@@ -21,51 +21,131 @@ profile /usr/bin/docker (attach_disconnected) {
2121 ipc rw,
2222 network,
2323 capability,
24- file,
24+ owner /** rw,
25+ /var/lib/docker/** rwl,
26+
27+ # For non-root client use:
28+ /dev/urandom r,
29+ /run/docker.sock rw,
30+ /proc/** r,
31+ /sys/kernel/mm/hugepages/ r,
32+ /etc/localtime r,
2533
2634 ptrace peer=@{profile_name},
35+ ptrace (read) peer=docker-default,
36+ deny ptrace (trace) peer=docker-default,
37+ deny ptrace peer=/usr/bin/docker///bin/ps,
2738
2839 /usr/bin/docker pix,
29- /sbin/xtables-multi rCix ,
40+ /sbin/xtables-multi rCx ,
3041 /sbin/iptables rCx,
3142 /sbin/modprobe rCx,
3243 /sbin/auplink rCx,
44+ /bin/kmod rCx,
3345 /usr/bin/xz rCx,
46+ /bin/ps rCx,
47+ /bin/cat rCx,
48+ /sbin/zfs rCx,
3449
3550 # Transitions
3651 change_profile -> docker-*,
3752 change_profile -> unconfined,
3853
54+ profile /bin/cat {
55+ /etc/ld.so.cache r,
56+ /lib/** r,
57+ /dev/null rw,
58+ /proc r,
59+ /bin/cat mr,
60+
61+ # For reading in 'docker stats':
62+ /proc/[0-9]*/net/dev r,
63+ }
64+ profile /bin/ps {
65+ /etc/ld.so.cache r,
66+ /etc/localtime r,
67+ /etc/passwd r,
68+ /etc/nsswitch.conf r,
69+ /lib/** r,
70+ /proc/[0-9]*/** r,
71+ /dev/null rw,
72+ /bin/ps mr,
73+
74+ # We don't need ptrace so we'll deny and ignore the error.
75+ deny ptrace (read, trace),
76+
77+ # Quiet dac_override denials
78+ deny capability dac_override,
79+ deny capability dac_read_search,
80+ deny capability sys_ptrace,
81+
82+ /dev/tty r,
83+ /proc/stat r,
84+ /proc/cpuinfo r,
85+ /proc/meminfo r,
86+ /proc/uptime r,
87+ /sys/devices/system/cpu/online r,
88+ /proc/sys/kernel/pid_max r,
89+ /proc/ r,
90+ /proc/tty/drivers r,
91+ }
3992 profile /sbin/iptables {
40- signal (receive) peer=/usr/bin/docker,
41- capability net_admin,
93+ signal (receive) peer=/usr/bin/docker,
94+ capability net_admin,
4295 }
4396 profile /sbin/auplink flags=(attach_disconnected) {
44- signal (receive) peer=/usr/bin/docker,
45- capability sys_admin,
46- capability dac_override,
97+ signal (receive) peer=/usr/bin/docker,
98+ capability sys_admin,
99+ capability dac_override,
47100
48- @{DOCKER_GRAPH_PATH}/aufs/** rw,
49- # For user namespaces:
50- @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
101+ @{DOCKER_GRAPH_PATH}/aufs/** rw,
102+ @{DOCKER_GRAPH_PATH}/tmp/** rw,
103+ # For user namespaces:
104+ @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
51105
52- # The following may be removed via delegates
53- /sys/fs/aufs/** r,
54- /lib/** r,
55- /apparmor/.null r,
56- /dev/null rw,
57- /etc/ld.so.cache r,
58- /sbin/auplink rm,
59- /proc/fs/aufs/** rw,
60- /proc/[0-9]*/mounts rw,
106+ /sys/fs/aufs/** r,
107+ /lib/** r,
108+ /apparmor/.null r,
109+ /dev/null rw,
110+ /etc/ld.so.cache r,
111+ /sbin/auplink rm,
112+ /proc/fs/aufs/** rw,
113+ /proc/[0-9]*/mounts rw,
61114 }
62- profile /sbin/modprobe {
63- signal (receive) peer=/usr/bin/docker,
64- capability sys_module,
65- file,
115+ profile /sbin/modprobe /bin/kmod {
116+ signal (receive) peer=/usr/bin/docker,
117+ capability sys_module,
118+ /etc/ld.so.cache r,
119+ /lib/** r,
120+ /dev/null rw,
121+ /apparmor/.null rw,
122+ /sbin/modprobe rm,
123+ /bin/kmod rm,
124+ /proc/cmdline r,
125+ /sys/module/** r,
126+ /etc/modprobe.d{/,/**} r,
66127 }
67128 # xz works via pipes, so we do not need access to the filesystem.
68129 profile /usr/bin/xz {
69- signal (receive) peer=/usr/bin/docker,
130+ signal (receive) peer=/usr/bin/docker,
131+ /etc/ld.so.cache r,
132+ /lib/** r,
133+ /usr/bin/xz rm,
134+ deny /proc/** rw,
135+ deny /sys/** rw,
136+ }
137+ profile /sbin/xtables-multi (attach_disconnected) {
138+ /etc/ld.so.cache r,
139+ /lib/** r,
140+ /sbin/xtables-multi rm,
141+ /apparmor/.null w,
142+ /dev/null rw,
143+ capability net_raw,
144+ capability net_admin,
145+ network raw,
146+ }
147+ profile /sbin/zfs (attach_disconnected) {
148+ file,
149+ capability,
70150 }
71151}
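Review bot: The new `profile /sbin/zfs (attach_disconnected)` child grants a bare `file,` plus a bare `capability,`, which leaves the zfs helper effectively unconfined and runs against the direction of the rest of this hunk, where the parent's blanket `file,` is removed and the modprobe/xz/xtables-multi children get enumerated paths and specific capabilities. If the exact set zfs needs is not yet known, the rule set should at least say so, e.g. `# TODO: enumerate the paths and capabilities zfs actually needs; file, + capability, is a placeholder` above `file,`, so the gap is not mistaken for a deliberate grant. The new `/bin/ps`, `/bin/cat`, `/sbin/xtables-multi` and `/sbin/zfs` children also lack the `signal (receive) peer=/usr/bin/docker,` line that the iptables, auplink, modprobe and xz children carry; if the daemon signals these helpers this will surface as denials, although the parent's own signal rules may be above line 21 and outside this hunk. The enclosing `profile /usr/bin/docker` opens before the hunk's first line.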