package main

// dockerProfileTemplate is the Go template source (text/template syntax,
// presumably) for the AppArmor profile that confines /usr/bin/docker, together
// with the nested child profiles for the helper binaries it executes via
// "rCx" transitions (iptables, xtables-multi, modprobe/kmod, auplink, xz,
// ps, cat, zfs, mke2fs, tune2fs, blkid, apparmor_parser).
//
// The template reads a single field, .Version: the signal, ptrace and
// change_profile rules are emitted only when `ge .Version 209000` holds,
// i.e. when the caller reports an AppArmor version of at least 2.9 encoded
// as an integer — NOTE(review): the rendering code is not in this file;
// confirm the encoding against the caller before changing the threshold.
//
// The @{DOCKER_GRAPH_PATH} variable defaults to /var/lib/docker and is what
// the graph-driver and network-db rules below are keyed on. Every profile in
// this template, including the children, carries the "complain" flag, so the
// rules document intended access but denials are logged rather than enforced
// (the top-level "deny" rules are listed mainly to quiet audit noise — see the
// comments inside the profile).
const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker

profile /usr/bin/docker (attach_disconnected, complain) {
  # Prevent following links to these files during container setup.
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,
  mount -> /.pivot_root[0-9]*/,

  / r,

  umount,
  pivot_root,
{{if ge .Version 209000}}
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
{{end}}
  network,
  capability,
  owner /** rw,
  @{DOCKER_GRAPH_PATH}/** rwl,
  @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
  @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
  # For user namespaces:
  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/network/files/boltdb.db k,
  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/network/files/local-kv.db k,

  # For non-root client use:
  /dev/urandom r,
  /dev/null rw,
  /dev/pts/[0-9]* rw,
  /run/docker.sock rw,
  /proc/** r,
  /proc/[0-9]*/attr/exec w,
  /sys/kernel/mm/hugepages/ r,
  /etc/localtime r,
  /etc/ld.so.cache r,
  /etc/passwd r,

{{if ge .Version 209000}}
  ptrace peer=@{profile_name},
  ptrace (read) peer=docker-default,
  deny ptrace (trace) peer=docker-default,
  deny ptrace peer=/usr/bin/docker///bin/ps,
{{end}}

  /usr/lib/** rm,
  /lib/** rm,

  /usr/bin/docker pix,
  /sbin/xtables-multi rCx,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /sbin/mke2fs rCx,
  /sbin/tune2fs rCx,
  /sbin/blkid rCx,
  /bin/kmod rCx,
  /usr/bin/xz rCx,
  /bin/ps rCx,
  /bin/tar rCx,
  /bin/cat rCx,
  /sbin/zfs rCx,
  /sbin/apparmor_parser rCx,

{{if ge .Version 209000}}
  # Transitions
  change_profile -> docker-*,
  change_profile -> unconfined,
{{end}}

  profile /bin/cat (complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /proc r,
    /bin/cat mr,

    # For reading in 'docker stats':
    /proc/[0-9]*/net/dev r,
  }
  profile /bin/ps (complain) {
    /etc/ld.so.cache r,
    /etc/localtime r,
    /etc/passwd r,
    /etc/nsswitch.conf r,
    /lib/** rm,
    /proc/[0-9]*/** r,
    /dev/null rw,
    /bin/ps mr,

{{if ge .Version 209000}}
    # We don't need ptrace so we'll deny and ignore the error.
    deny ptrace (read, trace),
{{end}}

    # Quiet dac_override denials
    deny capability dac_override,
    deny capability dac_read_search,
    deny capability sys_ptrace,

    /dev/tty r,
    /proc/stat r,
    /proc/cpuinfo r,
    /proc/meminfo r,
    /proc/uptime r,
    /sys/devices/system/cpu/online r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    /proc/tty/drivers r,
  }
  profile /sbin/iptables (complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    capability net_admin,
  }
  profile /sbin/auplink flags=(attach_disconnected, complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    capability sys_admin,
    capability dac_override,

    @{DOCKER_GRAPH_PATH}/aufs/** rw,
    @{DOCKER_GRAPH_PATH}/tmp/** rw,
    # For user namespaces:
    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

    /sys/fs/aufs/** r,
    /lib/** rm,
    /apparmor/.null r,
    /dev/null rw,
    /etc/ld.so.cache r,
    /sbin/auplink rm,
    /proc/fs/aufs/** rw,
    /proc/[0-9]*/mounts rw,
  }
  profile /sbin/modprobe /bin/kmod (complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    capability sys_module,
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /apparmor/.null rw,
    /sbin/modprobe rm,
    /bin/kmod rm,
    /proc/cmdline r,
    /sys/module/** r,
    /etc/modprobe.d{/,/**} r,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz (complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    /etc/ld.so.cache r,
    /lib/** rm,
    /usr/bin/xz rm,
    deny /proc/** rw,
    deny /sys/** rw,
  }
  profile /sbin/xtables-multi (attach_disconnected, complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /sbin/xtables-multi rm,
    /apparmor/.null w,
    /dev/null rw,

    /proc r,

    capability net_raw,
    capability net_admin,
    network raw,
  }
  profile /sbin/zfs (attach_disconnected, complain) {
    file,
    capability,
  }
  profile /sbin/mke2fs (complain) {
    /sbin/mke2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/mke2fs.conf r,
    /etc/mtab r,

    /dev/dm-* rw,
    /dev/urandom r,
    /dev/null rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/tune2fs (complain) {
    /sbin/tune2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/blkid.conf r,
    /etc/mtab r,
    /etc/ld.so.cache r,

    /dev/null rw,
    /dev/.blkid.tab r,
    /dev/dm-* rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/blkid (complain) {
    /sbin/blkid rm,

    /lib/** rm,
    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/blkid.conf r,

    /dev/null rw,
    /dev/.blkid.tab rl,
    /dev/.blkid.tab* rwl,
    /dev/dm-* r,

    /sys/devices/virtual/block/** r,

    capability mknod,

    mount -> @{DOCKER_GRAPH_PATH}/**,
  }
  profile /sbin/apparmor_parser (complain) {
    /sbin/apparmor_parser rm,

    /lib/** rm,

    /etc/ld.so.cache r,
    /etc/apparmor/** r,
    /etc/apparmor.d/** r,
    /etc/apparmor.d/cache/** w,

    /dev/null rw,

    /sys/kernel/security/apparmor/** r,
    /sys/kernel/security/apparmor/.replace w,

    /proc/[0-9]*/mounts r,
    /proc/sys/kernel/osrelease r,
    /proc r,

    capability mac_admin,
  }
}`