I want to allow a container to write to its own virtual disk (/etc), but prevent it from accessing the real disk (/etc). I believe this can be done in SELinux using labels, but can it also be done with AppArmor? I haven't found any examples online.
Reproducible example:
# create the profile directory first (it may not exist yet)
mkdir -p /etc/apparmor.d/containers
# quote the delimiter so nothing inside the profile is expanded by the shell
cat > /etc/apparmor.d/containers/docker-empty <<'EOF'
#include <tunables/global>
profile docker-empty flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  # allow every file operation...
  file,
  # ...except write/link under /etc (paths as seen inside the container)
  deny /etc/** wl,
  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,
}
EOF
# load (or replace) the profile and write the cache
apparmor_parser -r -W /etc/apparmor.d/containers/docker-empty
# docker ignores the apparmor setting, so podman must be used
# pass (should pass)
podman run --security-opt "apparmor=docker-empty" --rm -it debian:12 touch /test
# fail (should pass)
podman run --security-opt "apparmor=docker-empty" --rm -it debian:12 touch /etc/test
# pass (should fail)
podman run --security-opt "apparmor=docker-empty" --rm -it -v /:/realroot debian:12 touch /realroot/test
# pass (should fail)
podman run --security-opt "apparmor=docker-empty" --rm -it -v /:/realroot debian:12 touch /realroot/etc/test
The last one is particularly annoying: the AppArmor profile blocks access to the virtual /etc, but not to the real /etc, because that one is mounted at a different path, /realroot/etc.
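The following is an added illustration, not code from the post above and not AppArmor's own matcher. It reimplements a subset of the apparmor.d(5) path-glob rules (`*`, `**`, `?`, `{a,b}`, `[...]`) and the allow/deny evaluation order, then applies the post's profile to the four `touch` targets exactly as the kernel sees them inside the container's mount namespace. Modelling bare `file,` as an allow rule on `/**`, the `Rule`/`evaluate` names and the `/realroot/**` deny variant are assumptions of this model, not part of the original profile.

```python
"""AppArmor-style path matching, reduced to a small evaluator.

Added illustration, not code from the original post or from AppArmor
itself. It reimplements (a subset of) the apparmor.d(5) glob rules to
show why a profile written against /etc/** mediates the container's
own /etc but not a host /etc bind-mounted at /realroot/etc.
"""
import re
from dataclasses import dataclass


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate an AppArmor path glob into a regex for fullmatch().

    Supported: '*' (within one path component), '**' (across '/'),
    '?' (one non-'/' char), '{a,b}' alternation (literal alternatives
    only) and '[...]' character classes. Nested braces, variables and
    '^' anchors are out of scope for this illustration.
    """
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # '**' crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # '*' stays inside one component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])  # pass the class through unchanged
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


@dataclass(frozen=True)
class Rule:
    glob: str
    perms: str          # subset of "rwlkmx"
    deny: bool = False


# Bare "file," in a profile grants every file permission on every path;
# it is modelled here as an allow rule on /** (assumption of this model).
FILE_ALL = Rule("/**", "rwlkmx")


def evaluate(rules, path: str, perm: str) -> bool:
    """Return True if `perm` on `path` is permitted by `rules`.

    AppArmor rules are unordered: an operation is permitted if some
    allow rule grants it and no deny rule matching the path revokes it.
    """
    allowed = False
    for rule in rules:
        if perm in rule.perms and glob_to_regex(rule.glob).fullmatch(path):
            if rule.deny:
                return False          # deny always wins
            allowed = True
    return allowed


# The profile from the post: "file," plus "deny /etc/** wl,".
DOCKER_EMPTY = [FILE_ALL, Rule("/etc/**", "wl", deny=True)]

# One path-based tightening (assumption: the operator knows the mount
# point in advance). The path is the only handle AppArmor offers, which
# is the limitation the post is describing.
DOCKER_EMPTY_REALROOT = DOCKER_EMPTY + [Rule("/realroot/**", "wl", deny=True)]

# The four `touch` targets from the post, as seen inside the container's
# mount namespace: the path, not the backing filesystem, is matched.
TOUCH_TARGETS = ["/test", "/etc/test", "/realroot/test", "/realroot/etc/test"]


def run(rules) -> dict:
    """Map each target path to whether `touch` (a write) would be allowed."""
    return {path: evaluate(rules, path, "w") for path in TOUCH_TARGETS}


if __name__ == "__main__":
    for name, profile in (("docker-empty", DOCKER_EMPTY),
                          ("docker-empty + deny /realroot/**", DOCKER_EMPTY_REALROOT)):
        print(name)
        for path, ok in run(profile).items():
            print(f"  touch {path:<22} {'pass' if ok else 'fail'}")
```

Running it reproduces the pass/fail pattern in the post for `docker-empty`: only `/etc/test` is refused, because `/etc/**` is matched against the literal path and `/realroot/etc/test` does not start with `/etc/`. The second profile refuses both `/realroot/...` targets, but only because the mount point was written into the rule by hand.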