AppArmor profiles for the Grafana, Loki, Promtail and Traefik containers (one `docker-*` profile per container, to be loaded with apparmor_parser and attached to the container at start-up)
#include <tunables/global>
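# attach_disconnected: keep mediating paths that are disconnected from the
# namespace root (container mounts); mediate_deleted: keep mediating files
# that were unlinked while still open.
profile docker-grafana flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Outer profile: covers the container entrypoint /run.sh (presumably a
  # busybox shell script, given the busybox rule below). It is deliberately
  # loose; the real confinement is the child profile entered when the script
  # execs the grafana binary (Cx).
  /run.sh r,
  # Broad on purpose: everything under /etc -- including any secrets mounted
  # there -- is readable by the entrypoint.
  /etc/** r,
  /dev/tty rw,

  # Anything /run.sh forks through /bin/busybox leaves confinement entirely
  # ("u" = unconfined) and is therefore outside this policy. The upper-case
  # form additionally scrubs the environment (AT_SECURE: LD_PRELOAD,
  # LD_LIBRARY_PATH & co. are dropped) across that transition, which plain
  # "ux" did not. "ix" would be tighter, but then every path those helpers
  # touch must be listed here -- TODO confirm against the image's /run.sh
  # before tightening further.
  /bin/busybox Ux,

  # Transition into the named child profile when grafana is exec'd.
  /usr/share/grafana/bin/grafana mrCx,

  # NOTE(review): the child declares no flags= of its own; confirm that it
  # does not need attach_disconnected/mediate_deleted like the parent.
  profile /usr/share/grafana/bin/grafana {
    #include <abstractions/base>
    #include <abstractions/ssl_certs>

    network tcp, # HTTP/S.
    network udp, # DNS.

    # Resolver / NSS configuration and user lookup.
    /etc/hosts r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /etc/resolv.conf r,

    # Grafana configuration tree, read-only: nothing here should be writable
    # by the service itself.
    /etc/grafana/** r,

    # Go-runtime self-inspection. [1-9] matches one-digit PIDs only, which is
    # enough while grafana is PID 1-9 in the container's PID namespace; a
    # larger PID would be denied (@{pid} from tunables/kernelvars is the
    # general form).
    /proc/[1-9]/{cpuset,limits,stat,fd/} r,
    /proc/sys/net/core/somaxconn r,
    /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

    # Installed application tree. The binary additionally gets "m"
    # (mmap PROT_EXEC) -- presumably required at runtime; confirm before
    # dropping it.
    /usr/share/grafana/** r,
    /usr/share/grafana/bin/grafana mr,

    # State directory: read everything, write only the subtrees grafana needs
    # (names suggest alerting state and CSV/PNG exports) plus the database and
    # its -journal (presumably SQLite; "k" = file locking).
    /var/lib/grafana/ r,
    /var/lib/grafana/** r,
    /var/lib/grafana/{alerting,csv,png}/ rw,
    /var/lib/grafana/{alerting,csv,png}/** rw,
    /var/lib/grafana/grafana.db{,-journal} rwk,

    # Attempted but not needed; an explicit deny keeps the attempts out of
    # the audit log.
    deny network netlink,
  }
}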
#include <tunables/global>
# attach_disconnected: keep mediating paths disconnected from the namespace
# root (container mounts); mediate_deleted: keep mediating unlinked-but-open
# files.
profile docker-loki flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/ssl_certs>

  # TCP only (HTTP/S). UDP is denied below, so any name resolution Loki
  # attempts will fail (Go's resolver presumably starts with UDP) -- fine as
  # long as it only serves / is only reached by IP.
  network tcp, # HTTP/S.

  # Resolver / NSS configuration.
  /etc/{hosts,nsswitch.conf,resolv.conf} r,

  # Loki's own configuration, read-only.
  /etc/loki/loki.yaml r,

  # Loki data directory ("k" = file locking). /loki/ itself is not listed;
  # "**" appears to match children only, so listing the top directory would
  # be denied -- add "/loki/ r," if that ever shows up in the audit log.
  /loki/** rwk,

  # Scratch files directly under /tmp (not subdirectories).
  /tmp/* rwk,

  # Go-runtime self-inspection; [1-9] matches single-digit PIDs only.
  /proc/[1-9]/{cpuset,limits,stat,fd/} r,
  /proc/sys/net/core/somaxconn r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # ix: should loki ever re-exec itself it stays under this profile.
  /usr/bin/loki rix,

  # Attempted but not needed; explicit denies keep the attempts out of the
  # audit log. busybox (the shell) is never allowed to run from Loki.
  deny network udp,
  deny network netlink,
  deny /bin/busybox x,
}
#include <tunables/global>
# attach_disconnected: keep mediating paths disconnected from the namespace
# root (container mounts); mediate_deleted: keep mediating unlinked-but-open
# files.
profile docker-promtail flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/ssl_certs>
  # ssl_keys grants read access to the system private-key directories; only
  # needed if promtail's client-TLS key lives there -- drop it if it does not.
  #include <abstractions/ssl_keys>

  network tcp, # Loki.
  network udp, # DNS.

  # Resolver / NSS configuration and user lookup.
  /etc/{hosts,nsswitch.conf,passwd,resolv.conf} r,

  # Configuration and credentials (service_account.json is presumably a cloud
  # service-account key: read-only). The positions file gets rw on both the
  # final name and the dotfile/suffixed variants, presumably because it is
  # rewritten via a temporary file and rename.
  /etc/promtail/promtail.yaml r,
  /etc/promtail/service_account.json r,
  /etc/promtail/{,.}positions.yaml* rw,
  /tmp/.positions.yaml* rw,

  # GeoIP databases (presumably for a geoip pipeline stage).
  /etc/geoip/* r,

  # Log sources: the host journal and docker's json-file container logs.
  /var/log/journal/{,**} r,
  /var/lib/docker/containers/ r,
  /var/lib/docker/containers/*/ r,
  /var/lib/docker/containers/*/*-json.log r,

  # Go-runtime self-inspection; [1-9] matches single-digit PIDs only.
  /proc/[1-9]/{limits,stat,fd/} r,
  /proc/sys/net/core/somaxconn r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # No "x" on the binary: the profile is attached by the container runtime
  # on the initial exec; add "ix" if promtail ever re-execs itself.
  /usr/bin/promtail r,

  # Attempted but not needed; explicit deny keeps it out of the audit log.
  deny network netlink,
}
#include <tunables/global>
# attach_disconnected: keep mediating paths disconnected from the namespace
# root (container mounts); mediate_deleted: keep mediating unlinked-but-open
# files. Rules below use the same "path perms" ordering as the other
# profiles.
profile docker-traefik flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Bind privileged (<1024) listener ports.
  capability net_bind_service,

  network tcp, # HTTP/S.
  network udp, # DNS/HTTP3.
  network unix, # Docker socket.
  deny network netlink, # Noisy; suppress logging.

  # Entrypoint (read only; the runtime attaches the profile on exec) and
  # host/resolver files.
  /entrypoint.sh r,
  /etc/{hosts,nsswitch.conf,os-release,resolv.conf} r,

  # CA bundle, listed explicitly rather than via abstractions/ssl_certs
  # (narrower than the abstraction).
  /etc/ssl/certs/ r,
  /etc/ssl/certs/** r,
  /usr/share/ca-certificates/** r,

  # Traefik configuration. acme.json is the only writable file (presumably
  # the ACME account key plus issued certificates and keys -- treat as a
  # secret); gcloud.json is a read-only cloud credential, presumably for a
  # DNS challenge.
  /etc/traefik/file-providers/ r,
  /etc/traefik/file-providers/* r,
  /etc/traefik/acme.json rw,
  /etc/gcloud.json r,

  # Go-runtime self-inspection; [1-9] matches single-digit PIDs only.
  /proc/meminfo r,
  /proc/stat r,
  /proc/sys/net/core/somaxconn r,
  /proc/[1-9]/{cgroup,limits,stat,fd/} r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # ix: a re-exec stays under this profile.
  /usr/local/bin/traefik rix,

  # Docker API via a socket proxy; the raw daemon socket is never granted.
  /var/run/docker_proxy/docker_proxy.sock rw,
}