Linux Security Modules development
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: shrawan kumar <connect.shrawan@gmail.com>,
	Casey Schaufler <casey.schaufler@intel.com>,
	smack-discuss-owner@lists.01.org
Cc: Linux Security Module list 
	<linux-security-module@vger.kernel.org>,
	John Johansen <john.johansen@canonical.com>
Subject: Re: smack ( on host ) + apparmor ( on docker ) - possible ?
Date: Thu, 25 Apr 2019 08:52:00 -0700	[thread overview]
Message-ID: <8234adc6-18c6-feab-ca04-d4cfbc64373f@schaufler-ca.com> (raw)
In-Reply-To: <CALuYEFrJfWAqr=po=ELqvMsFftxpoO0QHA5_CJgd5e2p0h0euw@mail.gmail.com>

On 4/24/2019 9:37 PM, shrawan kumar wrote:
> Dear Casey ,
>
> For one of my embedded project ,?? the requirement is to run a set of 
> process under *Docker* and each process inside Docker needs to be 
> sandboxed using *AppArmour*. However, the host from where Docker is 
> launched is *Smack* enabled . We are using *smack* as default security 
> on host .
>
> Is the above combination possible ?

With the current upstream kernel, no. You can't run more
than one "major" security module at a time. As of 5.1 you
will have more flexibility, but still not enough for Smack
and AppArmor to coexist. Development is underway for the
next phase of module stacking, which will be proposed for
5.3 and can be found:

git://github.com/cschaufler/lsm-stacking.git#stack-5.1-rc2-apparmor

With this patch set you can run Smack and AppArmor together.
What I don't know is how you would configure AppArmor so that
you can sub-configure your containers. I've added John Johansen
to the thread. He is the AppArmor expert who has been working
on AppArmor namespaces.

To the best of my knowledge no one has done what you want,
but supporting your configuration is an explicit goal. We
would be more than happy to help you in your efforts.

> Thanks and Regards
> Shrawan

       reply	other threads:[~2019-04-25 15:52 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CALuYEFrJfWAqr=po=ELqvMsFftxpoO0QHA5_CJgd5e2p0h0euw@mail.gmail.com>
2019-04-25 15:52 ` Casey Schaufler [this message]
2019-04-25 19:22   ` smack ( on host ) + apparmor ( on docker ) - possible ? John Johansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8234adc6-18c6-feab-ca04-d4cfbc64373f@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=casey.schaufler@intel.com \
    --cc=connect.shrawan@gmail.com \
    --cc=john.johansen@canonical.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=smack-discuss-owner@lists.01.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox