
Commit 8cf8924

committed
change default docker-engine profile to a template based on apparmor_parser version
Signed-off-by: Jessica Frazelle <[email protected]>
1 parent bece5b8 commit 8cf8924

2 files changed

Lines changed: 105 additions & 2 deletions


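--- /dev/null
+++ b/contrib/apparmor/main.go
@@ -0,0 +1,85 @@
+package main
+
+import (
+"fmt"
+"log"
+"os"
+"os/exec"
+"path"
+"strconv"
+"strings"
+"text/template"
+)
+
+type profileData struct {
+MajorVersion int
+MinorVersion int
+}
+
+func main() {
+if len(os.Args) < 2 {
+log.Fatal("pass a filename to save the profile in.")
+}
+
+// parse the arg
+apparmorProfilePath := os.Args[1]
+
+// get the apparmor_version version
+cmd := exec.Command("/sbin/apparmor_parser", "--version")
+
+output, err := cmd.CombinedOutput()
+if err != nil {
+log.Fatalf("getting apparmor_parser version failed: %s (%s)", err, output)
+}
+
+// parse the version from the output
+// output is in the form of the following:
+// AppArmor parser version 2.9.1
+// Copyright (C) 1999-2008 Novell Inc.
+// Copyright 2009-2012 Canonical Ltd.
+lines := strings.SplitN(string(output), "\n", 2)
+words := strings.Split(lines[0], " ")
+version := words[len(words)-1]
+// split by major minor version
+v := strings.Split(version, ".")
+if len(v) < 2 {
+log.Fatalf("parsing major minor version failed for %q", version)
+}
+
+majorVersion, err := strconv.Atoi(v[0])
+if err != nil {
+log.Fatal(err)
+}
+minorVersion, err := strconv.Atoi(v[1])
+if err != nil {
+log.Fatal(err)
+}
+data := profileData{
+MajorVersion: majorVersion,
+MinorVersion: minorVersion,
+}
+fmt.Printf("apparmor_parser is of version %+v\n", data)
+
+// parse the template
+compiled, err := template.New("apparmor_profile").Parse(dockerProfileTemplate)
+if err != nil {
+log.Fatalf("parsing template failed: %v", err)
+}
+
+// make sure /etc/apparmor.d exists
+if err := os.MkdirAll(path.Dir(apparmorProfilePath), 0755); err != nil {
+log.Fatal(err)
+}
+
+f, err := os.OpenFile(apparmorProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+if err != nil {
+log.Fatal(err)
+}
+defer f.Close()
+
+if err := compiled.Execute(f, data); err != nil {
+log.Fatalf("executing template failed: %v", err)
+}
+
+fmt.Printf("created apparmor profile for version %+v at %q\n", data, apparmorProfilePath)
+}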
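Review bot: A template error at `compiled.Execute(f, data)` leaves a truncated profile behind, because the target was already opened with `O_TRUNC` on the `os.OpenFile` line and `log.Fatalf` exits without running `defer f.Close()`; an empty or partial file under /etc/apparmor.d is what a later `apparmor_parser -r` would then load. Rendering into a `bytes.Buffer` first and only touching the file once rendering has succeeded avoids that (needs `"bytes"` in the import block), and the same Fatal-skips-defer pattern applies to every `log.Fatal` after the `defer`. Separately, `path.Dir` is meant for slash-separated URL-style paths; `filepath.Dir` from `"path/filepath"` is the right call for an OS path.
```go
// … unchanged: argument check, version parsing and template.Parse …

// Render in memory first so a template error cannot leave a truncated
// profile in /etc/apparmor.d (the file below is opened with O_TRUNC).
var rendered bytes.Buffer
if err := compiled.Execute(&rendered, data); err != nil {
	log.Fatalf("executing template failed: %v", err)
}

// make sure /etc/apparmor.d exists
if err := os.MkdirAll(filepath.Dir(apparmorProfilePath), 0755); err != nil {
	log.Fatal(err)
}

f, err := os.OpenFile(apparmorProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
if err != nil {
	log.Fatal(err)
}
if _, err := f.Write(rendered.Bytes()); err != nil {
	f.Close()
	log.Fatal(err)
}
if err := f.Close(); err != nil {
	log.Fatal(err)
}

fmt.Printf("created apparmor profile for version %+v at %q\n", data, apparmorProfilePath)
```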
Lines changed: 20 additions & 2 deletions
@@ -1,4 +1,6 @@
1-
@{DOCKER_GRAPH_PATH}=/var/lib/docker
1+
package main
2+
3+
const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker
24
35
profile /usr/bin/docker (attach_disconnected, complain) {
46
# Prevent following links to these files during container setup.
@@ -15,9 +17,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
1517
1618
umount,
1719
pivot_root,
20+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
1821
signal (receive) peer=@{profile_name},
1922
signal (receive) peer=unconfined,
2023
signal (send),
24+
{{end}}{{end}}
2125
ipc rw,
2226
network,
2327
capability,
@@ -34,10 +38,12 @@ profile /usr/bin/docker (attach_disconnected, complain) {
3438
/etc/localtime r,
3539
/etc/ld.so.cache r,
3640
41+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
3742
ptrace peer=@{profile_name},
3843
ptrace (read) peer=docker-default,
3944
deny ptrace (trace) peer=docker-default,
4045
deny ptrace peer=/usr/bin/docker///bin/ps,
46+
{{end}}{{end}}
4147
4248
/usr/lib/** rm,
4349
/lib/** rm,
@@ -57,9 +63,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
5763
/sbin/zfs rCx,
5864
/sbin/apparmor_parser rCx,
5965
66+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
6067
# Transitions
6168
change_profile -> docker-*,
6269
change_profile -> unconfined,
70+
{{end}}{{end}}
6371
6472
profile /bin/cat (complain) {
6573
/etc/ld.so.cache r,
@@ -81,8 +89,10 @@ profile /usr/bin/docker (attach_disconnected, complain) {
8189
/dev/null rw,
8290
/bin/ps mr,
8391
92+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
8493
# We don't need ptrace so we'll deny and ignore the error.
8594
deny ptrace (read, trace),
95+
{{end}}{{end}}
8696
8797
# Quiet dac_override denials
8898
deny capability dac_override,
@@ -100,11 +110,15 @@ profile /usr/bin/docker (attach_disconnected, complain) {
100110
/proc/tty/drivers r,
101111
}
102112
profile /sbin/iptables (complain) {
113+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
103114
signal (receive) peer=/usr/bin/docker,
115+
{{end}}{{end}}
104116
capability net_admin,
105117
}
106118
profile /sbin/auplink flags=(attach_disconnected, complain) {
119+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
107120
signal (receive) peer=/usr/bin/docker,
121+
{{end}}{{end}}
108122
capability sys_admin,
109123
capability dac_override,
110124
@@ -123,7 +137,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
123137
/proc/[0-9]*/mounts rw,
124138
}
125139
profile /sbin/modprobe /bin/kmod (complain) {
140+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
126141
signal (receive) peer=/usr/bin/docker,
142+
{{end}}{{end}}
127143
capability sys_module,
128144
/etc/ld.so.cache r,
129145
/lib/** rm,
@@ -137,7 +153,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
137153
}
138154
# xz works via pipes, so we do not need access to the filesystem.
139155
profile /usr/bin/xz (complain) {
156+
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
140157
signal (receive) peer=/usr/bin/docker,
158+
{{end}}{{end}}
141159
/etc/ld.so.cache r,
142160
/lib/** rm,
143161
/usr/bin/xz rm,
@@ -238,4 +256,4 @@ profile /usr/bin/docker (attach_disconnected, complain) {
238256
239257
capability mac_admin,
240258
}
241-
}
259+
}`
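Review bot: The nested guard `{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}` in the first hunk (and repeated in every later hunk of this file) requires minor >= 9 regardless of the major version, so a parser reporting 3.0 or 4.1 would drop the signal, ptrace and change_profile rules it does support. The test should mean "at least 2.9", e.g. `{{if or (gt .MajorVersion 2) (and (eq .MajorVersion 2) (ge .MinorVersion 9))}}`, or better a single precomputed bool field on profileData so each site becomes one `{{if .SupportsSignalPtrace}}` and the comparison lives in Go rather than in eight copies of template text. Because the condition is evaluated inside the template, the defect would only show up as rules silently missing from the generated profile.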
