
package main

// dockerProfileTemplate is the text/template source for the AppArmor profile
// that confines the Docker daemon binary, /usr/bin/docker. This file holds
// only the template text; how the rendered profile is loaded into the kernel
// is not visible here.
//
// Template data: the only field referenced is .Version, compared with
// `ge .Version 209000`. The rules under those guards (signal, ptrace and
// change_profile rules, plus a few signal rules in the child profiles) are
// emitted only when .Version is at least 209000. The value presumably encodes
// the host AppArmor version (e.g. 2.9.0 -> 209000) — confirm against the
// caller that fills it in. Render it with text/template rather than
// html/template; the latter would escape the `>` in the `mount ->` rules
// (which package is used cannot be told from this file — verify).
//
// @{DOCKER_GRAPH_PATH} is an AppArmor variable set on the first line to
// /var/lib/docker and referenced by the mount, lock (k) and graph-path rules.
//
// Mode: every profile and nested child profile carries the `complain` flag,
// so the kernel logs accesses the profile does not allow instead of blocking
// them. Several `deny` rules exist, per the profile's own comments, to quiet
// expected denials in the audit log (ptrace in /bin/ps, dac_override) rather
// than to narrow what the daemon can do.
//
// Scope: the top-level profile is wide — unrestricted `capability,` and
// `network,`, `owner /** rw,`, full mount/umount/pivot_root — with the
// leading `deny ... mkl`/`kl` rules on /etc, /dev, /sys and /proc acting, as
// the comment says, to stop link-following during container setup. A
// re-exec of the daemon stays confined (`/usr/bin/docker pix`). Helper
// binaries the daemon runs (iptables, xtables-multi, modprobe/kmod, auplink,
// mke2fs, tune2fs, blkid, xz, ps, tar, cat, zfs, apparmor_parser) get `rCx`
// transitions into the nested child profiles below, so each helper runs
// under its own narrower rule set named by its path (note `/bin/tar rCx`
// has no matching child profile in this template — confirm whether that is
// intended). The `/usr/bin/docker///bin/ps` peer name appears to be the
// parent//child spelling of the nested /bin/ps profile — verify.
const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker
profile /usr/bin/docker (attach_disconnected, complain) {
# Prevent following links to these files during container setup.
deny /etc/** mkl,
deny /dev/** kl,
deny /sys/** mkl,
deny /proc/** mkl,
mount -> @{DOCKER_GRAPH_PATH}/**,
mount -> /,
mount -> /proc/**,
mount -> /sys/**,
mount -> /run/docker/netns/**,
mount -> /.pivot_root[0-9]*/,
/ r,
umount,
pivot_root,
{{if ge .Version 209000}}
signal (receive) peer=@{profile_name},
signal (receive) peer=unconfined,
signal (send),
{{end}}
network,
capability,
owner /** rw,
@{DOCKER_GRAPH_PATH}/** rwl,
@{DOCKER_GRAPH_PATH}/linkgraph.db k,
@{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
@{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
# For non-root client use:
/dev/urandom r,
/dev/null rw,
/dev/pts/[0-9]* rw,
/run/docker.sock rw,
/proc/** r,
/proc/[0-9]*/attr/exec w,
/sys/kernel/mm/hugepages/ r,
/etc/localtime r,
/etc/ld.so.cache r,
/etc/passwd r,
{{if ge .Version 209000}}
ptrace peer=@{profile_name},
ptrace (read) peer=docker-default,
deny ptrace (trace) peer=docker-default,
deny ptrace peer=/usr/bin/docker///bin/ps,
{{end}}
/usr/lib/** rm,
/lib/** rm,
/usr/bin/docker pix,
/sbin/xtables-multi rCx,
/sbin/iptables rCx,
/sbin/modprobe rCx,
/sbin/auplink rCx,
/sbin/mke2fs rCx,
/sbin/tune2fs rCx,
/sbin/blkid rCx,
/bin/kmod rCx,
/usr/bin/xz rCx,
/bin/ps rCx,
/bin/tar rCx,
/bin/cat rCx,
/sbin/zfs rCx,
/sbin/apparmor_parser rCx,
{{if ge .Version 209000}}
# Transitions
change_profile -> docker-*,
change_profile -> unconfined,
{{end}}
profile /bin/cat (complain) {
/etc/ld.so.cache r,
/lib/** rm,
/dev/null rw,
/proc r,
/bin/cat mr,
# For reading in 'docker stats':
/proc/[0-9]*/net/dev r,
}
profile /bin/ps (complain) {
/etc/ld.so.cache r,
/etc/localtime r,
/etc/passwd r,
/etc/nsswitch.conf r,
/lib/** rm,
/proc/[0-9]*/** r,
/dev/null rw,
/bin/ps mr,
{{if ge .Version 209000}}
# We don't need ptrace so we'll deny and ignore the error.
deny ptrace (read, trace),
{{end}}
# Quiet dac_override denials
deny capability dac_override,
deny capability dac_read_search,
deny capability sys_ptrace,
/dev/tty r,
/proc/stat r,
/proc/cpuinfo r,
/proc/meminfo r,
/proc/uptime r,
/sys/devices/system/cpu/online r,
/proc/sys/kernel/pid_max r,
/proc/ r,
/proc/tty/drivers r,
}
profile /sbin/iptables (complain) {
{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
{{end}}
capability net_admin,
}
profile /sbin/auplink flags=(attach_disconnected, complain) {
{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
{{end}}
capability sys_admin,
capability dac_override,
@{DOCKER_GRAPH_PATH}/aufs/** rw,
@{DOCKER_GRAPH_PATH}/tmp/** rw,
# For user namespaces:
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
/sys/fs/aufs/** r,
/lib/** rm,
/apparmor/.null r,
/dev/null rw,
/etc/ld.so.cache r,
/sbin/auplink rm,
/proc/fs/aufs/** rw,
/proc/[0-9]*/mounts rw,
}
profile /sbin/modprobe /bin/kmod (complain) {
{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
{{end}}
capability sys_module,
/etc/ld.so.cache r,
/lib/** rm,
/dev/null rw,
/apparmor/.null rw,
/sbin/modprobe rm,
/bin/kmod rm,
/proc/cmdline r,
/sys/module/** r,
/etc/modprobe.d{/,/**} r,
}
# xz works via pipes, so we do not need access to the filesystem.
profile /usr/bin/xz (complain) {
{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
{{end}}
/etc/ld.so.cache r,
/lib/** rm,
/usr/bin/xz rm,
deny /proc/** rw,
deny /sys/** rw,
}
profile /sbin/xtables-multi (attach_disconnected, complain) {
/etc/ld.so.cache r,
/lib/** rm,
/sbin/xtables-multi rm,
/apparmor/.null w,
/dev/null rw,
/proc r,
capability net_raw,
capability net_admin,
network raw,
}
profile /sbin/zfs (attach_disconnected, complain) {
file,
capability,
}
profile /sbin/mke2fs (complain) {
/sbin/mke2fs rm,
/lib/** rm,
/apparmor/.null w,
/etc/ld.so.cache r,
/etc/mke2fs.conf r,
/etc/mtab r,
/dev/dm-* rw,
/dev/urandom r,
/dev/null rw,
/proc/swaps r,
/proc/[0-9]*/mounts r,
}
profile /sbin/tune2fs (complain) {
/sbin/tune2fs rm,
/lib/** rm,
/apparmor/.null w,
/etc/blkid.conf r,
/etc/mtab r,
/etc/ld.so.cache r,
/dev/null rw,
/dev/.blkid.tab r,
/dev/dm-* rw,
/proc/swaps r,
/proc/[0-9]*/mounts r,
}
profile /sbin/blkid (complain) {
/sbin/blkid rm,
/lib/** rm,
/apparmor/.null w,
/etc/ld.so.cache r,
/etc/blkid.conf r,
/dev/null rw,
/dev/.blkid.tab rl,
/dev/.blkid.tab* rwl,
/dev/dm-* r,
/sys/devices/virtual/block/** r,
capability mknod,
mount -> @{DOCKER_GRAPH_PATH}/**,
}
profile /sbin/apparmor_parser (complain) {
/sbin/apparmor_parser rm,
/lib/** rm,
/etc/ld.so.cache r,
/etc/apparmor/** r,
/etc/apparmor.d/** r,
/etc/apparmor.d/cache/** w,
/dev/null rw,
/sys/kernel/security/apparmor/** r,
/sys/kernel/security/apparmor/.replace w,
/proc/[0-9]*/mounts r,
/proc/sys/kernel/osrelease r,
/proc r,
capability mac_admin,
}
}`