https://github.com/genuinetools/bane

Custom & better AppArmor profile generator for Docker containers.
https://github.com/genuinetools/bane

apparmor apparmor-profile cli containers docker linux opencontainers security

Last synced: 18 days ago
JSON representation

Custom & better AppArmor profile generator for Docker containers.

• Host: GitHub
• URL: https://github.com/genuinetools/bane
• Owner: genuinetools
• License: mit
• Created: 2015-10-08T23:45:49.000Z (over 8 years ago)
• Default Branch: master
• Last Pushed: 2020-09-17T20:10:45.000Z (over 3 years ago)
• Last Synced: 2024-05-04T03:07:21.527Z (19 days ago)
• Topics: apparmor, apparmor-profile, cli, containers, docker, linux, opencontainers, security
• Language: Go
• Homepage:
• Size: 3.26 MB
• Stars: 1,147
• Watchers: 34
• Forks: 84
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Lists

• awesome-linux-containers - bane
• awesome-eks - Bane - Custom & better AppArmor profile generator for Docker containers. (Security)
• awesome-docker-security - bane - Custom & better AppArmor profile generator for Docker containers. (Tools / Others)
• awesome-docker - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome-cybersecurity-blueteam - Bane - Custom and better AppArmor profile generator for Docker containers. (DevSecOps / Service meshes)
• awesome-repositories - genuinetools/bane - Custom & better AppArmor profile generator for Docker containers. (Go)
• awesome-cybersecurity-blueteam - Bane - Custom and better AppArmor profile generator for Docker containers. (DevSecOps / Service meshes)
• awesome-software-supply-chain-security - genuinetools/bane: Custom & better AppArmor profile generator for Docker containers.
• awesome-docker - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome-docker-docs - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome-list-docker - bane
• awesome-blueteam - Bane - Custom and better AppArmor profile generator for Docker containers. (DevSecOps / Service meshes)
• awesome-stars - bane
• awesome-docker - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome-stars - genuinetools/bane - Custom & better AppArmor profile generator for Docker containers. (Go)
• awesome-docker-clone - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome-docker - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome-docker - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome - bane - Custom & better AppArmor profile generator for Docker containers. (Go)
• awesome-docker - bane - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools] (Container Operations / Security)
• awesome-stars - genuinetools/bane - Custom & better AppArmor profile generator for Docker containers. (security)

README

        
# bane

[![make-all](https://github.com/genuinetools/bane/workflows/make%20all/badge.svg)](https://github.com/genuinetools/bane/actions?query=workflow%3A%22make+all%22)

[![make-image](https://github.com/genuinetools/bane/workflows/make%20image/badge.svg)](https://github.com/genuinetools/bane/actions?query=workflow%3A%22make+image%22)

[![GoDoc](https://img.shields.io/badge/godoc-reference-5272B4.svg?style=for-the-badge)](https://godoc.org/github.com/genuinetools/bane)

[![Github All Releases](https://img.shields.io/github/downloads/genuinetools/bane/total.svg?style=for-the-badge)](https://github.com/genuinetools/bane/releases)

AppArmor profile generator for docker containers. Basically a better AppArmor

profile, than creating one by hand, because who would ever do that.

> "Reviewing AppArmor profile pull requests is the _bane_ of my existence"

>  - Jess Frazelle

![bane](bane.jpg)

**Table of Contents**

- [Installation](#installation)

    - [Binaries](#binaries)

    - [Via Go](#via-go)

- [Usage](#usage)

  - [Config File](#config-file)

    - [File Globbing](#file-globbing)

  - [Installing a Profile](#installing-a-profile)

  - [What does the generated profile look like?](#what-does-the-generated-profile-look-like)

  - [Integration with Docker](#integration-with-docker)

## Installation

#### Binaries

For installation instructions from binaries please visit the [Releases Page](https://github.com/genuinetools/bane/releases).

#### Via Go

```console

$ go get github.com/genuinetools/bane

```

## Usage

```console

$ bane -h

bane -  Custom AppArmor profile generator for docker containers

Usage: bane 

Flags:

  -d            enable debug logging (default: false)

  -profile-dir  directory for saving the profiles (default: /etc/apparmor.d/containers)

Commands:

  version  Show the version information.

```

### Config File

[sample.toml](sample.toml) is a AppArmor sample config for nginx in a container.

#### File Globbing

| Glob Example  | Description |

| ------------- | ------------- |

| `/dir/file` |   match a specific file |

| `/dir/*`        | match any files in a directory (including dot files) |

| `/dir/a*`      | match any file in a directory starting with a |

| `/dir/*.png`    | match any file in a directory ending with .png |

| `/dir/[^.]*`   | match any file in a directory except dot files |

| `/dir/`        | match a directory |

| `/dir/*/`       | match any directory within /dir/ |

| `/dir/a*/`     | match any directory within /dir/ starting with a |

| `/dir/*a/`     | match any directory within /dir/ ending with a |

| `/dir/**`       | match any file or directory in or below /dir/ |

| `/dir/**/`     | match any directory in or below /dir/ |

| `/dir/**[^/]`   | match any file in or below /dir/ |

| `/dir{,1,2}/**` | match any file or directory in or below /dir/, /dir1/, and /dir2/ |

### Installing a Profile

Now that we have our config file from above let's install it. `bane` will

automatically install the profile in a directory

`/etc/apparmor.d/containers/` and run `apparmor_parser`.

```console

$ sudo bane sample.toml

# Profile installed successfully you can now run the profile with

# `docker run --security-opt="apparmor:docker-nginx-sample"`

# now let's run nginx

$ docker run -d --security-opt="apparmor:docker-nginx-sample" -p 80:80 nginx

```

Using custom AppArmor profiles has never been easier!

**Now let's try to do malicious activities with the sample profile:**

```console

$ docker run --security-opt="apparmor:docker-nginx-sample" -p 80:80 --rm -it nginx bash

root@6da5a2a930b9:~# ping 8.8.8.8

ping: Lacking privilege for raw socket.

root@6da5a2a930b9:/# top

bash: /usr/bin/top: Permission denied

root@6da5a2a930b9:~# touch ~/thing

touch: cannot touch 'thing': Permission denied

root@6da5a2a930b9:/# sh

bash: /bin/sh: Permission denied

root@6da5a2a930b9:/# dash

bash: /bin/dash: Permission denied

```

Sample `dmesg` output when using `LogOnWritePaths`:

```

[ 1964.142128] type=1400 audit(1444369315.090:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-nginx" pid=3945 comm="apparmor_parser"

[ 1966.620327] type=1400 audit(1444369317.570:39): apparmor="AUDIT" operation="open" profile="docker-nginx" name="/1" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0

[ 1966.624381] type=1400 audit(1444369317.574:40): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0

[ 1966.624446] type=1400 audit(1444369317.574:41): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/client_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0

[ 1966.624463] type=1400 audit(1444369317.574:42): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0

[ 1966.624494] type=1400 audit(1444369317.574:43): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/proxy_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0

[ 1966.624507] type=1400 audit(1444369317.574:44): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0

[ 1966.624534] type=1400 audit(1444369317.574:45): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/fastcgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0

[ 1966.624546] type=1400 audit(1444369317.574:46): apparmor="AUDIT" operation="mkdir" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="c" fsuid=0 ouid=0

[ 1966.624582] type=1400 audit(1444369317.574:47): apparmor="AUDIT" operation="chown" profile="docker-nginx" name="/var/cache/nginx/uwsgi_temp/" pid=3985 comm="nginx" requested_mask="w" fsuid=0 ouid=0

```

### What does the generated profile look like?

For the above `sample.toml` the generated profile is available as [docker-nginx-sample](docker-nginx-sample).

### Integration with Docker

This was originally a proof of concept for what will hopefully become a native

security profile in the Docker engine. For more information on this, see

[docker/docker#17142](https://github.com/docker/docker/issues/17142).