We use cookies to ensure you get the best experience on our website
Halaman utama Jelajahi Bantuan
Daftar Masuk
0ct0pu5
/
moby
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Jelajahi Sumber

Policy extensions for user namespaces and docker exec

A few additions to the policy when running with user namespaces enabled
and when running 'docker exec'.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Stefan Berger 9 tahun lalu
induk
18c9fe0cec
melakukan
6079d9d6a3
1 mengubah file dengan 5 tambahan dan 0 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 5 0
      contrib/apparmor/template.go

+ 5 - 0
contrib/apparmor/template.go
Tampilan Berkas 

@@ -33,14 +33,19 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 
   @{DOCKER_GRAPH_PATH}/linkgraph.db k,
 
   @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
 
   @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
 
+  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
 
 
   # For non-root client use:
 
   /dev/urandom r,
 
+  /dev/null rw,
 
+  /dev/pts/[0-9]* rw,
 
   /run/docker.sock rw,
 
   /proc/** r,
 
+  /proc/[0-9]*/attr/exec w,
 
   /sys/kernel/mm/hugepages/ r,
 
   /etc/localtime r,
 
   /etc/ld.so.cache r,
 
+  /etc/passwd r,
 
 
 {{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
 
   ptrace peer=@{profile_name},

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5