# AppArmor policy for the Docker engine binary (/usr/bin/docker) and the
# helper programs it executes (iptables, modprobe, auplink, xz, ps, cat, zfs).
#
# NOTE(review): every profile in this file carries the `complain` flag, so a
# rule that would deny an access is only logged (audit mode), not enforced.
# Confirm this is intended before treating the profile as an isolation boundary.

# Root of the daemon's storage ("graph") directory; referenced by the mount
# rules below and by the auplink child profile.
@{DOCKER_GRAPH_PATH}=/var/lib/docker

# attach_disconnected: paths that are disconnected from the namespace (as happens
# around pivot_root / chroot during container setup) are still matched by the
# rules instead of being rejected outright.
profile /usr/bin/docker (attach_disconnected, complain) {
  # Prevent following links to these files during container setup.
  # (m = mmap, k = lock, l = link; read/write is governed by the rules further down.)
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  # Mount targets the daemon is allowed to use while assembling a container's
  # root filesystem and network namespace.
  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,

  umount,
  pivot_root,
  # Signals: may be received from other processes under this same profile and
  # from unconfined processes; may be sent to any peer.
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
  ipc rw,
  # Unqualified `network` and `capability` grant every address family and
  # every capability respectively.
  network,
  capability,
  # Read/write any file owned by the daemon's own uid, anywhere on the system.
  owner /** rw,
  # NOTE(review): spelled literally rather than via @{DOCKER_GRAPH_PATH}; the
  # two diverge if the variable is ever changed.
  /var/lib/docker/** rwl,

  # For non-root client use:
  /dev/urandom r,
  /run/docker.sock rw,
  /proc/** r,
  /sys/kernel/mm/hugepages/ r,
  /etc/localtime r,

  # ptrace: full access to peers under this profile, read-only inspection of
  # container processes confined by docker-default (no tracing of them), and
  # no ptrace of the ps child profile defined below.
  ptrace peer=@{profile_name},
  ptrace (read) peer=docker-default,
  deny ptrace (trace) peer=docker-default,
  deny ptrace peer=/usr/bin/docker///bin/ps,

  # Executing docker itself re-enters this profile (pix: named profile, inherit
  # as fallback). Helper binaries run under the matching child profile below
  # (rCx: read + transition to child profile with a scrubbed environment).
  /usr/bin/docker pix,
  /sbin/xtables-multi rCx,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /bin/kmod rCx,
  /usr/bin/xz rCx,
  /bin/ps rCx,
  /bin/cat rCx,
  /sbin/zfs rCx,

  # Transitions
  # The daemon may switch into any container profile (docker-*) when launching
  # a container, or drop confinement entirely.
  change_profile -> docker-*,
  change_profile -> unconfined,

  # Child profile for /bin/cat: loader, libraries, /dev/null and /proc only.
  profile /bin/cat (complain) {
    /etc/ld.so.cache r,
    /lib/** r,
    /dev/null rw,
    /proc r,
    /bin/cat mr,

    # For reading in 'docker stats':
    /proc/[0-9]*/net/dev r,
  }
  # Child profile for /bin/ps: read-only view of /proc plus the files needed
  # to resolve user names.
  profile /bin/ps (complain) {
    /etc/ld.so.cache r,
    /etc/localtime r,
    /etc/passwd r,
    /etc/nsswitch.conf r,
    /lib/** r,
    /proc/[0-9]*/** r,
    /dev/null rw,
    /bin/ps mr,

    # We don't need ptrace so we'll deny and ignore the error.
    deny ptrace (read, trace),

    # Quiet dac_override denials
    deny capability dac_override,
    deny capability dac_read_search,
    deny capability sys_ptrace,

    /dev/tty r,
    /proc/stat r,
    /proc/cpuinfo r,
    /proc/meminfo r,
    /proc/uptime r,
    /sys/devices/system/cpu/online r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    /proc/tty/drivers r,
  }
  # Child profile for /sbin/iptables: only needs net_admin and to be signalled
  # by the daemon.
  profile /sbin/iptables (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability net_admin,
  }
  # Child profile for /sbin/auplink (aufs layer unlinking). Note the
  # `flags=(...)` spelling here versus the bare parenthesised form used by
  # the other profiles; both are accepted syntax.
  profile /sbin/auplink flags=(attach_disconnected, complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_admin,
    capability dac_override,

    @{DOCKER_GRAPH_PATH}/aufs/** rw,
    @{DOCKER_GRAPH_PATH}/tmp/** rw,
    # For user namespaces:
    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

    /sys/fs/aufs/** r,
    /lib/** r,
    /apparmor/.null r,
    /dev/null rw,
    /etc/ld.so.cache r,
    /sbin/auplink rm,
    /proc/fs/aufs/** rw,
    /proc/[0-9]*/mounts rw,
  }
  # One child profile shared by /sbin/modprobe and /bin/kmod: module loading
  # (sys_module) plus read access to module metadata and configuration.
  profile /sbin/modprobe /bin/kmod (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_module,
    /etc/ld.so.cache r,
    /lib/** r,
    /dev/null rw,
    /apparmor/.null rw,
    /sbin/modprobe rm,
    /bin/kmod rm,
    /proc/cmdline r,
    /sys/module/** r,
    /etc/modprobe.d{/,/**} r,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz (complain) {
    signal (receive) peer=/usr/bin/docker,
    /etc/ld.so.cache r,
    /lib/** r,
    /usr/bin/xz rm,
    deny /proc/** rw,
    deny /sys/** rw,
  }
  # Child profile for /sbin/xtables-multi: raw sockets and net_admin/net_raw
  # for manipulating netfilter rules.
  profile /sbin/xtables-multi (attach_disconnected, complain) {
    /etc/ld.so.cache r,
    /lib/** r,
    /sbin/xtables-multi rm,
    /apparmor/.null w,
    /dev/null rw,
    capability net_raw,
    capability net_admin,
    network raw,
  }
  # Child profile for /sbin/zfs. NOTE(review): the unqualified `file` and
  # `capability` rules allow all file access and all capabilities, so this
  # child is effectively unconfined apart from the rules it does not list
  # (e.g. no mount, network or ptrace rules).
  profile /sbin/zfs (attach_disconnected, complain) {
    file,
    capability,
  }
}