diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index e6d0b6d37c..4999ca5dc6 100644
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -20,11 +20,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 umount,
 pivot_root,
-{{if ge .Version 209000}}
 signal (receive) peer=@{profile_name},
 signal (receive) peer=unconfined,
 signal (send),
-{{end}}
 network,
 capability,
 owner /** rw,
@@ -47,12 +45,10 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /etc/ld.so.cache r,
 /etc/passwd r,
-{{if ge .Version 209000}}
 ptrace peer=@{profile_name},
 ptrace (read) peer=docker-default,
 deny ptrace (trace) peer=docker-default,
 deny ptrace peer=/usr/bin/docker///bin/ps,
-{{end}}
 /usr/lib/** rm,
 /lib/** rm,
@@ -73,11 +69,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /sbin/zfs rCx,
 /sbin/apparmor_parser rCx,
-{{if ge .Version 209000}}
 # Transitions
 change_profile -> docker-*,
 change_profile -> unconfined,
-{{end}}
 profile /bin/cat (complain) {
 /etc/ld.so.cache r,
@@ -99,10 +93,8 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /dev/null rw,
 /bin/ps mr,
-{{if ge .Version 209000}}
 # We don't need ptrace so we'll deny and ignore the error.
 deny ptrace (read, trace),
-{{end}}
 # Quiet dac_override denials
 deny capability dac_override,
@@ -120,15 +112,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /proc/tty/drivers r,
 }
 profile /sbin/iptables (complain) {
-{{if ge .Version 209000}}
 signal (receive) peer=/usr/bin/docker,
-{{end}}
 capability net_admin,
 }
 profile /sbin/auplink flags=(attach_disconnected, complain) {
-{{if ge .Version 209000}}
 signal (receive) peer=/usr/bin/docker,
-{{end}}
 capability sys_admin,
 capability dac_override,
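Review bot: With the `ge .Version 209000` guards removed, the `signal` rules in this hunk — and the `ptrace`, `change_profile` and subprofile `signal` rules in the four hunks that follow plus the `/sbin/modprobe` hunk — are emitted unconditionally, so on a host whose apparmor_parser predates those rule types the entire `/usr/bin/docker` profile is rejected at load time rather than degrading to the previously unguarded subset. Nothing in the change records the minimum parser version the template now assumes; a comment on the profile header line (which sits before this hunk) would make it explicit, e.g. `# Requires an apparmor_parser that accepts signal, ptrace and change_profile rules (the 2.9 threshold the old 209000 guard encoded); older parsers reject the whole profile.` If no other `.Version` reference survives in the template, the struct field that supplies it and whatever probes the parser version to fill it are presumably dead code now, and could either be dropped or repurposed into an explicit up-front version check that fails with a clear message before apparmor_parser does.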
@@ -147,9 +135,7 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /proc/[0-9]*/mounts rw,
 }
 profile /sbin/modprobe /bin/kmod (complain) {
-{{if ge .Version 209000}}
 signal (receive) peer=/usr/bin/docker,
-{{end}}
 capability sys_module,
 /etc/ld.so.cache r,
 /lib/** rm,