Merge pull request #14864 from ewindisch/apparmor-engine-policy
Add AppArmor policy for the docker binary
This commit is contained in:
Jessie Frazelle
commit
a7d8450312
3 changed files with 74 additions and 0 deletions
71
contrib/apparmor/docker-engine
Normal file
71
contrib/apparmor/docker-engine
Normal file
|
|
@ -0,0 +1,71 @@
|
|||
@{DOCKER_GRAPH_PATH}=/var/lib/docker
|
||||
|
||||
profile /usr/bin/docker (attach_disconnected) {
|
||||
# Prevent following links to these files during container setup.
|
||||
deny /etc/** mkl,
|
||||
deny /dev/** kl,
|
||||
deny /sys/** mkl,
|
||||
deny /proc/** mkl,
|
||||
|
||||
mount -> @{DOCKER_GRAPH_PATH}/**,
|
||||
mount -> /,
|
||||
mount -> /proc/**,
|
||||
mount -> /sys/**,
|
||||
mount -> /run/docker/netns/**,
|
||||
|
||||
umount,
|
||||
pivot_root,
|
||||
signal (receive) peer=@{profile_name},
|
||||
signal (receive) peer=unconfined,
|
||||
signal (send),
|
||||
ipc rw,
|
||||
network,
|
||||
capability,
|
||||
file,
|
||||
|
||||
ptrace peer=@{profile_name},
|
||||
|
||||
/usr/bin/docker pix,
|
||||
/sbin/xtables-multi rCix,
|
||||
/sbin/iptables rCx,
|
||||
/sbin/modprobe rCx,
|
||||
/sbin/auplink rCx,
|
||||
/usr/bin/xz rCx,
|
||||
|
||||
# Transitions
|
||||
change_profile -> docker-*,
|
||||
change_profile -> unconfined,
|
||||
|
||||
profile /sbin/iptables {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability net_admin,
|
||||
}
|
||||
profile /sbin/auplink flags=(attach_disconnected) {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability sys_admin,
|
||||
capability dac_override,
|
||||
|
||||
@{DOCKER_GRAPH_PATH}/aufs/** rw,
|
||||
# For user namespaces:
|
||||
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
|
||||
|
||||
# The following may be removed via delegates
|
||||
/sys/fs/aufs/** r,
|
||||
/lib/** r,
|
||||
/apparmor/.null r,
|
||||
/dev/null rw,
|
||||
/etc/ld.so.cache r,
|
||||
/sbin/auplink rm,
|
||||
/proc/fs/aufs/** rw,
|
||||
/proc/[0-9]*/mounts rw,
|
||||
}
|
||||
profile /sbin/modprobe {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability sys_module,
|
||||
file,
|
||||
}
|
||||
# xz works via pipes, so we do not need access to the filesystem.
|
||||
profile /usr/bin/xz {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
}
|
||||
}
|
||||
|
|
@ -34,6 +34,7 @@ override_dh_installudev:
|
|||
|
||||
override_dh_install:
|
||||
dh_apparmor --profile-name=docker -pdocker-engine
|
||||
dh_apparmor --profile-name=docker-engine -pdocker-engine
|
||||
|
||||
%:
|
||||
dh $@ --with=bash-completion $(shell command -v dh_systemd_enable > /dev/null 2>&1 && echo --with=systemd)
|
||||
|
|
|
|||
|
|
@ -75,6 +75,7 @@ bundle_ubuntu() {
|
|||
# Include contributed apparmor policy
|
||||
mkdir -p "$DIR/etc/apparmor.d/"
|
||||
cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"
|
||||
cp contrib/apparmor/docker-engine "$DIR/etc/apparmor.d/"
|
||||
|
||||
# Copy the binary
|
||||
# This will fail if the binary bundle hasn't been built
|
||||
|
|
@ -95,6 +96,7 @@ fi
|
|||
|
||||
if ( aa-status --enabled ); then
|
||||
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
|
||||
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker-engine
|
||||
fi
|
||||
|
||||
if ! { [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; }; then
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue