From 946fe8e08d9debcafe76ee60d69261a0c0990368 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
Date: Tue, 5 May 2026 15:24:24 +0200
Subject: [PATCH] apparmor: Deny AF_ALG sockets in default container profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The AF_ALG address family exposes the Linux kernel crypto API to userspace via sockets. This has been a source of container escape vulnerabilities (see https://copy.fail/).

Unlike seccomp, which can only filter arguments of the direct socket(2) syscall, AppArmor hooks into the kernel's security_socket_create() LSM callback, which fires regardless of the syscall entry point. This means AppArmor also blocks AF_ALG sockets created via the legacy socketcall(2) multiplexer (used by 32-bit binaries), which seccomp cannot inspect because the address family is behind a userspace pointer that BPF cannot dereference.

The "deny network alg," rule is placed right after the blanket "network," allow rule so the deny takes precedence for this specific address family.

Signed-off-by: Paweł Gronowski
---
 apparmor/template.go | 2 ++
 apparmor/testdata/default.golden | 2 ++
 apparmor/testdata/with-abstractions-base.golden | 2 ++
 apparmor/testdata/with-api3.golden | 2 ++
 apparmor/testdata/with-custom-imports.golden | 2 ++
 apparmor/testdata/with-custom-inner-imports.golden | 2 ++
 apparmor/testdata/with-daemon-profile.golden | 2 ++
 apparmor/testdata/with-spaces.golden | 2 ++
 apparmor/testdata/with-tunables.golden | 2 ++
 9 files changed, 18 insertions(+)

diff --git a/apparmor/template.go b/apparmor/template.go
index 201bb71..4694a6c 100644
--- a/apparmor/template.go
+++ b/apparmor/template.go
@@ -32,6 +32,8 @@ profile "{{.Name}}" flags=(attach_disconnected,mediate_deleted) {
 {{- end}}{{if .InnerImports}} {{end}}
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
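Review bot: The comment added above `deny network alg,` (together with the commit message) attributes the deny's effect to its position after the blanket `network,` rule, but as far as I know AppArmor does not evaluate rules in order and an explicit `deny` overrides allow rules wherever it sits, so a reader could wrongly conclude that moving the line would weaken it; I would extend the comment to `# Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/. Explicit deny overrides the "network," allow above regardless of rule order.` A plain `deny` also quiets the kernel audit message for the rejected socket creation, so operators lose the signal that a workload attempted to open an AF_ALG socket; if that event is wanted in the log, `audit deny network alg,` keeps the block and restores the message (the golden files would change with it). The `alg` family keyword has to be accepted by the host's apparmor_parser, so it is worth confirming that the oldest parser this project supports still loads the profile, since a parse failure would affect the whole profile rather than just this rule. The template string that contains this hunk begins and ends outside it.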
diff --git a/apparmor/testdata/default.golden b/apparmor/testdata/default.golden
index b029d28..ad47f53 100644
--- a/apparmor/testdata/default.golden
+++ b/apparmor/testdata/default.golden
@@ -5,6 +5,8 @@ profile "default" flags=(attach_disconnected,mediate_deleted) {
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
diff --git a/apparmor/testdata/with-abstractions-base.golden b/apparmor/testdata/with-abstractions-base.golden
index e4e355b..af1f617 100644
--- a/apparmor/testdata/with-abstractions-base.golden
+++ b/apparmor/testdata/with-abstractions-base.golden
@@ -7,6 +7,8 @@ profile "abstractions-base" flags=(attach_disconnected,mediate_deleted) {
 #include
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
diff --git a/apparmor/testdata/with-api3.golden b/apparmor/testdata/with-api3.golden
index a796392..66a59a6 100644
--- a/apparmor/testdata/with-api3.golden
+++ b/apparmor/testdata/with-api3.golden
@@ -5,6 +5,8 @@ abi ,
 profile "with-api3" flags=(attach_disconnected,mediate_deleted) {
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
diff --git a/apparmor/testdata/with-custom-imports.golden b/apparmor/testdata/with-custom-imports.golden
index 46a200b..23f35e5 100644
--- a/apparmor/testdata/with-custom-imports.golden
+++ b/apparmor/testdata/with-custom-imports.golden
@@ -7,6 +7,8 @@ profile "custom-imports" flags=(attach_disconnected,mediate_deleted) {
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
diff --git a/apparmor/testdata/with-custom-inner-imports.golden b/apparmor/testdata/with-custom-inner-imports.golden
index ec1d975..4fa5c9a 100644
--- a/apparmor/testdata/with-custom-inner-imports.golden
+++ b/apparmor/testdata/with-custom-inner-imports.golden
@@ -8,6 +8,8 @@ profile "custom-inner-imports" flags=(attach_disconnected,mediate_deleted) {
 #include
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
diff --git a/apparmor/testdata/with-daemon-profile.golden b/apparmor/testdata/with-daemon-profile.golden
index f1fb4a5..a4c7a09 100644
--- a/apparmor/testdata/with-daemon-profile.golden
+++ b/apparmor/testdata/with-daemon-profile.golden
@@ -5,6 +5,8 @@ profile "with-daemon-profile" flags=(attach_disconnected,mediate_deleted) {
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
diff --git a/apparmor/testdata/with-spaces.golden b/apparmor/testdata/with-spaces.golden
index 73298eb..0d164cf 100644
--- a/apparmor/testdata/with-spaces.golden
+++ b/apparmor/testdata/with-spaces.golden
@@ -5,6 +5,8 @@ profile "Profile with spaces" flags=(attach_disconnected,mediate_deleted) {
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,
diff --git a/apparmor/testdata/with-tunables.golden b/apparmor/testdata/with-tunables.golden
index ad17c21..bb862e9 100644
--- a/apparmor/testdata/with-tunables.golden
+++ b/apparmor/testdata/with-tunables.golden
@@ -5,6 +5,8 @@ profile "tunables" flags=(attach_disconnected,mediate_deleted) {
 network,
+ # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/
+ deny network alg,
 capability,
 file,
 umount,