# AppArmor profile for the Docker engine binary (/usr/bin/docker) and the
# helper programs it execs (iptables, modprobe, auplink, mke2fs, zfs, ...).
#
# NOTE(review): every profile in this file, parent and children alike, carries
# the `complain` flag.  In complain mode AppArmor logs policy violations but
# does not block them, so loading this file as-is does NOT confine the daemon;
# the flag has to be dropped (or `aa-enforce` applied) for the rules to take
# effect.  Whether the explicit `deny` rules below are still enforced while in
# complain mode depends on the AppArmor version in use -- confirm before
# relying on them.
#
# Even in enforce mode the parent profile is close to unconfined: it grants
# every capability, every network family, rw on all owner files, mount on /
# and a `change_profile -> unconfined` transition.  The practical value of this
# file is the per-helper child profiles, which are considerably tighter.

# Graph root used by the mount rules.  The file rule for the graph directory
# further down hard-codes /var/lib/docker instead of reusing this variable,
# so a daemon started with a non-default graph path is only partly covered.
@{DOCKER_GRAPH_PATH}=/var/lib/docker

profile /usr/bin/docker (attach_disconnected, complain) {
  # Prevent following links to these files during container setup.
  # (m = mmap, k = lock, l = link; reads/writes are not restricted here.)
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  # Mount targets the daemon needs for graph drivers, container rootfs
  # setup and network namespaces.  `mount -> /` is effectively unrestricted.
  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,

  umount,
  pivot_root,
  # Accept signals from other instances of this profile and from unconfined
  # processes (e.g. the init system); send signals anywhere.
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
  ipc rw,
  # Unrestricted network access and the full capability set: no least
  # privilege is applied to the daemon itself at this revision.
  network,
  capability,
  owner /** rw,
  # Hard-coded default graph path; see the note on @{DOCKER_GRAPH_PATH} above.
  /var/lib/docker/** rwl,

  # For non-root client use:
  /dev/urandom r,
  /run/docker.sock rw,
  /proc/** r,
  /sys/kernel/mm/hugepages/ r,
  /etc/localtime r,

  # Ptrace: full access between docker processes, read-only introspection of
  # containers under docker-default, never trace into a container.  The
  # /usr/bin/docker///bin/ps peer is the ps child profile declared below;
  # that deny only quiets ptrace denials against it.
  ptrace peer=@{profile_name},
  ptrace (read) peer=docker-default,
  deny ptrace (trace) peer=docker-default,
  deny ptrace peer=/usr/bin/docker///bin/ps,

  # Re-exec of docker stays in this profile (px, falling back to ix).
  # Every helper is run under a child profile (Cx) named
  # /usr/bin/docker//<path>; the child profiles follow below.
  /usr/bin/docker pix,
  /sbin/xtables-multi rCx,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /sbin/mke2fs rCx,
  /sbin/tune2fs rCx,
  /sbin/blkid rCx,
  /bin/kmod rCx,
  /usr/bin/xz rCx,
  /bin/ps rCx,
  /bin/cat rCx,
  /sbin/zfs rCx,

  # Transitions
  # docker-* covers the container profiles (e.g. docker-default) entered when
  # starting a container; the unconfined transition lets the daemon drop
  # AppArmor confinement entirely.
  change_profile -> docker-*,
  change_profile -> unconfined,

  # NOTE(review): the iptables, auplink, modprobe/kmod and xz children
  # explicitly accept signals from /usr/bin/docker, while cat, ps,
  # xtables-multi, zfs, mke2fs, tune2fs and blkid do not.  In enforce mode
  # the parent could not signal (e.g. kill on timeout) the latter group --
  # confirm whether the daemon relies on that before enforcing.

  profile /bin/cat (complain) {
    /etc/ld.so.cache r,
    /lib/** r,
    /dev/null rw,
    /proc r,
    /bin/cat mr,

    # For reading in 'docker stats':
    /proc/[0-9]*/net/dev r,
  }
  profile /bin/ps (complain) {
    /etc/ld.so.cache r,
    /etc/localtime r,
    /etc/passwd r,
    /etc/nsswitch.conf r,
    /lib/** r,
    /proc/[0-9]*/** r,
    /dev/null rw,
    /bin/ps mr,

    # We don't need ptrace so we'll deny and ignore the error.
    deny ptrace (read, trace),

    # Quiet dac_override denials
    # (explicit deny also suppresses the audit log entry).
    deny capability dac_override,
    deny capability dac_read_search,
    deny capability sys_ptrace,

    /dev/tty r,
    /proc/stat r,
    /proc/cpuinfo r,
    /proc/meminfo r,
    /proc/uptime r,
    /sys/devices/system/cpu/online r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    /proc/tty/drivers r,
  }
  # Legacy iptables binary; net_admin is all it needs.
  profile /sbin/iptables (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability net_admin,
  }
  # aufs helper (aufs graph driver); writes under the graph path only.
  profile /sbin/auplink flags=(attach_disconnected, complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_admin,
    capability dac_override,

    @{DOCKER_GRAPH_PATH}/aufs/** rw,
    @{DOCKER_GRAPH_PATH}/tmp/** rw,
    # For user namespaces:
    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

    /sys/fs/aufs/** r,
    /lib/** r,
    # /apparmor/.null is the apparmorfs null device; presumably stands in for
    # file descriptors closed across the profile transition -- confirm.
    /apparmor/.null r,
    /dev/null rw,
    /etc/ld.so.cache r,
    /sbin/auplink rm,
    /proc/fs/aufs/** rw,
    /proc/[0-9]*/mounts rw,
  }
  # One child profile with two attachment paths (modprobe may be a kmod
  # symlink).  sys_module lets it load arbitrary kernel modules; the file
  # rules only restrict what configuration it can read, not what it loads.
  profile /sbin/modprobe /bin/kmod (complain) {
    signal (receive) peer=/usr/bin/docker,
    capability sys_module,
    /etc/ld.so.cache r,
    /lib/** r,
    /dev/null rw,
    /apparmor/.null rw,
    /sbin/modprobe rm,
    /bin/kmod rm,
    /proc/cmdline r,
    /sys/module/** r,
    /etc/modprobe.d{/,/**} r,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz (complain) {
    signal (receive) peer=/usr/bin/docker,
    /etc/ld.so.cache r,
    /lib/** r,
    /usr/bin/xz rm,
    deny /proc/** rw,
    deny /sys/** rw,
  }
  # iptables/ip6tables multi-call binary.
  profile /sbin/xtables-multi (attach_disconnected, complain) {
    /etc/ld.so.cache r,
    /lib/** r,
    /sbin/xtables-multi rm,
    /apparmor/.null w,
    /dev/null rw,
    capability net_raw,
    capability net_admin,
    network raw,
  }
  # NOTE(review): `file,` plus `capability,` is unrestricted file access and
  # the full capability set -- this child is effectively unconfined.
  profile /sbin/zfs (attach_disconnected, complain) {
    file,
    capability,
  }
  # Filesystem helpers; the /dev/dm-* rules suggest these serve the
  # devicemapper graph driver (not confirmed from this file alone).
  profile /sbin/mke2fs (complain) {
    /sbin/mke2fs rm,

    /lib/** r,

    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/mke2fs.conf r,
    /etc/mtab r,

    /dev/dm-* rw,
    /dev/urandom r,
    /dev/null rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/tune2fs (complain) {
    /sbin/tune2fs rm,

    /lib/** r,

    /apparmor/.null w,

    /etc/blkid.conf r,
    /etc/mtab r,
    /etc/ld.so.cache r,

    /dev/null rw,
    /dev/.blkid.tab r,
    /dev/dm-* rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  # blkid additionally gets mknod and mount under the graph path; it is the
  # only filesystem helper allowed to create device nodes.
  profile /sbin/blkid (complain) {
    /sbin/blkid rm,

    /lib/** r,
    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/blkid.conf r,

    /dev/null rw,
    /dev/.blkid.tab rl,
    /dev/.blkid.tab* rwl,
    /dev/dm-* r,

    /sys/devices/virtual/block/** r,

    capability mknod,

    mount -> @{DOCKER_GRAPH_PATH}/**,
  }
}