-15T08:04:56.060Z","avatar_url":"https://github.com/genuinetools.png","language":"Go","readme":"# bane\n\n[![make-all](https://github.com/genuinetools/bane/workflows/make%20all/badge.svg)](https://github.com/genuinetools/bane/actions?query=workflow%3A%22make+all%22)\n[![make-image](https://github.com/genuinetools/bane/workflows/make%20image/badge.svg)](https://github.com/genuinetools/bane/actions?query=workflow%3A%22make+image%22)\n[![GoDoc](https://img.shields.io/badge/godoc-reference-5272B4.svg?style=for-the-badge)](https://godoc.org/github.com/genuinetools/bane)\n[![Github All Releases](https://img.shields.io/github/downloads/genuinetools/bane/total.svg?style=for-the-badge)](https://github.com/genuinetools/bane/releases)\n\nAppArmor profile generator for docker containers. 
Basically a better AppArmor\nprofile than creating one by hand, because who would ever do that.\n\n\u003e \"Reviewing AppArmor profile pull requests is the _bane_ of my existence\"\n\u003e  - Jess Frazelle\n\n![bane](bane.jpg)\n\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n**Table of Contents**\n\n- [Installation](#installation)\n    - [Binaries](#binaries)\n    - [Via Go](#via-go)\n- [Usage](#usage)\n  - [Config File](#config-file)\n    - [File Globbing](#file-globbing)\n  - [Installing a Profile](#installing-a-profile)\n  - [What does the generated profile look like?](#what-does-the-generated-profile-look-like)\n  - [Integration with Docker](#integration-with-docker)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n## Installation\n\n#### Binaries\n\nFor installation instructions from binaries please visit the [Releases Page](https://github.com/genuinetools/bane/releases).\n\n#### Via Go\n\n```console\n$ go get github.com/genuinetools/bane\n```\n\n## Usage\n\n```console\n$ bane -h\nbane -  Custom AppArmor profile generator for docker containers\n\nUsage: bane \u003ccommand\u003e\n\nFlags:\n\n  -d            enable debug logging (default: false)\n  -profile-dir  directory for saving the profiles (default: /etc/apparmor.d/containers)\n\nCommands:\n\n  version  Show the version information.\n```\n\n### Config File\n\n[sample.toml](sample.toml) is an AppArmor sample config for nginx in a container.\n\n#### File Globbing\n\n| Glob Example  | Description |\n| ------------- | ------------- |\n| `/dir/file` |   match a specific file |\n| `/dir/*`        | match any files in a directory (including dot files) |\n| `/dir/a*`      | match any file in a directory starting with a |\n| `/dir/*.png`    | match any file in a directory ending with .png |\n| `/dir/[^.]*`   | match any file in a directory except 
dot files |\n| `/dir/`        | match a directory |\n| `/dir/*/`       | match any directory within /dir/ |\n| `/dir/a*/`     | match any directory within /dir/ starting with a |\n| `/dir/*a/`     | match any directory within /dir/ ending with a |\n| `/dir/**`       | match any file or directory in or below /dir/ |\n| `/dir/**/`     | match any directory in or below /dir/ |\n| `/dir/**[^/]`   | match any file in or below /dir/ |\n| `/dir{,1,2}/**` | match any file or directory in or below /dir/, /dir1/, and /dir2/ |\n\n### Installing a Profile\n\nNow that we have our config file from above let's install it. `bane` will\nautomatically install the profile in a directory\n`/etc/apparmor.d/containers/` and run `apparmor_parser`.\n\n```console\n$ sudo bane sample.toml\n# Profile installed successfully you can now run the profile with\n# `docker run --security-opt=\"apparmor:docker-nginx-sample\"`\n\n# now let's run nginx\n$ docker run -d --security-opt=\"apparmor:docker-nginx-sample\" -p 80:80 nginx\n```\n\nUsing custom AppArmor profiles has never been easier!\n\n**Now let's try to do malicious activities with the sample profile:**\n\n```console\n$ docker run --security-opt=\"apparmor:docker-nginx-sample\" -p 80:80 --rm -it nginx bash\nroot@6da5a2a930b9:~# ping 8.8.8.8\nping: Lacking privilege for raw socket.\n\nroot@6da5a2a930b9:/# top\nbash: /usr/bin/top: Permission denied\n\nroot@6da5a2a930b9:~# touch ~/thing\ntouch: cannot touch 'thing': Permission denied\n\nroot@6da5a2a930b9:/# sh\nbash: /bin/sh: Permission denied\n\nroot@6da5a2a930b9:/# dash\nbash: /bin/dash: Permission denied\n```\n\n\nSample `dmesg` output when using `LogOnWritePaths`:\n\n```\n[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor=\"STATUS\" operation=\"profile_replace\" profile=\"unconfined\" name=\"docker-nginx\" pid=3945 comm=\"apparmor_parser\"\n[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor=\"AUDIT\" operation=\"open\" profile=\"docker-nginx\" name=\"/1\" pid=3985 
comm=\"nginx\" requested_mask=\"c\" fsuid=0 ouid=0\n[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor=\"AUDIT\" operation=\"mkdir\" profile=\"docker-nginx\" name=\"/var/cache/nginx/client_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"c\" fsuid=0 ouid=0\n[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor=\"AUDIT\" operation=\"chown\" profile=\"docker-nginx\" name=\"/var/cache/nginx/client_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"w\" fsuid=0 ouid=0\n[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor=\"AUDIT\" operation=\"mkdir\" profile=\"docker-nginx\" name=\"/var/cache/nginx/proxy_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"c\" fsuid=0 ouid=0\n[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor=\"AUDIT\" operation=\"chown\" profile=\"docker-nginx\" name=\"/var/cache/nginx/proxy_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"w\" fsuid=0 ouid=0\n[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor=\"AUDIT\" operation=\"mkdir\" profile=\"docker-nginx\" name=\"/var/cache/nginx/fastcgi_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"c\" fsuid=0 ouid=0\n[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor=\"AUDIT\" operation=\"chown\" profile=\"docker-nginx\" name=\"/var/cache/nginx/fastcgi_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"w\" fsuid=0 ouid=0\n[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor=\"AUDIT\" operation=\"mkdir\" profile=\"docker-nginx\" name=\"/var/cache/nginx/uwsgi_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"c\" fsuid=0 ouid=0\n[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor=\"AUDIT\" operation=\"chown\" profile=\"docker-nginx\" name=\"/var/cache/nginx/uwsgi_temp/\" pid=3985 comm=\"nginx\" requested_mask=\"w\" fsuid=0 ouid=0\n```\n\n\n### What does the generated profile look like?\n\nFor the above `sample.toml` the generated profile is available as [docker-nginx-sample](docker-nginx-sample).\n\n### Integration with Docker\n\nThis was originally a 
proof of concept for what will hopefully become a native\nsecurity profile in the Docker engine. For more information on this, see\n[docker/docker#17142](https://github.com/docker/docker/issues/17142).\n","funding_links":[],"categories":["Container Operations","DevSecOps","Go","Dependency intelligence","Security","工具","Tools","security","cli"],"sub_categories":["Security","Service meshes","其他工具","Others"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgenuinetools%2Fbane","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgenuinetools%2Fbane","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgenuinetools%2Fbane/lists"}