
Commit 6c887be

committed
Mark engine AA policy as complain-only
The engine policy will now only complain as a temporary measure to ensure we do not cause breakages while users exercise this policy. This is NOT the policy for containers, but the newly-introduced policy for the daemon itself.
Signed-off-by: Eric Windisch <[email protected]>
1 parent 8b2fcdd commit 6c887be

1 file changed

Lines changed: 9 additions & 9 deletions


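--- a/contrib/apparmor/docker-engine
+++ b/contrib/apparmor/docker-engine
@@ -1,6 +1,6 @@
 @{DOCKER_GRAPH_PATH}=/var/lib/docker
 
-profile /usr/bin/docker (attach_disconnected) {
+profile /usr/bin/docker (attach_disconnected, complain) {
 # Prevent following links to these files during container setup.
 deny /etc/** mkl,
 deny /dev/** kl,
@@ -51,7 +51,7 @@ profile /usr/bin/docker (attach_disconnected) {
 change_profile -> docker-*,
 change_profile -> unconfined,
 
-profile /bin/cat {
+profile /bin/cat (complain) {
 /etc/ld.so.cache r,
 /lib/** r,
 /dev/null rw,
@@ -61,7 +61,7 @@ profile /usr/bin/docker (attach_disconnected) {
 # For reading in 'docker stats':
 /proc/[0-9]*/net/dev r,
 }
-profile /bin/ps {
+profile /bin/ps (complain) {
 /etc/ld.so.cache r,
 /etc/localtime r,
 /etc/passwd r,
@@ -89,11 +89,11 @@ profile /usr/bin/docker (attach_disconnected) {
 /proc/ r,
 /proc/tty/drivers r,
 }
-profile /sbin/iptables {
+profile /sbin/iptables (complain) {
 signal (receive) peer=/usr/bin/docker,
 capability net_admin,
 }
-profile /sbin/auplink flags=(attach_disconnected) {
+profile /sbin/auplink flags=(attach_disconnected, complain) {
 signal (receive) peer=/usr/bin/docker,
 capability sys_admin,
 capability dac_override,
@@ -112,7 +112,7 @@ profile /usr/bin/docker (attach_disconnected) {
 /proc/fs/aufs/** rw,
 /proc/[0-9]*/mounts rw,
 }
-profile /sbin/modprobe /bin/kmod {
+profile /sbin/modprobe /bin/kmod (complain) {
 signal (receive) peer=/usr/bin/docker,
 capability sys_module,
 /etc/ld.so.cache r,
@@ -126,15 +126,15 @@ profile /usr/bin/docker (attach_disconnected) {
 /etc/modprobe.d{/,/**} r,
 }
 # xz works via pipes, so we do not need access to the filesystem.
-profile /usr/bin/xz {
+profile /usr/bin/xz (complain) {
 signal (receive) peer=/usr/bin/docker,
 /etc/ld.so.cache r,
 /lib/** r,
 /usr/bin/xz rm,
 deny /proc/** rw,
 deny /sys/** rw,
 }
-profile /sbin/xtables-multi (attach_disconnected) {
+profile /sbin/xtables-multi (attach_disconnected, complain) {
 /etc/ld.so.cache r,
 /lib/** r,
 /sbin/xtables-multi rm,
@@ -144,7 +144,7 @@ profile /usr/bin/docker (attach_disconnected) {
 capability net_admin,
 network raw,
 }
-profile /sbin/zfs (attach_disconnected) {
+profile /sbin/zfs (attach_disconnected, complain) {
 file,
 capability,
 }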
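Review bot: Nothing in the profile file itself records that complain mode is a temporary measure; the first hunk turns `profile /usr/bin/docker (attach_disconnected) {` into an audit-only profile, and the later hunks do the same for every nested profile, but a reader of the file rather than the commit log will not know that the rules below are currently logged rather than enforced. A header comment above the top-level profile would carry that intent, for example `# TEMPORARY: every profile in this file carries the complain flag, so violations are only logged, not blocked; drop the flag once the policy has been validated in the field.` It would also help to say in that comment that the flag must be removed from each nested profile as well, since the change adds it to each one individually. The enclosing /usr/bin/docker profile opens in the first hunk and closes outside the last hunk.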
