I would like to allow a container to write to its own virtual disk (/etc), but prevent it from accessing the real disk (/etc). I believe this is possible with SELinux by using labels, but is it also possible with AppArmor? I haven't found any online examples of this.
Reproducible example:
```shell
cat > /etc/apparmor.d/containers/docker-empty <<EOF
#include <tunables/global>
profile docker-empty flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  file,
  deny /etc/** wl,
  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,
}
EOF
apparmor_parser -r -W /etc/apparmor.d/containers/docker-empty

# docker ignores apparmor setting, so podman must be used
# pass (should pass)
podman run --security-opt "apparmor=docker-empty" --rm -it debian:12 touch /test
# fail (should pass)
podman run --security-opt "apparmor=docker-empty" --rm -it debian:12 touch /etc/test
# pass (should fail)
podman run --security-opt "apparmor=docker-empty" --rm -it -v /:/realroot debian:12 touch /realroot/test
# pass (should fail)
podman run --security-opt "apparmor=docker-empty" --rm -it -v /:/realroot debian:12 touch /realroot/etc/test
```
The last one is especially annoying, because the AppArmor profile prevents access to the virtual `/etc`, but doesn't block access to the real `/etc`, since it is mounted in a different path, `/realroot/etc`.