# AppArmor profile for the Docker daemon binary (/usr/bin/docker) and the
# helper programs it executes. Rules outside a nested `profile` block apply to
# the daemon itself; each nested block confines one helper after the daemon
# transitions into it via a `Cx` exec rule.

# Root of the daemon's state directory; referenced below as @{DOCKER_GRAPH_PATH}.
@{DOCKER_GRAPH_PATH}=/var/lib/docker

# attach_disconnected: paths that become disconnected from the namespace root
# (e.g. after the pivot_root permitted below) are still matched by the rules
# of this profile instead of being denied outright.
profile /usr/bin/docker (attach_disconnected) {
  # Prevent following links to these files during container setup.
  # Permission letters: m = mmap executable, k = file lock, l = link.
  # `deny` rules win over any allow rule, including the broad `file,` below.
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  # Mount destinations the daemon may use. `mount -> path` constrains only
  # the target; source and filesystem type are left unrestricted here.
  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,

  umount,
  pivot_root,
  # Signals: accepted from another process under this same profile or from an
  # unconfined process; the daemon may send signals without restriction.
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
  ipc rw,
  # NOTE(review): the next three rules are unrestricted grants -- every
  # network family/type, every capability, and every file permission on every
  # path (minus the `deny` rules above). The daemon itself is therefore only
  # lightly confined; the meaningful confinement is in the nested helper
  # profiles. Narrowing these is a policy decision, not a syntax fix.
  network,
  capability,
  file,

  # Only processes running under this same profile may be ptraced.
  ptrace peer=@{profile_name},

  # Re-executing the daemon binary stays under this profile
  # (pix: discrete-profile transition with inherit as fallback).
  /usr/bin/docker pix,
  # Helpers: r = read, Cx = transition into the nested child profile of the
  # same name. xtables-multi uses Cix, whose trailing i falls back to
  # inheriting this profile; no child profile for it is declared below.
  /sbin/xtables-multi rCix,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /usr/bin/xz rCx,

  # Transitions
  # The daemon may move a process it starts into any docker-* container
  # profile, or drop it to unconfined.
  change_profile -> docker-*,
  change_profile -> unconfined,

  # iptables child: only net_admin and a signal from the daemon are granted.
  # No file rules are listed -- presumably the binary's library reads are
  # satisfied some other way; verify on a host where this profile is enforced.
  profile /sbin/iptables {
    signal (receive) peer=/usr/bin/docker,
    capability net_admin,
  }
  # auplink child: aufs branch management under the graph path. Also
  # attach_disconnected, since it operates on mounts the daemon has moved.
  profile /sbin/auplink flags=(attach_disconnected) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_admin,
    capability dac_override,

    @{DOCKER_GRAPH_PATH}/aufs/** rw,
    # For user namespaces:
    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

    # The following may be removed via delegates
    /sys/fs/aufs/** r,
    /lib/** r,
    /apparmor/.null r,
    /dev/null rw,
    /etc/ld.so.cache r,
    /sbin/auplink rm,
    /proc/fs/aufs/** rw,
    /proc/[0-9]*/mounts rw,
  }
  # modprobe child: sys_module is required to load kernel modules, but the
  # accompanying `file,` is an unrestricted file grant, so the module search
  # paths are not pinned. NOTE(review): if helper confinement matters, this
  # is the rule to narrow to the directories modprobe actually reads.
  profile /sbin/modprobe {
    signal (receive) peer=/usr/bin/docker,
    capability sys_module,
    file,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz {
    signal (receive) peer=/usr/bin/docker,
  }
}