We use cookies to ensure you get the best experience on our website
Inicio Explorar Axuda
Rexistro Iniciar sesión
0ct0pu5
/
moby
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Explorar o código

Merge pull request #14855 from ewindisch/apparmor-unconfined

Introduce a dedicated unconfined AA policy
David Calavera %!s(int64=10) %!d(string=hai) anos
pai
e5d8fb9658 87376c3add
achega
ac9fc03c74
Modificáronse 2 ficheiros con 13 adicións e 1 borrados
Unificar vista Mostrar estatísticas de Diff
  1. 12 0
      contrib/apparmor/docker
  2. 1 1
      daemon/execdriver/native/create.go

+ 12 - 0
contrib/apparmor/docker
Ver ficheiro 

@@ -23,3 +23,15 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
 
   deny /sys/firmware/efi/efivars/** rwklx,
 
   deny /sys/firmware/efi/efivars/** rwklx,
 
   deny /sys/kernel/security/** rwklx,
 
   deny /sys/kernel/security/** rwklx,
 
 }
 
 }
 
+
 
+profile docker-unconfined flags=(attach_disconnected,mediate_deleted) {
 
+  #include <abstractions/base>
 
+
 
+  network,
 
+  capability,
 
+  file,
 
+  umount,
 
+  mount,
 
+  pivot_root,
 
+  change_profile -> *,
 
+}

+ 1 - 1
daemon/execdriver/native/create.go
Ver ficheiro 

@@ -198,7 +198,7 @@ func (d *driver) setPrivileged(container *configs.Config) (err error) {
 
 	container.Devices = hostDevices
 
 	container.Devices = hostDevices
 
 
 
 	if apparmor.IsEnabled() {
 
 	if apparmor.IsEnabled() {
 
-		container.AppArmorProfile = "unconfined"
 
+		container.AppArmorProfile = "docker-unconfined"
 
 	}
 
 	}
 
 
 
 	return nil
 
 	return nil

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5