# AppArmor profile for the Docker daemon binary (/usr/bin/docker), with one
# local child profile for each helper binary the daemon executes.
#
# Two properties of this file matter for anyone reading it as a security
# control:
#   * Every profile below carries the `complain` flag, so AppArmor only
#     audits (logs) violations of these rules; nothing is blocked.  Deny
#     rules are logged as well, not enforced, until the flag is removed.
#   * AppArmor unions all allow rules and lets deny rules take precedence
#     regardless of the order they appear in, so the order of lines here is
#     cosmetic.
#
# The variable below points at the daemon's graph directory; the same value
# is reused by several child profiles further down.
@{DOCKER_GRAPH_PATH}=/var/lib/docker

# attach_disconnected: paths that are disconnected from the namespace root
# (e.g. after the pivot_root/mount operations allowed below) are matched as
# if they were attached, so the file rules still apply to them.
profile /usr/bin/docker (attach_disconnected, complain) {
  # Prevent following links to these files during container setup.
  # Permission letters: m = mmap executable, k = file lock, l = link.
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  # Mount targets the daemon needs to assemble container rootfs and netns.
  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,

  umount,
  pivot_root,
  # @{profile_name} is AppArmor's built-in variable for this profile's name,
  # so the first rule covers signals between daemon processes.
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
  ipc rw,
  # Bare `network,` and `capability,` grant every address family and every
  # Linux capability; the daemon is effectively unrestricted in both.
  network,
  capability,
  # `owner`: only files whose owner matches the daemon's fsuid.
  owner /** rw,
  @{DOCKER_GRAPH_PATH}/** rwl,
  # k = file locking on the daemon's databases.
  @{DOCKER_GRAPH_PATH}/linkgraph.db k,
  @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,

  # For non-root client use:
  /dev/urandom r,
  /run/docker.sock rw,
  /proc/** r,
  /sys/kernel/mm/hugepages/ r,
  /etc/localtime r,
  /etc/ld.so.cache r,

  # ptrace is allowed between daemon processes and read-only towards
  # containers (docker-default); tracing containers is explicitly denied.
  # `/usr/bin/docker///bin/ps` names the /bin/ps child profile defined
  # below (parent profile, `//`, child profile).
  ptrace peer=@{profile_name},
  ptrace (read) peer=docker-default,
  deny ptrace (trace) peer=docker-default,
  deny ptrace peer=/usr/bin/docker///bin/ps,

  /usr/lib/** rm,
  /lib/** rm,

  # Exec transitions.  pix: re-exec into this same profile, inheriting the
  # current one if it is missing, without scrubbing the environment.
  # rCx: exec into the local child profile of the same name defined below;
  # the uppercase C scrubs the environment on the transition.
  /usr/bin/docker pix,
  /sbin/xtables-multi rCx,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /sbin/mke2fs rCx,
  /sbin/tune2fs rCx,
  /sbin/blkid rCx,
  /bin/kmod rCx,
  /usr/bin/xz rCx,
  /bin/ps rCx,
  /bin/cat rCx,
  /sbin/zfs rCx,
  /sbin/apparmor_parser rCx,

  # Transitions
  # The daemon may switch into any container profile (docker-*) and, with
  # the second rule, drop AppArmor confinement entirely.
  change_profile -> docker-*,
  change_profile -> unconfined,

  profile /bin/cat (complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /proc r,
    /bin/cat mr,

    # For reading in 'docker stats':
    /proc/[0-9]*/net/dev r,
  }
  profile /bin/ps (complain) {
    /etc/ld.so.cache r,
    /etc/localtime r,
    /etc/passwd r,
    /etc/nsswitch.conf r,
    /lib/** rm,
    /proc/[0-9]*/** r,
    /dev/null rw,
    /bin/ps mr,

    # We don't need ptrace so we'll deny and ignore the error.
    deny ptrace (read, trace),

    # Quiet dac_override denials
    deny capability dac_override,
    deny capability dac_read_search,
    deny capability sys_ptrace,

    /dev/tty r,
    /proc/stat r,
    /proc/cpuinfo r,
    /proc/meminfo r,
    /proc/uptime r,
    /sys/devices/system/cpu/online r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    /proc/tty/drivers r,
  }
  profile /sbin/iptables (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability net_admin,
  }
  # `flags=(...)` is the same as the bare `(...)` spelling used by the other
  # profiles in this file; the two forms are interchangeable.
  profile /sbin/auplink flags=(attach_disconnected, complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_admin,
    capability dac_override,

    @{DOCKER_GRAPH_PATH}/aufs/** rw,
    @{DOCKER_GRAPH_PATH}/tmp/** rw,
    # For user namespaces:
    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

    /sys/fs/aufs/** r,
    /lib/** rm,
    /apparmor/.null r,
    /dev/null rw,
    /etc/ld.so.cache r,
    /sbin/auplink rm,
    /proc/fs/aufs/** rw,
    /proc/[0-9]*/mounts rw,
  }
  # One child profile shared by both module-loading binaries.
  profile /sbin/modprobe /bin/kmod (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_module,
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /apparmor/.null rw,
    /sbin/modprobe rm,
    /bin/kmod rm,
    /proc/cmdline r,
    /sys/module/** r,
    /etc/modprobe.d{/,/**} r,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz (complain) {
    signal (receive) peer=/usr/bin/docker,
    /etc/ld.so.cache r,
    /lib/** rm,
    /usr/bin/xz rm,
    deny /proc/** rw,
    deny /sys/** rw,
  }
  profile /sbin/xtables-multi (attach_disconnected, complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /sbin/xtables-multi rm,
    /apparmor/.null w,
    /dev/null rw,

    /proc r,

    capability net_raw,
    capability net_admin,
    network raw,
  }
  # Bare `file,` plus bare `capability,` give zfs unrestricted file access
  # and every capability: this child profile confines nothing.
  profile /sbin/zfs (attach_disconnected, complain) {
    file,
    capability,
  }
  profile /sbin/mke2fs (complain) {
    /sbin/mke2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/mke2fs.conf r,
    /etc/mtab r,

    /dev/dm-* rw,
    /dev/urandom r,
    /dev/null rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/tune2fs (complain) {
    /sbin/tune2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/blkid.conf r,
    /etc/mtab r,
    /etc/ld.so.cache r,

    /dev/null rw,
    /dev/.blkid.tab r,
    /dev/dm-* rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/blkid (complain) {
    /sbin/blkid rm,

    /lib/** rm,
    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/blkid.conf r,

    /dev/null rw,
    # The glob rule on the next line already covers /dev/.blkid.tab; the
    # narrower rule is redundant but harmless.
    /dev/.blkid.tab rl,
    /dev/.blkid.tab* rwl,
    /dev/dm-* r,

    /sys/devices/virtual/block/** r,

    capability mknod,

    mount -> @{DOCKER_GRAPH_PATH}/**,
  }
  # apparmor_parser loads policy into the kernel; mac_admin and the .replace
  # write below are what that requires.
  profile /sbin/apparmor_parser (complain) {
    /sbin/apparmor_parser rm,

    /lib/** rm,

    /etc/ld.so.cache r,
    /etc/apparmor/** r,
    /etc/apparmor.d/** r,
    /etc/apparmor.d/cache/** w,

    /dev/null rw,

    /sys/kernel/security/apparmor/** r,
    /sys/kernel/security/apparmor/.replace w,

    /proc/[0-9]*/mounts r,
    /proc/sys/kernel/osrelease r,
    /proc r,

    capability mac_admin,
  }
}