Using RAppArmor inside a Docker container

[skranz]

Hi Jeroen,

I use RAppArmor and its eval.secure function in a shiny app in which users can eval arbirtry R code. Now I would like to put the shiny app inside a Docker container, but I did not manage to make AppArmor and RAppArmor run inside the container. Do you perhaps have a hint how to make it work?

The Docker container extends rocker/rstudio, which allows to access rstudio-server inside the container, which is nice for testing purposes. The whole container is based on Debian. I run all commands inside the container (using RStudio and its shell). My user has sudo rights.

The following commands from the RAppArmor README work without problems

sudo apt-get install -y libapparmor-dev apparmor-utils
install.packages("RAppArmor")
#Install the profiles
cd /usr/local/lib/R/site-library/RAppArmor/
sudo cp -Rf profiles/debian/* /etc/apparmor.d/

But then I get errors. Here are the commands I have run from the R console in RStudio:

> system("sudo service apparmor restart")
Reloading AppArmor profiles:Mounting securityfs on /sys/kernel/security...
mount: permission denied
failed.
 failed!
> system("aa-status")
apparmor module is loaded.
apparmor filesystem is not mounted.

So apparmor seems loaded but there is some mount problem

> library(RAppArmor)
Loading required package: tools
AppArmor LSM is enabled.
Current profile: docker-default (enforce mode)

So somehow there is a docker-default profile loaded.

> RAppArmor::aa_change_profile("testprofile")
Switching profiles...
Error in doTryCatch(return(expr), name, parentenv, handler) : 
  The specified profile or hat does not exist
In addition: Warning message:
In stop(errmsg, call. = FALSE) : additional arguments ignored in stop()

This testprofile exists in etc/apparmor.d/rapparmor.d inside the container, but apparmor seems not aware of it because sudo service apparmor restart failed.

I tried some other commands to load the profiles, but they did not seem to work either...

> system("sudo invoke-rc.d apparmor reload")
invoke-rc.d: policy-rc.d denied execution of reload.
> system("sudo apparmor_parser -r /etc/apparmor.d/rapparmor.d/testprofile")
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

[skranz]

Update: I searched a bit more in the web and found this related question:

http://stackoverflow.com/questions/25533666/cannot-reload-or-start-apparmor-in-docker

I managed to make RAppArmor work inside my container by running the container with the flag --privileged. I then called inside the container the commands (could probably alternatively be put in the dockerfile)

sudo apt-get install -y libapparmor-dev apparmor-utils
install.packages("RAppArmor")
#Install the profiles
cd /usr/local/lib/R/site-library/RAppArmor/
sudo cp -Rf profiles/debian/* /etc/apparmor.d/

and then restarting apparmor with the command:

sudo /etc/init.d/apparmor restart

(The command sudo service apparmor restart did not work as well). Of course, having a privileged container seems less nice from a security perspective since it seems to have root access to the host. Yet, I am not sure what can be done about it, except for taking care that the apparmor profiles prevent damage.

Given the stackoverflow discussion, I am also not sure what exactly the implications are for the host system to run apparmor in the container and loading additional profiles. I hope it is not too bad and I will try to do some more testing.