Questions tagged [apparmor]

AppArmor is a Linux Security Module (LSM) for Linux kernels. It implements Mandatory Access Control to confine programs within their limited set of resources.

125 questions
36 votes, 13 answers

Snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

I have been using snap for some time but after a recent upgrade, I get this error when I try opening any application Snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation…
ROOT-X17
23 votes, 9 answers

How to stop running Container, if error response from daemon is: Cannot Kill Container [...] permission denied?

Tough task: Every time I try to stop or kill a running container, I get permission denied as an error response from Daemon. I just started learning how to use docker by using an Ubuntu 18.04 VM. I was running a container for the first time. I was not…
icoe
12 votes, 5 answers

docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded

I installed docker-ce 19.03.3 on ubuntu 19.04 following the installation procedure described on the official website. The installation worked well. But when I wanted to test by creating a container, I got this error: Error response from daemon:…
william kouwonou
10 votes, 1 answer

How does AppArmor do "Environment Scrubbing"?

The AppArmor documentation mentions giving applications the ability to execute other programs with or without environment scrubbing. Apparently a scrubbed environment is more secure, but the documentation doesn't seem to specify exactly how…
joeforker
10 votes, 1 answer

apparmor profile for a java application run with java -jar

I am working with logstash and it is unable to read some log files. To be able to read, I think I have to add a profile in apparmor but am pretty lost at this point. The app is run as: java -jar .... Do I have to add a profile for java or is there…
Sushil
8 votes, 2 answers

What does rwk stand for?

I just checked /etc/apparmor.d/usr.sbin.mysqld and saw /var/lib/mysql/** rwk, // what does rwk stand for? Is it read, write? Then what does k stand for? /var/log/mysql/ r, What does rwk stand for?
Deepak Ingole
6 votes, 2 answers

Can't apply AppArmor profile on container: "no such file or directory"

I am trying to apply the following simple AppArmor profile: #include profile docker-profile flags=(attach_disconnected,mediate_deleted) { #include #network, #capability, #file, #umount, #ptrace, …
E235
6 votes, 2 answers

Where is docker's apparmor profile?

The following issue takes place in Debian Jessie (under Vagrant): The docker documentation claims that an apparmor profile is automatically placed in /etc/apparmor.d/docker, yet when I list the contents of this directory, it is not to be…
Louis Thibault
5 votes, 1 answer

R and getpwuid()

I am sandboxing R on Ubuntu 11.10 using apparmor. One thing I noticed is that for every png or pdf plot that R creates, it shows the warning: (process:4589): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied. However, even though read…
Jeroen Ooms
5 votes, 1 answer

How to limit the size of subprocess stdout and stderr in python

I need to run applications submitted by users. My code looks like: def run_app(app_path): inp = open("app.in", "r") otp = open("app.out", "w") return subprocess.call(app_path, stdout=otp, stdin=inp) Now since I have no control over…
5 votes, 0 answers

How do I create an apparmor profile for an application that runs using Python's twisted library?

I'm trying to create an apparmor profile for a networking application that has access to ssh and runs using Python's twisted library. I have tried using aa-genprof to generate a profile. In another bash, I ran my applications with a few test cases.…
4 votes, 1 answer

Apparmor: is it possible to call another executable from within an executable?

I have a problem I am not sure how to solve in AppArmor. Basically I have a profile that executes a program, let us say profile myprof { /my/executable ix, } The problem is that from that executable, I call another, spawning a process, let us…
Germán Diago
4 votes, 1 answer

AppArmor deny all except one path

In AppArmor for docker on Ubuntu, I have a directory /var/www that contains a bunch of virtual hosts' files. I want to deny all paths except one, so that each virtual host only sees their own files. I've tried so many things like: deny…
Nick Lang
4 votes, 0 answers

Is SELinux significantly more secure than AppArmor for Docker containers?

My understanding is that both AppArmor and SELinux implement a Mandatory Access Control (MAC) system that provides an additional security layer of isolation between containers and that Docker comes with default policies for both. However, SELinux…
ghodss
4 votes, 0 answers

How to use apparmor inside lxc container?

I have lxc container 'foo' created with ubuntu template in: /var/lib/lxc/foo/. I have file a.out in /var/lib/lxc/foo/rootfs/home/ubuntu/test/ (or /home/ubuntu/test/ as visible from inside container). I would like to use apparmor to prevent a.out…