Disable AppArmor for Docker for ptrace_scope
Is it possible to disable AppArmor for a particular Docker container? I want to make ptrace accessible so I can attach gdb to a running process but run into the following issue when I want to change the setting:

root@fbf728150308:/gopath# echo 0 > /proc/sys/kernel/yama/ptrace_scope
bash: /proc/sys/kernel/yama/ptrace_scope: Read-only file system
Phytohormone answered 6/5, 2016 at 12:29 Comment(0)
AppArmor can be disabled either by running unconfined, or as a privileged container:

  • --security-opt apparmor=unconfined (or apparmor:unconfined for docker 1.10 and below)
  • --privileged

However, a better option is to create a new profile that enables ptrace. You can use the docker AppArmor profile as a starting point (found in /etc/apparmor.d/docker), and append the ptrace peer=@{profile_name}.

You will also need to disable seccomp (unless using privileged), through --security-opt seccomp=unconfined.

Airline answered 1/9, 2016 at 17:50 Comment(4)
See also docker run --cap-add SYS_PTRACE. docs.docker.com/engine/reference/run/… - Anthropopathy
/etc/apparmor.d/docker does not seem to exist anymore in Docker > v1.13 - Lola
@Peter, I installed the snap version and that would be under the /snap/... but it's not there either. It would be good to have a copy of that file (or a link to it). - Budgie
I found it, it's under a separate folder (i.e. not /etc/...) /var/lib/snapd/apparmor/profiles/snap.docker.docker. That makes sense since we want to be able to edit these files and all /snap/... are read-only. - Budgie

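The answer and the comments combined into one small helper, as an added example that is not code from the post: it derives a profile from the Docker AppArmor profile with the ptrace rule appended, and builds the narrowest docker run options (custom profile plus CAP_SYS_PTRACE) instead of --privileged, adding seccomp=unconfined only on request. The function names, the profile name docker-ptrace and the BASE_PROFILE/SECCOMP variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Function names, the profile name
# docker-ptrace and the BASE_PROFILE/SECCOMP variables are assumptions.

# Emit a copy of the base profile ($1) renamed to $2, with the ptrace rule
# from the answer inserted before the closing brace.
gen_profile() {
  awk -v name="$2" '
    /^profile [^ ]+/ && !renamed { sub(/^profile [^ ]+/, "profile " name); renamed = 1 }
    /^}/ && !added { print "  ptrace peer=@{profile_name},"; added = 1 }
    { print }
  ' "$1"
}

# Print the docker run options for a debugging container: the custom profile
# plus CAP_SYS_PTRACE (from the comments) rather than --privileged. Seccomp is
# only disabled when $2 is "unconfined"; try the default seccomp profile first
# and fall back to this only if gdb still cannot attach.
docker_debug_args() {
  args="--security-opt apparmor=$1 --cap-add SYS_PTRACE"
  if [ "${2:-}" = "unconfined" ]; then
    args="$args --security-opt seccomp=unconfined"
  fi
  printf '%s\n' "$args"
}

# kernel.yama.ptrace_scope is a host-wide sysctl and /proc/sys is read-only
# inside a container (the error in the question), so read it on the host.
host_ptrace_scope() {
  if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    cat /proc/sys/kernel/yama/ptrace_scope
  else
    echo "n/a"
  fi
}

main() {
  base="${BASE_PROFILE:-/etc/apparmor.d/docker}"  # or the snap path from the comments
  name="docker-ptrace"
  gen_profile "$base" "$name" > "/tmp/$name"
  apparmor_parser -r -W "/tmp/$name"               # load the profile (needs root)
  echo "host ptrace_scope: $(host_ptrace_scope)"
  # word-splitting of the option string is intended here
  docker run --rm -it $(docker_debug_args "$name" "${SECCOMP:-}") "$@"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./debug-container.sh <image> [command]`; set SECCOMP=unconfined only if attaching still fails with the default seccomp profile.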