|
|
@@ -2,6 +2,12 @@
|
|
|
|
|
|
package apparmor // import "github.com/docker/docker/profiles/apparmor"
|
|
|
|
|
|
+// NOTE: This profile is replicated in containerd and libpod. If you make a
|
|
|
+// change to this profile, please make follow-up PRs to those projects so
|
|
|
+// that these rules can be synchronised (because any issue with this
|
|
|
+// profile will likely affect libpod and containerd).
|
|
|
+// TODO: Move this to a common project so we can maintain it in one spot.
|
|
|
+
|
|
|
// baseTemplate defines the default apparmor profile for containers.
|
|
|
const baseTemplate = `
|
|
|
{{range $value := .Imports}}
|
|
|
@@ -18,9 +24,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
|
|
file,
|
|
|
umount,
|
|
|
{{if ge .Version 208096}}
|
|
|
-{{/* Allow 'docker kill' to actually send signals to container processes. */}}
|
|
|
+ # Host (privileged) processes may send signals to container processes.
|
|
|
+ signal (receive) peer=unconfined,
|
|
|
+ # dockerd may send signals to container processes (for "docker kill").
|
|
|
signal (receive) peer={{.DaemonProfile}},
|
|
|
-{{/* Allow container processes to send signals amongst themselves. */}}
|
|
|
+ # Container processes may send signals amongst themselves.
|
|
|
signal (send,receive) peer={{.Name}},
|
|
|
{{end}}
|
|
|
|
Justin Cormack