AppArmor UseCases with Docker system
Kazuki Omo( 面 和毅 ): ka-omo@sios.com
SIOS Technology, Inc.
Hello everyone,
Thanks for attending this session.
In this session I'll discuss Docker's security issues and how we can control them with AppArmor.
2
Who am I ?
- Security Researcher/Engineer (15 years)
- SELinux/MAC Evangelist (10 years)
- SIEM Engineer (3 years)
- Linux Engineer (15 years)
Here is my background in the security and OSS area.
I have spent almost 15 years on security research and business.
I also have experience implementing these kinds of security products for customers (from large to small).
And I worked as a SELinux evangelist (you know) for 4 years.
Security Risks of Docker Applications
First, I wish to discuss Docker's security risks.
4
What is Docker ? (you know...)
Docker is
- for separating each app's userspace (container).
- cgroups/namespaces for containers.
- for app/userspace portability.
→ Not for creating a secure environment!!
So, I guess almost everyone here has experience using Docker with Linux and applications.
Docker's concept is making containers using cgroups/namespaces/capabilities on the current Linux system. Sometimes we imagine its concept is similar to chroot, but Docker is a more flexible system. So current IT engineers, admins, devs and vendors are interested in using Docker in their systems.
But we should remember that Docker's concept is "making containers for running several apps on the same OS/system"; the concept does not come from "how to create a secure container."
5
Security Risks of Docker Applications
- Which UID is running your docker container?
- root can bypass access control (Discretionary Access Control)
- What will happen if the app has a vulnerability?
- What will happen if the OS/kernel has a vulnerability?
- Can you trust a Docker Hub image?
Not only desk theory...
So, these are the famous questions when we discuss Docker's security scheme issues.
Docker's problems are:
1. It does not use its own UID; docker processes run as "root".
So if docker has any critical issue, a cracker might be able to get root privilege through it.
2. And root can do anything, so the cracker can do anything on your OS.
So now we have to think about how we can protect the docker process from a cracker.
6
Security Risks of Docker Applications
- Do you really think a "container" is a safe sandbox?
ex. VENOM (VM) + local root exploit
CVE-2014-6408, CVE-2014-6409
We have to protect the Docker process!!
What is AppArmor
OK, in the next step I wish to talk a little bit about AppArmor.
8
What is AppArmor
Do you know AppArmor?
- Provides "Mandatory Access Control" (MAC)
- Restricts root (UID=0) permissions.
- A process under AppArmor runs in a separate domain.
- Same as SELinux, but not so complicated. :-p
[Diagram: AppArmor domain -> domain (inherit)]
So, how many people here know about AppArmor?
Do you have experience using AppArmor on your system?
Thanks. Here I describe what AppArmor is.
AppArmor provides Mandatory Access Control for your Linux. Usually root can escape the OS access control, DAC. But under MAC, even root cannot escape access control; it is controlled by the MAC policy.
This MAC can reduce the risk of root/privileged IDs in the process.
The most famous MAC system is SELinux, but it is a little bit messy to use in an actual system.
AppArmor is easier to understand, and
9
What is AppArmor
When you use AppArmor,
- easy to control permissions even if "UID=0".
[Diagram: httpd confined by the docker_httpd profile; /var/www/html allowed, /etc/shadow not]
So here is a graphical example of how AppArmor works.
Each process under AppArmor control has a domain, called a profile. In this example, the gray one, "docker_httpd", is the profile.
In each profile, we have to describe which files/dirs/objects the process can open/write/read, etc.
And the default permission is "deny".
So if the httpd process in docker is linked with the "docker_httpd" profile, and the profile says it can open/read "/var/www/html", it can only open/read "/var/www/html" and can't do anything to other unlisted files, such as /etc/shadow.
Then we can use this AppArmor MAC for
10
What is AppArmor
When you use AppArmor,
- easy to control permissions even if "UID=0".
[Diagram: docker_httpd profile confining httpd and a tiny shell; /var/www/html allowed, /etc/shadow not]
Docker /AppArmor Usecase
OK, here I'll describe how Docker works with the AppArmor MAC scheme.
12
Docker Security Option
Option: --security-opt
- Since Docker 1.3
- Attached to a container:
- SELinux label
- AppArmor domain (profile)
We can use AppArmor access control!!
Since Docker 1.3, the docker program has a security option, "--security-opt".
With this option, we can attach a SELinux label or an AppArmor profile to a container created by Docker.
Then we can use AppArmor access control.
13
Docker with AppArmor
Sample :)
docker run --security-opt=apparmor:docker_httpd_web1 XXXX
/etc/apparmor.d/local/docker_httpd_web1
#include <tunables/global>
profile docker_httpd_web1 flags=(attach_disconnected,mediate_deleted,complain) {
#include <abstractions/base>
deny @{PROC}/sys/fs/** wklx,
}
Here is just a sample. The container is created to provide an httpd web server.
When we wish to run docker + Apache, we run "docker run XXX --security-opt=apparmor:[Profile Name]"; then httpd and the other processes in the container run with the [Profile Name] profile.
14
Docker with AppArmor
docker_httpd_web1 (enforce) 5352 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web1 (enforce) 5396 root /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) 5397 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) 5398 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5389 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web2 (enforce) 5402 root /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5403 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5404 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
ps axZ
So, this is the process list.
You can see the web1 container's processes, supervisord and httpd, running with docker_httpd_web1.
Also the web2 container's processes, supervisord and httpd, running with docker_httpd_web2.
In this case, what will happen? See the next slide.
15
Docker with AppArmor
- Each container (web1/web2) is separated by its AppArmor domain.
- If web2 is cracked with a zero-day, web1 and the others are safe. :-)
[Diagram: httpd in docker_httpd_web1 and a compromised httpd(?) in docker_httpd_web2, each with its own /var/www/html; /etc/shadow outside both]
So, web1's httpd runs under docker_httpd_web1, and web2's httpd runs under docker_httpd_web2. If httpd has a zero-day issue and a malicious user or cracker attacks web2's Apache and gets root access, the cracker only gets the "docker_httpd_web2" profile.
Then the cracker can do anything to their /var/www/html, but can't do anything to another profile's container, such as docker_httpd_web1, or to unlisted files such as /etc/shadow.
So we can localize the damage to the web2 container only.
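A check that belongs next to the process list on slide 14: the isolation argument above only holds if every process of every container really carries its own profile in enforce mode. A profile loaded with the complain flag (as in the sample profile on slide 13) only logs denials and blocks nothing, and a process with no profile at all shows up as "unconfined". The following is an added example, not code from the talk: it parses ps axZ-style lines in the simplified layout the slides use (the "profile (mode)" string is the same one the kernel returns from /proc/PID/attr/current), groups PIDs by profile, and flags unconfined, complain-mode and unexpected profiles. The function names and the sample lines are constructed for this example; the web3 and unconfined lines are added to show what a failure looks like.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class Proc(NamedTuple):
    pid: int
    user: str
    cmd: str
    profile: Optional[str]   # None when the process carries no profile
    mode: Optional[str]      # "enforce" or "complain"


class Finding(NamedTuple):
    pid: int
    problem: str


# Constructed sample in the simplified "ps axZ" layout used on the slides
# (LABEL PID USER COMMAND; a real ps axZ also prints TTY, STAT and TIME).
# The last two lines are constructed to show what failed confinement looks like.
SAMPLE_PS = """\
docker_httpd_web1 (enforce) 5352 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web1 (enforce) 5396 root /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) 5397 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5389 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web2 (enforce) 5402 root /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web3 (complain) 5500 root /usr/sbin/httpd-prefork -D FOREGROUND
unconfined 5600 root /usr/sbin/httpd-prefork -D FOREGROUND
"""

# "profile (mode)" is the same string the kernel returns from /proc/PID/attr/current.
_CONFINED = re.compile(r"^(?P<profile>\S+) \((?P<mode>enforce|complain)\) "
                       r"(?P<pid>\d+) (?P<user>\S+) (?P<cmd>.*)$")
_UNCONFINED = re.compile(r"^unconfined (?P<pid>\d+) (?P<user>\S+) (?P<cmd>.*)$")


def parse_ps_labels(text: str) -> List[Proc]:
    """Turn ps axZ-style lines into Proc records; lines that match neither
    pattern (headers, blank lines) are skipped."""
    procs: List[Proc] = []
    for line in text.splitlines():
        line = line.strip()
        m = _CONFINED.match(line)
        if m:
            procs.append(Proc(int(m.group("pid")), m.group("user"), m.group("cmd"),
                              m.group("profile"), m.group("mode")))
            continue
        m = _UNCONFINED.match(line)
        if m:
            procs.append(Proc(int(m.group("pid")), m.group("user"), m.group("cmd"),
                              None, None))
    return procs


def by_profile(procs: List[Proc]) -> Dict[str, List[int]]:
    """PIDs grouped by profile; unconfined processes land under "unconfined"."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for p in procs:
        groups[p.profile or "unconfined"].append(p.pid)
    return dict(groups)


def audit(procs: List[Proc], allowed_profiles: Set[str]) -> List[Finding]:
    """Flag every process whose confinement would not contain a compromise:
    no profile at all, a profile in complain mode (denials are only logged,
    never blocked), or a profile this host is not supposed to be running."""
    findings: List[Finding] = []
    for p in procs:
        if p.profile is None:
            findings.append(Finding(p.pid, "unconfined: %s" % p.cmd))
        elif p.mode != "enforce":
            findings.append(Finding(p.pid, "%s is in %s mode, nothing is blocked"
                                    % (p.profile, p.mode)))
        elif p.profile not in allowed_profiles:
            findings.append(Finding(p.pid, "unexpected profile %s" % p.profile))
    return findings


if __name__ == "__main__":
    procs = parse_ps_labels(SAMPLE_PS)
    for profile, pids in sorted(by_profile(procs).items()):
        print("%-20s %s" % (profile, pids))
    for f in audit(procs, {"docker_httpd_web1", "docker_httpd_web2"}):
        print("PID %d: %s" % (f.pid, f.problem))
```

On a live host, feed it the output of ps axZ (after widening the regex for the TTY, STAT and TIME columns) or read /proc/PID/attr/current per PID; running it from cron against the list of profiles you expect catches a container that was started without --security-opt or with a profile someone switched to complain mode while debugging.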
16
Docker with AppArmor UseCase.
Many single-app containers on 1 host.
Each container has its own AppArmor domain.
[Diagram: containers Web, Python, DB and Web1, Web2, Web3, DB, each in its own domain (Web Domain, Python Domain, DB Domain, Web1 Domain, Web2 Domain, Web3 Domain, DB Domain)]
In this scenario, we can run several web servers on one host. Each container has its own AppArmor profile, so the damage is localized even if we have a zero-day attack.
17
Docker with AppArmor UseCase.
Multi-app containers on 1 host.
[Diagram: Container_1 Domain and Container_2 Domain, each holding Web, Python and DB]
Inside a container, every process is in the same AppArmor domain
→ Not a good idea from the security point of view.
But now, let's consider a multi-app container.
For example, the container runs MySQL, httpd and Python.
Every process in the container has the same AppArmor profile.
In this case, we can localize the risk to each container, but if httpd has a problem, MySQL in the same container also has a security risk.
From the security point of view, this is not a good idea.
18
AppArmor Domain Transition
A domain can transition to another domain through a rule in the profile.
#include <tunables/global>
profile docker_test_parent flags=(…..)
{
#include <abstractions/base>
/usr/sbin/httpd-prefork px -> docker_httpd_web1,
deny @{PROC}/mem rwklx,
}
[Diagram: Docker parent -> docker_test_parent_web1 -> docker_httpd_web1]
To resolve this issue, we can use profile transition. It is an AppArmor feature, and it follows the process/child-process concept.
The parent process uses a profile, and when that profile describes how to transition to another profile, the child process gets the new profile.
In this example, the parent process, docker/supervisord, has the docker_test_parent_web1 profile, and httpd, which is a child of supervisord, gets a different profile, "docker_httpd_web1".
If we use this profile transition, we can separate each process's profile within the same container.
19
AppArmor Domain Transition
docker_test_parent_web1 (enforce) root 2545 /usr/bin/python /usr/bin/supervisord
docker_httpd_web1 (enforce) root 2566 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) wwwrun 2583 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) wwwrun 2584 /usr/sbin/httpd-prefork -D FOREGROUND
---------------------------------------------------------------------------------------------------------------
docker_test_parent_web2 (enforce) root 2581 /usr/bin/python /usr/bin/supervisord
docker_httpd_web2 (enforce) root 2593 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) wwwrun 2594 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) wwwrun 2595 /usr/sbin/httpd-prefork -D FOREGROUND
ps axZ
So, in this process list we can see supervisord for web1 running with the "docker_test_parent_web1" profile, and httpd for web1 running with docker_httpd_web1.
Here there are only supervisord and httpd, but we can create other profiles for each app in the container if we have them, such as mysqld, python, and so on.
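The parent profile on slide 18 shows one px transition, and the note above says to add one per app. The following is an added example, not code from the talk or from the AppArmor project: it renders the parent profile for a container plus one child profile per app, using the "px -> target" rule from slide 18 and the allow-/var/www/html, deny-/etc/shadow shape from slide 9, and then checks that every px target is actually defined, because AppArmor denies the exec outright when the target profile is not loaded (px has no fallback; pix would fall back to inheriting the parent). The profile naming scheme, the app list, the binary paths and the per-app rules are assumptions for illustration; the complain flag from slide 13 is deliberately left out so the rendered profiles enforce.

```python
import re
from typing import Dict, List, NamedTuple, Set


class App(NamedTuple):
    name: str          # short name, becomes part of the child profile name
    exe: str           # absolute path of the binary the supervisor execs
    rules: List[str]   # extra AppArmor rules for that app (illustrative)


# Same flags as on the slide, minus "complain": complain mode only logs denials.
FLAGS = "attach_disconnected,mediate_deleted"


def child_profile_name(container: str, app: App) -> str:
    # Assumed naming scheme, modelled on docker_httpd_web1 from the slides.
    return "docker_%s_%s" % (app.name, container)


def render_parent(container: str, apps: List[App]) -> str:
    """The profile attached with --security-opt. The supervisor (the
    container's first process) lives here; each exec of an app binary hops
    into that app's own profile through a px rule. Allow rules the supervisor
    itself needs (its config, logs, socket) are not guessed here."""
    name = "docker_test_parent_%s" % container   # assumed name, as on slide 19
    lines = [
        "#include <tunables/global>",
        "",
        "profile %s flags=(%s) {" % (name, FLAGS),
        "  #include <abstractions/base>",
    ]
    for app in apps:
        lines.append("  %s px -> %s," % (app.exe, child_profile_name(container, app)))
    lines += ["  deny @{PROC}/mem rwklx,", "}"]
    return "\n".join(lines) + "\n"


def render_child(container: str, app: App) -> str:
    """One app, one profile: default deny plus only what the app needs.
    /etc/shadow is denied explicitly because an explicit deny overrides any
    allow an included abstraction might grant; "audit" makes the hit logged,
    since plain deny rules are quiet."""
    lines = [
        "profile %s flags=(%s) {" % (child_profile_name(container, app), FLAGS),
        "  #include <abstractions/base>",
        "  %s mr," % app.exe,
    ]
    lines += ["  %s" % rule for rule in app.rules]
    lines += ["  audit deny /etc/shadow rwklx,", "}"]
    return "\n".join(lines) + "\n"


def render_policy(container: str, apps: List[App]) -> str:
    """All profiles for one container in a single policy file, parent first."""
    return "\n".join([render_parent(container, apps)] +
                     [render_child(container, app) for app in apps])


_PX_RULE = re.compile(r"^\s*(\S+)\s+px\s*->\s*(\S+),", re.M)
_PROFILE_HDR = re.compile(r"^profile\s+(\S+)", re.M)


def transitions(policy: str) -> Dict[str, str]:
    """Binary path -> target profile for every px rule in the policy text."""
    return dict(_PX_RULE.findall(policy))


def undefined_targets(policy: str) -> Set[str]:
    """px targets with no profile block. AppArmor refuses the exec when the
    target profile is not loaded, so a typo here takes the app down instead
    of silently leaving it under-confined."""
    return set(transitions(policy).values()) - set(_PROFILE_HDR.findall(policy))


if __name__ == "__main__":
    # Constructed app list for a multi-app container, as on slides 17 and 20.
    web1 = [
        App("httpd", "/usr/sbin/httpd-prefork",
            ["/var/www/html/** r,", "network inet stream,"]),
        App("mysqld", "/usr/sbin/mysqld",
            ["/var/lib/mysql/** rwk,", "network inet stream,"]),
    ]
    policy = render_policy("web1", web1)
    print(policy)
    print("undefined px targets:", undefined_targets(policy) or "none")
```

Write the returned text to a file under /etc/apparmor.d/, load it with apparmor_parser -r <file>, and start the container with --security-opt=apparmor:docker_test_parent_web1 (newer Docker releases spell it apparmor=profile). The transition only happens at exec time, so it separates the apps only if the supervisor really execs each binary rather than, say, running mysqld through a shell script that stays in the parent profile; check the result with ps axZ as on slide 19.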
20
Docker with AppArmor UseCase
(with Domain transition)
Multi-app containers on 1 host.
[Diagram: Container 1 Domain with Web_Con1, Py_Con1 and DB_Con1; Container 2 Domain with Web_Con2, Py_Con2 and DB_Con2]
Safer :)
So, if we use Docker + AppArmor with profile transition, we can localize the risk to
1. each container
2. each app in the container.
This is a safer system, so I wish to recommend it.
Conclusion
Conclusion.
22
Conclusion
- Docker will be more secure by using "--security-opt".
- Multi-app containers run by Docker can be secured by using AppArmor.
:-)
So, now we know Docker's security risks, but we can control the risk by using AppArmor.
To use AppArmor with Docker, we use the "--security-opt" option.
And by using AppArmor with profile transition, we can create a more secure system with Docker and multi-app containers.
23
Any Questions?
24
Thank You!!! (謝謝!!)

Droidcon it-2014-marco-grassi-viaforensics
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Docker for developers
Docker for developersDocker for developers
Docker for developers
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: Introduction
 
Docker - Der Wal in der Kiste
Docker - Der Wal in der KisteDocker - Der Wal in der Kiste
Docker - Der Wal in der Kiste
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
What is this "docker"
What is this  "docker" What is this  "docker"
What is this "docker"
 
OpenStack Murano introduction
OpenStack Murano introductionOpenStack Murano introduction
OpenStack Murano introduction
 
Microservices, la risposta che (forse) cercavi!
Microservices, la risposta che (forse) cercavi!Microservices, la risposta che (forse) cercavi!
Microservices, la risposta che (forse) cercavi!
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Securing the Socks Shop
Securing the Socks ShopSecuring the Socks Shop
Securing the Socks Shop
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 

More from Kazuki Omo

OpenSSF Day Tokyo 2023 Keynote presentation.
OpenSSF Day Tokyo 2023 Keynote presentation.OpenSSF Day Tokyo 2023 Keynote presentation.
OpenSSF Day Tokyo 2023 Keynote presentation.Kazuki Omo
 
Don't you have dream about Foreign Company? How about real one?
Don't you have dream about Foreign Company? How about real one?Don't you have dream about Foreign Company? How about real one?
Don't you have dream about Foreign Company? How about real one?Kazuki Omo
 
2022Q2 最新ランサムウェア動向と対処方法.pptx
2022Q2 最新ランサムウェア動向と対処方法.pptx2022Q2 最新ランサムウェア動向と対処方法.pptx
2022Q2 最新ランサムウェア動向と対処方法.pptxKazuki Omo
 
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)Kazuki Omo
 
Osc2018 tokyo spring_scap
Osc2018 tokyo spring_scapOsc2018 tokyo spring_scap
Osc2018 tokyo spring_scapKazuki Omo
 
Linux Security Status on 2017
Linux Security Status on 2017Linux Security Status on 2017
Linux Security Status on 2017Kazuki Omo
 
Cve trends 20170531
Cve trends 20170531Cve trends 20170531
Cve trends 20170531Kazuki Omo
 
SELinux_Updates_PoC_20170516
SELinux_Updates_PoC_20170516SELinux_Updates_PoC_20170516
SELinux_Updates_PoC_20170516Kazuki Omo
 
Postgre SQL security_20170412
Postgre SQL security_20170412Postgre SQL security_20170412
Postgre SQL security_20170412Kazuki Omo
 
OSC ossセキュリティ技術の会について
OSC ossセキュリティ技術の会についてOSC ossセキュリティ技術の会について
OSC ossセキュリティ技術の会についてKazuki Omo
 
Osc2017 tokyo spring_soss_sig
Osc2017 tokyo spring_soss_sigOsc2017 tokyo spring_soss_sig
Osc2017 tokyo spring_soss_sigKazuki Omo
 
RHELのEOLがCentOSに及ぼす影響
RHELのEOLがCentOSに及ぼす影響RHELのEOLがCentOSに及ぼす影響
RHELのEOLがCentOSに及ぼす影響Kazuki Omo
 
SCAP for openSUSE
SCAP for openSUSESCAP for openSUSE
SCAP for openSUSEKazuki Omo
 
Edb summit 2016_20160216.omo
Edb summit 2016_20160216.omoEdb summit 2016_20160216.omo
Edb summit 2016_20160216.omoKazuki Omo
 

More from Kazuki Omo (15)

OpenSSF Day Tokyo 2023 Keynote presentation.
OpenSSF Day Tokyo 2023 Keynote presentation.OpenSSF Day Tokyo 2023 Keynote presentation.
OpenSSF Day Tokyo 2023 Keynote presentation.
 
Don't you have dream about Foreign Company? How about real one?
Don't you have dream about Foreign Company? How about real one?Don't you have dream about Foreign Company? How about real one?
Don't you have dream about Foreign Company? How about real one?
 
2022Q2 最新ランサムウェア動向と対処方法.pptx
2022Q2 最新ランサムウェア動向と対処方法.pptx2022Q2 最新ランサムウェア動向と対処方法.pptx
2022Q2 最新ランサムウェア動向と対処方法.pptx
 
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
 
Osc2018 tokyo spring_scap
Osc2018 tokyo spring_scapOsc2018 tokyo spring_scap
Osc2018 tokyo spring_scap
 
Linux Security Status on 2017
Linux Security Status on 2017Linux Security Status on 2017
Linux Security Status on 2017
 
Cve trends 20170531
Cve trends 20170531Cve trends 20170531
Cve trends 20170531
 
SELinux_Updates_PoC_20170516
SELinux_Updates_PoC_20170516SELinux_Updates_PoC_20170516
SELinux_Updates_PoC_20170516
 
Postgre SQL security_20170412
Postgre SQL security_20170412Postgre SQL security_20170412
Postgre SQL security_20170412
 
OSC ossセキュリティ技術の会について
OSC ossセキュリティ技術の会についてOSC ossセキュリティ技術の会について
OSC ossセキュリティ技術の会について
 
Osc2017 tokyo spring_soss_sig
Osc2017 tokyo spring_soss_sigOsc2017 tokyo spring_soss_sig
Osc2017 tokyo spring_soss_sig
 
RHELのEOLがCentOSに及ぼす影響
RHELのEOLがCentOSに及ぼす影響RHELのEOLがCentOSに及ぼす影響
RHELのEOLがCentOSに及ぼす影響
 
SCAP for openSUSE
SCAP for openSUSESCAP for openSUSE
SCAP for openSUSE
 
6 anti virus
6 anti virus6 anti virus
6 anti virus
 
Edb summit 2016_20160216.omo
Edb summit 2016_20160216.omoEdb summit 2016_20160216.omo
Edb summit 2016_20160216.omo
 

Recently uploaded

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentVictorSzoltysek
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...masabamasaba
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 

Recently uploaded (20)

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 

Docker app armor_usecase

  • 1. AppArmor UseCases with Docker system
    Kazuki Omo (面 和毅): ka-omo@sios.com
    SIOS Technology, Inc.
  • 2. Who am I?
    - Security Researcher/Engineer (15 years)
    - SELinux/MAC Evangelist (10 years)
    - SIEM Engineer (3 years)
    - Linux Engineer (15 years)
  • 3. Security Risks of Docker Applications
  • 4. What is Docker? (you know...)
    Docker is
    - for separating each app's user space (container),
    - cgroups/namespaces for containers,
    - for app/user-space portability
    → not for creating a secure environment!!
  • 5. Security Risks of Docker Applications
    - Which UID is your Docker container running as?
    - root can bypass access control (Discretionary Access Control).
    - What will happen if the app has a vulnerability?
    - What will happen if the OS/kernel has a vulnerability?
    - Can you trust a Docker Hub image?
    Not only desk theory...
  • 6. Security Risks of Docker Applications
    - Do you really think a "container" is a safe sandbox?
      ex. VENOM (VM) + local root exploit; CVE-2014-6408, CVE-2014-6409
    We have to protect the Docker process!!
  • 8. What is AppArmor
    Do you know AppArmor?
    - Provides Mandatory Access Control (MAC).
    - Restricts root (UID=0) permission.
    - A process under AppArmor runs in a separate domain.
    - Same idea as SELinux, but not so complicated. :-p
    [diagram: an AppArmor domain and a domain inheriting from it]
  • 9. What is AppArmor
    When you use AppArmor, it is easy to control permission even if UID=0.
    [diagram: httpd inside the docker_httpd profile, with /var/www/html reachable and /etc/shadow outside the profile]
  • 10. What is AppArmor
    When you use AppArmor, it is easy to control permission even if UID=0.
    [diagram: httpd and a tiny shell inside the docker_httpd profile, with /var/www/html reachable and /etc/shadow outside the profile]
  • 12. Docker Security Option
    Option: --security-opt
    - available since Docker 1.3
    - attaches to the container:
      - an SELinux label
      - an AppArmor domain (profile)
    We can use AppArmor access control!!
  • 13. Docker with AppArmor
    Sample :)
      docker run --security-opt=apparmor:docker_httpd_web1 XXXX
    /etc/apparmor.d/local/docker_httpd_web1:
      #include <tunables/global>
      profile docker_httpd_web1 flags=(attach_disconnected,mediate_deleted,complain) {
        #include <abstractions/base>
        deny @{PROC}/sys/fs/** wklx,
      }
    Note that this sample carries the "complain" flag, under which AppArmor only logs violations instead of denying them; the process listing on the next slide shows the profiles in enforce mode, so drop the flag (or run aa-enforce) before relying on the profile. A profile file kept in a subdirectory such as local/ is also not picked up when /etc/apparmor.d is loaded as a directory, so load it explicitly with apparmor_parser -r and confirm with aa-status. Current Docker spells the option --security-opt apparmor=docker_httpd_web1; apparmor:PROFILE is the Docker 1.3 form.
  • 14. Docker with AppArmor
    ps axZ
      docker_httpd_web1 (enforce) 5352 root   /usr/bin/python /usr/bin/supervisord
      docker_httpd_web1 (enforce) 5396 root   /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web1 (enforce) 5397 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web1 (enforce) 5398 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web2 (enforce) 5389 root   /usr/bin/python /usr/bin/supervisord
      docker_httpd_web2 (enforce) 5402 root   /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web2 (enforce) 5403 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web2 (enforce) 5404 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
  • 15. Docker with AppArmor
    - Each container (web1/web2) is separated by its own AppArmor domain.
    - If web2 is cracked with a zero-day, web1 and the others are safe. :-)
    [diagram: httpd in docker_httpd_web1 and a compromised httpd(?) in docker_httpd_web2, each reaching only its own /var/www/html and neither reaching /etc/shadow]
  • 16. Docker with AppArmor
    Use case: many single-app containers on one host.
    Containers Web, Python, DB, Web1, Web2, Web3 and DB, each with its own AppArmor domain (Web Domain, Python Domain, DB Domain, Web1 Domain, Web2 Domain, Web3 Domain, DB Domain).
  • 17. Docker with AppArmor
    Use case: multi-app containers on one host.
    Container_1 (Web, Python, DB) in Container_1 Domain; Container_2 (Web, Python, DB) in Container_2 Domain.
    Inside a container, every process has the same AppArmor domain → not a good idea from the security point of view.
  • 18. AppArmor Domain Transition
    A domain can transition to another domain by a rule in its profile.
      #include <tunables/global>
      profile docker_test_parent flags=(…..) {
        #include <abstractions/base>
        /usr/sbin/httpd-prefork px -> docker_httpd_web1,
        deny @{PROC}/mem rwklx,
      }
    (The parent profile in the listing on the next slide is named docker_test_parent_web1; the snippet abbreviates it. px switches the exec'd process to the named profile without scrubbing its environment, Px also scrubs it, and the exec fails if the named profile is not loaded.)
    [diagram: Docker parent → docker_test_parent_web1 → docker_httpd_web1]
  • 19. AppArmor Domain Transition
    ps axZ
      docker_test_parent_web1 (enforce) root   2545 /usr/bin/python /usr/bin/supervisord
      docker_httpd_web1 (enforce)       root   2566 /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web1 (enforce)       wwwrun 2583 /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web1 (enforce)       wwwrun 2584 /usr/sbin/httpd-prefork -D FOREGROUND
      ---------------------------------------------------------------------------------
      docker_test_parent_web2 (enforce) root   2581 /usr/bin/python /usr/bin/supervisord
      docker_httpd_web2 (enforce)       root   2593 /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web2 (enforce)       wwwrun 2594 /usr/sbin/httpd-prefork -D FOREGROUND
      docker_httpd_web2 (enforce)       wwwrun 2595 /usr/sbin/httpd-prefork -D FOREGROUND
  • 20. Docker with AppArmor
    Use case (with domain transition): multi-app containers on one host.
    Container 1 Domain: Web → Web_Con1, Python → Py_Con1, DB → DB_Con1.
    Container 2 Domain: Web → Web_Con2, Python → Py_Con2, DB → DB_Con2.
    More safe :)
  • 22. Conclusion
    - Docker becomes more secure by using "--security-opt".
    - A multi-app container in Docker can be secured by using AppArmor domain transitions. :-)
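The procedure from slides 13 and 14, worked through as an added example (it is not code from the original deck or from SIOS): one profile per container, rendered without the complain flag, written to /etc/apparmor.d itself, attached with --security-opt and then checked from the host by reading the label of every process in the container. The allow rules in the rendered profile, the container names web1/web2, the image name httpd-image and the use of docker top to find the container's PIDs are assumptions for this example; the slides only show the profile skeleton and the ps listing. The option is written apparmor=PROFILE, the spelling current Docker accepts; the slide's apparmor:PROFILE is the Docker 1.3 form.

```shell
#!/bin/sh
# Added example, not code from the original slides or from SIOS: one AppArmor
# profile per container, loaded in enforce mode, attached with --security-opt
# and verified from the host. Assumptions: a hypothetical image "httpd-image",
# the SUSE-style paths from the slides (httpd-prefork, supervisord) and a host
# with AppArmor, docker and apparmor_parser installed.

# Render a per-container profile. Unlike the slide 13 sample there is no
# "complain" flag (complain mode only logs violations) and the allow rules a
# web server needs are listed; everything not listed stays denied. The rule
# set is an assumption; tune it with aa-logprof against the real image.
render_profile() {
  name=$1
  cat <<EOF
#include <tunables/global>
profile $name flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,
  network inet tcp,
  network inet6 tcp,

  /usr/bin/python* ix,
  /usr/bin/supervisord r,
  /usr/sbin/httpd-prefork ix,
  /etc/supervisord.conf r,
  /etc/apache2/** r,
  /var/www/html/** r,
  /var/log/apache2/** w,
  /var/log/supervisor/** rw,
  /run/** rwk,

  # explicit denies win over any allow rule and are logged as denials
  deny /etc/shadow rwklx,
  deny @{PROC}/sys/fs/** wklx,
}
EOF
}

# Succeeds only if the profile file enforces (no complain flag).
profile_enforces() {
  ! grep -q 'flags=([^)]*complain' "$1"
}

# Succeeds only if a label (ps -o label, or /proc/PID/attr/current) names the
# expected profile in enforce mode. "unconfined" (profile never attached),
# "(complain)" (flag left in) and any other profile name all fail.
check_label() {
  case "$1" in
    "$2 (enforce)") return 0 ;;
    *) return 1 ;;
  esac
}

# Check every process of a running container from the host side.
audit_container() {
  name=$1; expected=$2; bad=0
  for pid in $(docker top "$name" -o pid | tail -n +2); do
    label=$(cat "/proc/$pid/attr/current")
    if ! check_label "$label" "$expected"; then
      echo "$name pid $pid: label '$label', expected '$expected (enforce)'" >&2
      bad=1
    fi
  done
  return $bad
}

main() {
  for c in web1 web2; do
    p=docker_httpd_$c
    # /etc/apparmor.d itself, not local/: files in subdirectories are only
    # read when a top-level profile #includes them.
    render_profile "$p" > "/etc/apparmor.d/$p"
    profile_enforces "/etc/apparmor.d/$p"
    apparmor_parser -r "/etc/apparmor.d/$p"
    docker run -d --name "$c" --security-opt "apparmor=$p" httpd-image
    audit_container "$c" "$p"
  done
  aa-status | grep docker_httpd_
}

case "${1:-}" in --apply) main ;; esac
```

Run it as `sh profile.sh --apply` on an AppArmor host; without the flag it only defines the functions. check_label is the check worth keeping: it fails for an unconfined label, for a (complain) label and for a label naming some other profile, which are the three ways a container ends up looking protected on paper while the kernel is not actually denying anything.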
  • 25. AppArmor UseCases with Docker system Kazuki Omo( 面 和毅 ): ka-omo@sios.com SIOS Technology, Inc. Hello Everyone Thanks for attending this session. In this session, I'll discuss the Docker's security issues, and how we can control the issues with AppAromor.
  • 26. 2 Who am I ? - Security Researcher/Engineer (15 years) - SELinux/MAC Evangelist (10 years) - SIEM Engineer (3 years) - Linux Engineer (15 years) Here is my background for security and OSS area. I spent almost 15 years for Security Researching and Business. Also I have experience to inplement those kind of Security Product to customer(Big customer to small). And I was working as SELinux(you know) Evangelist 4 years.
  • 27. Security Risks of Docker Applications At first. I wish to discuss how the docker's security Risk.
  • 28. 4 What is Docker ? (you know...) Docker is - for separate each App UserSpace (container). - cgroups/namespaces for containers. - for App/Userspace Portability → Not for Creating Secure environment!! So, I guess almost everyone in here have experience to use Docker with your Linux+Application. The Docker's concept is making container by using cgroups/namespaces/capabilities with current Linux system. Sometime we imagine it's concept is similar as chroot, but Docker is more flexible system. Then current IT engineer, admin or dev or vendor are interested to use Docker with their system. But we should imagine that the Docker's concept is “making container for running several Apps on same OS/system”, and the concept is not coming from “How to create secure container.”
  • 29. 5 Security Risks of Docker Applications - Which UID is running your docker container? - root can bypass access control (Discretionary Access Control) - What will happen if App has vulnerability? - What will happen if the OS/kernel has vulnerability? - Can you trust Docker-Hub image? Not only desk theory... So, these are famous questions when we are discussing about Docker's security scheme issue. Docker's problem is 1. not using it's own UID, and docker process are running by “root”. So if docker is having any critical issue, we might have issue to get root priviledge by cracker. 2. And root can do anything, then the cracker can do anything on your OS. So now we have to think about “how can we protect docker process by cracker”.
  • 30. 6 Security Risks of Docker Applications - Do you really think “Container” is safety sandbox? ex. VENOM(VM) +Local root Exploit CVE-2014-6408, CVE-2014-6409 We have to Protect Docker process !! So, these are famous questions when we are discussing about Docker's security scheme issue. Docker's problem is 1. not using it's own UID, and docker process are running by “root”. So if docker is having any critical issue, we might have issue to get root priviledge by cracker. 2. And root can do anything, then the cracker can do anything on your OS. So now we have to think about “how can we protect docker process by cracker”.
  • 31. What is AppArmor OK, in next step, I wish to talk a little bit about AppArmor.
  • 32. 8 What is AppArmor Do you know AppArmor? - Provide “Mandatory Access Control( 制 控制强 访问 )” - Restrict root(UID=0) permission. - Process under AppArmor is in separate domain. - Same as SELinux, but not so complicated. :-p AppArmordomain domain inherit So, in here, how many people know about AppArmor? Have you experience to use AppArmor on your system? Thanks. Here I described what is AppArmor. The AppArmor is providing Mandatory Access Control to your Linux. Usually, root can escape OS Access Control, DAC. But in MAC, even if root can not escape Access Control, and control by MAC ACL. This MAC can reduce the root/privileged ID's risk in the process. Most famous MAC system is SELinux, but it's a little bit messy to use in Actual system. AppArmor is more easy to understand, and
  • 33. 9 What is AppArmor /var/www/html httpd When you use Apparmor, - easy to control permission even if “UID=0”. docker_httpd /etc/shadow So here is a graphical example how the AppArmor working. Each process under AppArmor control has domain, called profile. In this example, gray one “docker_httpd” is profile. Each profile, we have to describe which file/dir/object the process can open/write/read, etc… And default permission is “deny”. So If the httpd process with docker is linked with “docker_httpd” profile and the profile is saying it can open/read “/var/www/html”, it only can open/read “var/www/html” and can't do anything to other un-listed file, such as /etc/shadow or something. Then we can use this AppArmor MAC for
  • 34. 10 What is AppArmor /var/www/html /etc/shadow httpd When you use Apparmor, - easy to control permission even if “UID=0”. docker_httpd Tiny shell So here is a graphical example how the AppArmor working. Each process under AppArmor control has domain, called profile. In this example, gray one “docker_httpd” is profile. Each profile, we have to describe which file/dir/object the process can open/write/read, etc… And default permission is “deny”. So If the httpd process with docker is linked with “docker_httpd” profile and the profile is saying it can open/read “/var/www/html”, it only can open/read “var/www/html” and can't do anything to other un-listed file, such as /etc/shadow or something. Then we can use this AppArmor MAC for
  • 35. Docker /AppArmor Usecase OK, here I'll describe how Docker is working with AppArmor MAC scheme.
  • 36. 12 Docker Security Option Option: --security-opt - After Docker 1.3 - Attach to Container; - SELinux Label - AppArmor Domain We can use AppArmor Access Control!! After Docker 1.3, docker program is having security option, such as “--security-opt”. With this option, we can use SELinux Label or AppArmor Profile with container which is provided by Docker. Then we can use AppArmor Access Control.
  • 37. 13 Docker with AppArmor Sample:) docker –security-opt=apparmor:docker_httpd_web1 XXXX /etc/apparmor.d/local/docker_httpd_web1 #include <tunables/global> profile docker_httpd_web1 flags=(attach_disconnected,mediate_deleted,complain) { #include <abstractions/base> deny @{PROC}/sys/fs/** wklx, } Here is just sample. Docker is created for providing httpd web server. When we wish to run docker+Apache, we will run “docker run XXX –security- opt=apparmor:[Profile Name]”, then the httpd and other process under the docker will run with [Profile Name] profile.
  • 38. 14 Docker with AppArmor docker_httpd_web1 (enforce) 5352 root /usr/bin/python /usr/bin/supervisord docker_httpd_web1 (enforce) 5396 root /usr/sbin/httpd-prefork -D FOREGROUND docker_httpd_web1 (enforce) 5397 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND docker_httpd_web1 (enforce) 5398 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND docker_httpd_web2 (enforce) 5389 root /usr/bin/python /usr/bin/supervisord docker_httpd_web2 (enforce) 5402 root /usr/sbin/httpd-prefork -D FOREGROUND docker_httpd_web2 (enforce) 5403 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND docker_httpd_web2 (enforce) 5404 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND ps axZ So, this is process list. You can see web1 container related process, such as supervisord and httpd, are running with docker_httpd_web1. Also web2 container related process, such as supervisord and httpd, are running with docker_httpd_web2. In this case, what will happen? See next slide.
  • 39. 15 Docker with AppArmor /var/www/html /etc/shadow httpd - Each container(web1/web2) separated with AppArmor domain. - If web2 cracked with zero-day, web1 and others are safe. :-) docker_httpd_web1 /var/www/html httpd(?) docker_httpd_web2 So, web1's httpd are running under docker_httpd_web1. Web2's httpd are also under docker_httpd_web2. If httpd has zero- day issue and malicious user or cracker attack web2's apache and get root access, The malicious user or cracker only can get “docker_httpd_web2” profile. Then, cracker can only do anything with their /var/www/html, but can't do anything to other profile container, such as docker_httpd_web1, or un-listed /etc/shadow etc. Then we can localize the damage to only web2 container.
  • 40. 16 Docker with AppArmor UseCase. Many Single-App-Containers on 1 host.
  [Figure: containers Web, Python, DB, Web1, Web2, Web3, DB, each in its own domain: Web Domain, Python Domain, DB Domain, Web1 Domain, Web2 Domain, Web3 Domain, DB Domain]
  Each container has its own AppArmor Domain.
  In this scenario, we can run several web servers on 1 host. Each container has its own AppArmor profile, so the damage will be localized even if we have a zero-day attack.
  • 41. 17 Docker with AppArmor UseCase. Multi-App-Containers on 1 host.
  [Figure: Container_1 Domain and Container_2 Domain, each holding Web, Python and DB in the same domain]
  Inside a container, same AppArmor Domain → Not a good idea from the security point of view.
  But now, let's consider a Multi-App container. For example, the container is running MySQL, HTTPD, and Python. Every process in the container has the same AppArmor profile. In this case, we can localize the risk to each container, but if httpd has a problem, MySQL in the same container will also be at risk. From the security point of view, this is not a good idea.
  • 42. 18 AppArmor Domain Transition
  Domain can transit to another Domain in Profile rule.
    #include <tunables/global>
    profile docker_test_parent flags=(…..) {
      #include <abstractions/base>
      # px: on exec, httpd-prefork switches to the named child profile
      /usr/sbin/httpd-prefork px -> docker_httpd_web1,
      deny @{PROC}/mem rwklx,
    }
  [Figure: Docker parent in the docker_test_parent_web1 domain; httpd transitions to the docker_httpd_web1 domain]
  For resolving this issue, we can use profile transition. It is an AppArmor feature, and it is similar to the process/child process concept. The parent process uses one profile, and when that profile describes how it transitions to another, the child process gets the new profile. In this example, the parent process, docker/supervisord, has the docker_test_parent_web1 profile, and httpd, which is a child of supervisord, has a different profile, "docker_httpd_web1". If we use this profile transition, we can separate each process's profile in the same container.
  • 43. 19 AppArmor Domain Transition
  ps axZ
    docker_test_parent_web1 (enforce) root 2545 /usr/bin/python /usr/bin/supervisord
    docker_httpd_web1 (enforce) root 2566 /usr/sbin/httpd-prefork -D FOREGROUND
    docker_httpd_web1 (enforce) wwwrun 2583 /usr/sbin/httpd-prefork -D FOREGROUND
    docker_httpd_web1 (enforce) wwwrun 2584 /usr/sbin/httpd-prefork -D FOREGROUND
    ---------------------------------------------------------------------------------------------------------------
    docker_test_parent_web2 (enforce) root 2581 /usr/bin/python /usr/bin/supervisord
    docker_httpd_web2 (enforce) root 2593 /usr/sbin/httpd-prefork -D FOREGROUND
    docker_httpd_web2 (enforce) wwwrun 2594 /usr/sbin/httpd-prefork -D FOREGROUND
    docker_httpd_web2 (enforce) wwwrun 2595 /usr/sbin/httpd-prefork -D FOREGROUND
  So, in this process list we can see that supervisord for web1 is running with the "docker_test_parent_web1" profile, and httpd for web1 is running with docker_httpd_web1. Here there are only supervisord and httpd, but we can create other profiles for each app in the container if we have them, such as mysqld, python, and so on.
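  The parent/child profile pair behind the transition on the previous slide and the process list above, written out as an added example (not from the slides). The supervisord paths, the Apache config and log paths under /etc/apache2 and /var/log/apache2, the network rules and the flag set are assumptions; the sample on slide 37 used complain mode, this one is enforce mode.

```apparmor
#include <tunables/global>

# Parent profile: attached to the whole container with
#   docker run --security-opt apparmor=docker_test_parent_web1 ...
# (older Docker releases, as in the slides, spell it apparmor:docker_test_parent_web1).
# Load both profiles first: apparmor_parser -r <this file>
profile docker_test_parent_web1 flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/python>

  # supervisord (assumed container entrypoint) stays in this domain (ix = inherit)
  /usr/bin/python* ix,
  /usr/bin/supervisord r,
  /etc/supervisord.conf r,
  /var/log/supervisor/** rw,

  # px: exec of httpd switches to the named child profile and scrubs the
  # environment; the exec is refused if docker_httpd_web1 is not loaded
  /usr/sbin/httpd-prefork px -> docker_httpd_web1,

  deny @{PROC}/mem rwklx,
  deny @{PROC}/sys/fs/** wklx,
}

# Child profile: every httpd-prefork worker lands here, root and wwwrun alike,
# which is what "ps axZ" shows on the slide above
profile docker_httpd_web1 flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  network inet tcp,
  network inet6 tcp,

  /usr/sbin/httpd-prefork mr,
  /etc/apache2/** r,
  /var/log/apache2/** w,
  /var/www/html/** rw,   # the only tree a compromised httpd can still touch

  # Profiles are default-deny, so /etc/shadow is already unreachable; an explicit
  # audit deny keeps the log entry even if an allow rule is added later by mistake
  audit deny /etc/shadow rwklx,
}
```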
  • 44. 20 Docker with AppArmor UseCase (with Domain transition) Multi-App-Containers on 1 host.
  [Figure: Container 1 Domain holds Web, Python, DB in sub-domains Web_Con1, Py_Con1, DB_Con1; Container 2 Domain holds Web_Con2, Py_Con2, DB_Con2]
  More Safe :)
  So, if we use Docker + AppArmor with profile transition, we can localize the risk to 1. each container and 2. each app in the container. This will be a safer system, so I wish to recommend it.
  • 46. 22 Conclusion
  - Docker will be more secure by using "--security-opt".
  - A Multi-App container on Docker can be secured by using AppArmor. :-)
  So, now we know the Docker security risk, but we can control the risk by using AppArmor. For using AppArmor with Docker, we use the "--security-opt" option. And by using AppArmor with profile transition, we can create a more secure system with Docker + Multi-App containers.