123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268 |
- package main
- const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker
- profile /usr/bin/docker (attach_disconnected, complain) {
- # Prevent following links to these files during container setup.
- deny /etc/** mkl,
- deny /dev/** kl,
- deny /sys/** mkl,
- deny /proc/** mkl,
- mount -> @{DOCKER_GRAPH_PATH}/**,
- mount -> /,
- mount -> /proc/**,
- mount -> /sys/**,
- mount -> /run/docker/netns/**,
- mount -> /.pivot_root[0-9]*/,
- / r,
- umount,
- pivot_root,
- {{if ge .Version 209000}}
- signal (receive) peer=@{profile_name},
- signal (receive) peer=unconfined,
- signal (send),
- {{end}}
- network,
- capability,
- owner /** rw,
- @{DOCKER_GRAPH_PATH}/** rwl,
- @{DOCKER_GRAPH_PATH}/linkgraph.db k,
- @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
- @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
- @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
- # For non-root client use:
- /dev/urandom r,
- /dev/null rw,
- /dev/pts/[0-9]* rw,
- /run/docker.sock rw,
- /proc/** r,
- /proc/[0-9]*/attr/exec w,
- /sys/kernel/mm/hugepages/ r,
- /etc/localtime r,
- /etc/ld.so.cache r,
- /etc/passwd r,
- {{if ge .Version 209000}}
- ptrace peer=@{profile_name},
- ptrace (read) peer=docker-default,
- deny ptrace (trace) peer=docker-default,
- deny ptrace peer=/usr/bin/docker///bin/ps,
- {{end}}
- /usr/lib/** rm,
- /lib/** rm,
- /usr/bin/docker pix,
- /sbin/xtables-multi rCx,
- /sbin/iptables rCx,
- /sbin/modprobe rCx,
- /sbin/auplink rCx,
- /sbin/mke2fs rCx,
- /sbin/tune2fs rCx,
- /sbin/blkid rCx,
- /bin/kmod rCx,
- /usr/bin/xz rCx,
- /bin/ps rCx,
- /bin/tar rCx,
- /bin/cat rCx,
- /sbin/zfs rCx,
- /sbin/apparmor_parser rCx,
- {{if ge .Version 209000}}
- # Transitions
- change_profile -> docker-*,
- change_profile -> unconfined,
- {{end}}
- profile /bin/cat (complain) {
- /etc/ld.so.cache r,
- /lib/** rm,
- /dev/null rw,
- /proc r,
- /bin/cat mr,
- # For reading in 'docker stats':
- /proc/[0-9]*/net/dev r,
- }
- profile /bin/ps (complain) {
- /etc/ld.so.cache r,
- /etc/localtime r,
- /etc/passwd r,
- /etc/nsswitch.conf r,
- /lib/** rm,
- /proc/[0-9]*/** r,
- /dev/null rw,
- /bin/ps mr,
- {{if ge .Version 209000}}
- # We don't need ptrace so we'll deny and ignore the error.
- deny ptrace (read, trace),
- {{end}}
- # Quiet dac_override denials
- deny capability dac_override,
- deny capability dac_read_search,
- deny capability sys_ptrace,
- /dev/tty r,
- /proc/stat r,
- /proc/cpuinfo r,
- /proc/meminfo r,
- /proc/uptime r,
- /sys/devices/system/cpu/online r,
- /proc/sys/kernel/pid_max r,
- /proc/ r,
- /proc/tty/drivers r,
- }
- profile /sbin/iptables (complain) {
- {{if ge .Version 209000}}
- signal (receive) peer=/usr/bin/docker,
- {{end}}
- capability net_admin,
- }
- profile /sbin/auplink flags=(attach_disconnected, complain) {
- {{if ge .Version 209000}}
- signal (receive) peer=/usr/bin/docker,
- {{end}}
- capability sys_admin,
- capability dac_override,
- @{DOCKER_GRAPH_PATH}/aufs/** rw,
- @{DOCKER_GRAPH_PATH}/tmp/** rw,
- # For user namespaces:
- @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
- /sys/fs/aufs/** r,
- /lib/** rm,
- /apparmor/.null r,
- /dev/null rw,
- /etc/ld.so.cache r,
- /sbin/auplink rm,
- /proc/fs/aufs/** rw,
- /proc/[0-9]*/mounts rw,
- }
- profile /sbin/modprobe /bin/kmod (complain) {
- {{if ge .Version 209000}}
- signal (receive) peer=/usr/bin/docker,
- {{end}}
- capability sys_module,
- /etc/ld.so.cache r,
- /lib/** rm,
- /dev/null rw,
- /apparmor/.null rw,
- /sbin/modprobe rm,
- /bin/kmod rm,
- /proc/cmdline r,
- /sys/module/** r,
- /etc/modprobe.d{/,/**} r,
- }
- # xz works via pipes, so we do not need access to the filesystem.
- profile /usr/bin/xz (complain) {
- {{if ge .Version 209000}}
- signal (receive) peer=/usr/bin/docker,
- {{end}}
- /etc/ld.so.cache r,
- /lib/** rm,
- /usr/bin/xz rm,
- deny /proc/** rw,
- deny /sys/** rw,
- }
- profile /sbin/xtables-multi (attach_disconnected, complain) {
- /etc/ld.so.cache r,
- /lib/** rm,
- /sbin/xtables-multi rm,
- /apparmor/.null w,
- /dev/null rw,
- /proc r,
- capability net_raw,
- capability net_admin,
- network raw,
- }
- profile /sbin/zfs (attach_disconnected, complain) {
- file,
- capability,
- }
- profile /sbin/mke2fs (complain) {
- /sbin/mke2fs rm,
- /lib/** rm,
- /apparmor/.null w,
- /etc/ld.so.cache r,
- /etc/mke2fs.conf r,
- /etc/mtab r,
- /dev/dm-* rw,
- /dev/urandom r,
- /dev/null rw,
- /proc/swaps r,
- /proc/[0-9]*/mounts r,
- }
- profile /sbin/tune2fs (complain) {
- /sbin/tune2fs rm,
- /lib/** rm,
- /apparmor/.null w,
- /etc/blkid.conf r,
- /etc/mtab r,
- /etc/ld.so.cache r,
- /dev/null rw,
- /dev/.blkid.tab r,
- /dev/dm-* rw,
- /proc/swaps r,
- /proc/[0-9]*/mounts r,
- }
- profile /sbin/blkid (complain) {
- /sbin/blkid rm,
- /lib/** rm,
- /apparmor/.null w,
- /etc/ld.so.cache r,
- /etc/blkid.conf r,
- /dev/null rw,
- /dev/.blkid.tab rl,
- /dev/.blkid.tab* rwl,
- /dev/dm-* r,
- /sys/devices/virtual/block/** r,
- capability mknod,
- mount -> @{DOCKER_GRAPH_PATH}/**,
- }
- profile /sbin/apparmor_parser (complain) {
- /sbin/apparmor_parser rm,
- /lib/** rm,
- /etc/ld.so.cache r,
- /etc/apparmor/** r,
- /etc/apparmor.d/** r,
- /etc/apparmor.d/cache/** w,
- /dev/null rw,
- /sys/kernel/security/apparmor/** r,
- /sys/kernel/security/apparmor/.replace w,
- /proc/[0-9]*/mounts r,
- /proc/sys/kernel/osrelease r,
- /proc r,
- capability mac_admin,
- }
- }`