Is there support for AppArmor tools in Torizon? It looks like AppArmor isn’t enabled in Torizon Linux. We’d like to create profiles for Docker containers to add an additional layer of security.
If AppArmor isn’t available, is there a similar security tool already enabled in Torizon Linux that we could use instead?
Greetings @jags,
You are correct that we don’t have AppArmor enabled in Torizon OS.
That said, we’d still like to learn more about your use-case and request here.
Could you elaborate on exactly what your goal and use-case would be here? For example is it simply just to create profiles to restrict access to certain capabilities inside running containers, or is your goal different/more than this?
Once we have a good summary of your use-case we can pass this on to our product team for further discussion and consideration.
Also, is this something that is blocking/required for your product, or is it more of a nice to have? This would also be helpful to know.
Best Regards,
Jeremias
Hi Jeremias,
Our goal is to introduce an additional layer of access restrictions. While these restrictions can be configured through Docker settings, we also plan to create a dedicated security profile that defines controls such as capability removal, file system access limitations, and other constraints, and then assign this profile to the container.
This approach ensures that even if someone is able to compromise the container, they would still need to bypass this additional security layer.
These are our current thoughts. If you have any other suggestions or recommendations, we would be happy to consider them.
Thanks,
Jagtar
I see, thank you for elaborating on your use-case.
Considering what you described have you have you also considered Seccomp security profiles?: Seccomp security profiles for Docker | Docker Docs
This should be enabled already in Torizon OS. I do realize Seccomp is not a one-to-one in terms of functionality with AppArmor. But, I was wondering if Seccomp is sufficient for your needs, or you truly need something like AppArmor.
Furthermore, is this something you urgently need, and if so in what kind of time-frame would you need it?
This kind of information is important if I go ahead and pass this request to our product team. So please provide as accurate information as you can.
Best Regards,
Jeremias
Hi Jeremias,
I reviewed Seccomp security profiles. They provide low-level protection, such as kernel hardening and syscall restriction, but they do not control filesystem or device access. Those controls are handled by AppArmor.
While Seccomp is still useful, we would also benefit from using AppArmor. Do you have an estimate of how long it would take to enable AppArmor?
Thanks,
Jagtar
but they do not control filesystem or device access. Those controls are handled by AppArmor.
Understood, just wanted to check beforehand to be sure.
Do you have an estimate of how long it would take to enable AppArmor?
Given the information you have provided so far. I still need to make a formal request for this feature to our product team. They will then decide on priority and scheduling for the work to be done. Meaning it’s a bit premature at the moment to give any kind of rough timeline.
Since you’re asking about timeline, is this something you require urgently on your side? Is there a timeline where you need this feature in Torizon OS? If so, could you give us an idea of when?
Best Regards,
Jeremias
Hi Jeremias,
Yes, this is something we require urgently on our side. Ideally, we would like to have this feature available as soon as possible. If you could share an estimated timeline or any tentative milestones, that would really help us plan accordingly.
Thanks,
Jagtar
Yes, this is something we require urgently on our side. Ideally, we would like to have this feature available as soon as possible.
Understood I’ll mark this as urgently needed by you on the internal feature request.
If you could share an estimated timeline or any tentative milestones, that would really help us plan accordingly.
Our product team will first need to look at and discuss the feature request before any kind of prioritization or timeline can be made. I’ll try to update you once any new information on our side comes about.
Best Regards,
Jeremias
