package main

// dockerProfileTemplate is the AppArmor policy text for the Docker daemon
// binary (/usr/bin/docker) plus child profiles for the helper binaries the
// daemon executes (iptables, modprobe/kmod, auplink, xz, ps, mke2fs, tune2fs,
// blkid, zfs, apparmor_parser, ...). It is a plain AppArmor policy: the only
// variable is the AppArmor one, @{DOCKER_GRAPH_PATH}, which is set to
// /var/lib/docker on the first line and used to scope the graph-directory
// mount and file rules. How this constant is rendered and loaded is not
// visible here — presumably by this package's main and apparmor_parser;
// confirm against the caller.
//
// Shape of the policy:
//   - The top-level profile carries `attach_disconnected` (rules may match
//     files that are disconnected from the daemon's namespace root, which
//     the mount/pivot_root work needs) and grants broad access: unrestricted
//     `capability` and `network`, `owner /** rw`, mount/umount/pivot_root,
//     ptrace of its own profile, and `change_profile -> docker-*` /
//     `change_profile -> unconfined` for starting containers under other
//     profiles.
//   - Helper binaries transition into child profiles via `rCx`. Most child
//     profiles are deliberately narrow; the exception is /sbin/zfs, whose
//     child profile grants `file` and `capability` wholesale.
//
// Security caveats for anyone loading this policy:
//   - Every profile here, parent and children, carries the `complain` flag.
//     In complain mode AppArmor logs rule violations but does not block
//     them, so all `deny` rules are advisory and nothing is enforced until
//     the flag is removed and the policy is re-tested in enforce mode.
//   - Because of the unrestricted `capability` rule and the
//     `change_profile -> unconfined` transition, the parent profile does not
//     meaningfully contain a compromised daemon; its value is in documenting
//     the daemon's expected access and in confining the helpers it spawns.
//   - Binary and library paths are hard-coded (/usr/bin/docker,
//     /sbin/iptables, /bin/kmod, /lib/**, ...). On hosts where helpers live
//     elsewhere (merged /usr, different packaging) the `rCx` exec rules will
//     not match; verify each helper's location on the target host before
//     relying on the child profiles.
const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker

profile /usr/bin/docker (attach_disconnected, complain) {
  # Prevent following links to these files during container setup.
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,
  mount -> /.pivot_root[0-9]*/,

  / r,

  umount,
  pivot_root,
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
  network,
  capability,
  owner /** rw,
  @{DOCKER_GRAPH_PATH}/** rwl,
  @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
  @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
  # For user namespaces:
  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/network/files/boltdb.db k,
  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/network/files/local-kv.db k,

  # For non-root client use:
  /dev/urandom r,
  /dev/null rw,
  /dev/pts/[0-9]* rw,
  /run/docker.sock rw,
  /proc/** r,
  /proc/[0-9]*/attr/exec w,
  /sys/kernel/mm/hugepages/ r,
  /etc/localtime r,
  /etc/ld.so.cache r,
  /etc/passwd r,

  ptrace peer=@{profile_name},
  ptrace (read) peer=docker-default,
  deny ptrace (trace) peer=docker-default,
  deny ptrace peer=/usr/bin/docker///bin/ps,

  /usr/lib/** rm,
  /lib/** rm,

  /usr/bin/docker pix,
  /sbin/xtables-multi rCx,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /sbin/mke2fs rCx,
  /sbin/tune2fs rCx,
  /sbin/blkid rCx,
  /bin/kmod rCx,
  /usr/bin/xz rCx,
  /bin/ps rCx,
  /bin/tar rCx,
  /bin/cat rCx,
  /sbin/zfs rCx,
  /sbin/apparmor_parser rCx,

  # Transitions
  change_profile -> docker-*,
  change_profile -> unconfined,

  profile /bin/cat (complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /proc r,
    /bin/cat mr,

    # For reading in 'docker stats':
    /proc/[0-9]*/net/dev r,
  }
  profile /bin/ps (complain) {
    /etc/ld.so.cache r,
    /etc/localtime r,
    /etc/passwd r,
    /etc/nsswitch.conf r,
    /lib/** rm,
    /proc/[0-9]*/** r,
    /dev/null rw,
    /bin/ps mr,

    # We don't need ptrace so we'll deny and ignore the error.
    deny ptrace (read, trace),

    # Quiet dac_override denials
    deny capability dac_override,
    deny capability dac_read_search,
    deny capability sys_ptrace,

    /dev/tty r,
    /proc/stat r,
    /proc/cpuinfo r,
    /proc/meminfo r,
    /proc/uptime r,
    /sys/devices/system/cpu/online r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    /proc/tty/drivers r,
  }
  profile /sbin/iptables (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability net_admin,
  }
  profile /sbin/auplink flags=(attach_disconnected, complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_admin,
    capability dac_override,

    @{DOCKER_GRAPH_PATH}/aufs/** rw,
    @{DOCKER_GRAPH_PATH}/tmp/** rw,
    # For user namespaces:
    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

    /sys/fs/aufs/** r,
    /lib/** rm,
    /apparmor/.null r,
    /dev/null rw,
    /etc/ld.so.cache r,
    /sbin/auplink rm,
    /proc/fs/aufs/** rw,
    /proc/[0-9]*/mounts rw,
  }
  profile /sbin/modprobe /bin/kmod (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_module,
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /apparmor/.null rw,
    /sbin/modprobe rm,
    /bin/kmod rm,
    /proc/cmdline r,
    /sys/module/** r,
    /etc/modprobe.d{/,/**} r,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz (complain) {
    signal (receive) peer=/usr/bin/docker,
    /etc/ld.so.cache r,
    /lib/** rm,
    /usr/bin/xz rm,
    deny /proc/** rw,
    deny /sys/** rw,
  }
  profile /sbin/xtables-multi (attach_disconnected, complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /sbin/xtables-multi rm,
    /apparmor/.null w,
    /dev/null rw,

    /proc r,

    capability net_raw,
    capability net_admin,
    network raw,
  }
  profile /sbin/zfs (attach_disconnected, complain) {
    file,
    capability,
  }
  profile /sbin/mke2fs (complain) {
    /sbin/mke2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/mke2fs.conf r,
    /etc/mtab r,

    /dev/dm-* rw,
    /dev/urandom r,
    /dev/null rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/tune2fs (complain) {
    /sbin/tune2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/blkid.conf r,
    /etc/mtab r,
    /etc/ld.so.cache r,

    /dev/null rw,
    /dev/.blkid.tab r,
    /dev/dm-* rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/blkid (complain) {
    /sbin/blkid rm,

    /lib/** rm,
    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/blkid.conf r,

    /dev/null rw,
    /dev/.blkid.tab rl,
    /dev/.blkid.tab* rwl,
    /dev/dm-* r,

    /sys/devices/virtual/block/** r,

    capability mknod,

    mount -> @{DOCKER_GRAPH_PATH}/**,
  }
  profile /sbin/apparmor_parser (complain) {
    /sbin/apparmor_parser rm,

    /lib/** rm,

    /etc/ld.so.cache r,
    /etc/apparmor/** r,
    /etc/apparmor.d/** r,
    /etc/apparmor.d/cache/** w,

    /dev/null rw,

    /sys/kernel/security/apparmor/** r,
    /sys/kernel/security/apparmor/.replace w,

    /proc/[0-9]*/mounts r,
    /proc/sys/kernel/osrelease r,
    /proc r,

    capability mac_admin,
  }
}`