Last active
November 26, 2020 13:26
-
-
Save ewindisch/1b24dcda52e11b63d306 to your computer and use it in GitHub Desktop.
docker apparmor profile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <tunables/global> | |
| profile /usr/bin/docker flags=(attach_disconnected, chroot_relative) { | |
| # Daemon requirements | |
| signal, | |
| ipc rw, | |
| network, | |
| capability, | |
| mount -> /var/lib/docker/**, | |
| mount -> /, | |
| mount -> /proc/**, | |
| mount -> /sys/**, | |
| umount, | |
| pivot_root, | |
| /var/lib/docker/* rw, | |
| /var/run/docker.sock rw, | |
| /sbin/apparmor_parser rix, | |
| /sbin/xtables-multi rix, | |
| /sbin/iptables rix, | |
| /sbin/modprobe rix, | |
| /usr/bin/docker rix, | |
| /sbin/auplink rix, | |
| /usr/bin/xz rix, | |
| # Client requirements... | |
| /var/run/docker.sock rw, | |
| /proc/sys/net/core/somaxconn r, | |
| /proc/sys/kernel/cap_last_cap r, | |
| /run/docker.sock rw, | |
| # For accessing build contexts, local cp, etc. | |
| owner /** rw, | |
| # Transitions | |
| change_profile -> docker-default, | |
| profile /sbin/iptables { | |
| capability net_admin, | |
| } | |
| profile /sbin/auplink { | |
| capability net_admin, | |
| capability net_raw, | |
| } | |
| profile /sbin/modprobe { | |
| capability sys_module, | |
| /lib/modules/*/** r, | |
| } | |
| } | |
| profile docker-default flags=(attach_disconnected,mediate_deleted,namespace_relative, audit) { | |
| #include <abstractions/base> | |
| network, | |
| file, | |
| allow capability net_raw, | |
| allow capability net_bind_service, | |
| allow capability audit_write, | |
| allow capability dac_override, | |
| allow capability setfcap, | |
| allow capability setpcap, | |
| allow capability setgid, | |
| allow capability setuid, | |
| allow capability mknod, | |
| allow capability fowner, | |
| allow capability fsetid, | |
| allow capability kill, | |
| allow capability sys_chroot, | |
| allow /var/lib/docker/** rw, | |
| allow @{PROC}/[0-9]*/** rwkl, | |
| allow @{PROC}/uptime rwkl, | |
| allow @{PROC}/cpuinfo rwkl, | |
| deny mount, | |
| deny @{PROC}/** wklx, | |
| deny @{PROC}/attr/** wklx, | |
| deny @{PROC}/fs/** wklx, | |
| deny @{PROC}/timer_stats rwklx, | |
| deny @{PROC}/latency_stats rwklx, | |
| deny @{PROC}/[0-9]*/attr/** wklx, | |
| deny @{PROC}/sys/fs/** wklx, | |
| deny @{PROC}/sysrq-trigger rwklx, | |
| deny @{PROC}/mem rwklx, | |
| deny @{PROC}/kmem rwklx, | |
| deny @{PROC}/kcore rwklx, | |
| deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, | |
| deny @{PROC}/sys/kernel/*/** wklx, | |
| deny /sys/[^f]*/** wklx, | |
| deny /sys/f[^s]*/** wklx, | |
| deny /sys/fs/[^c]*/** wklx, | |
| deny /sys/fs/c[^g]*/** wklx, | |
| deny /sys/fs/cg[^r]*/** wklx, | |
| deny /sys/firmware/efi/efivars/** rwklx, | |
| deny /sys/kernel/security/** rwklx, | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment