AA: Eliminate 'file' permission
Implements the policies for the remaining binaries called by the Docker engine and eliminates the giant whitelisted 'all files' permission in favor of granular whitelisting and child-specific policies. It should be possible now to remove the 'file' permission, but for the sake of keeping Docker unbroken, we'll try to gradually tighten the policy. Signed-off-by: Eric Windisch <eric@windisch.us>
This commit is contained in:
parent
3edc88f76d
commit
8b2fcddcd2
1 changed files with 104 additions and 24 deletions
|
@ -21,51 +21,131 @@ profile /usr/bin/docker (attach_disconnected) {
|
|||
ipc rw,
|
||||
network,
|
||||
capability,
|
||||
file,
|
||||
owner /** rw,
|
||||
/var/lib/docker/** rwl,
|
||||
|
||||
# For non-root client use:
|
||||
/dev/urandom r,
|
||||
/run/docker.sock rw,
|
||||
/proc/** r,
|
||||
/sys/kernel/mm/hugepages/ r,
|
||||
/etc/localtime r,
|
||||
|
||||
ptrace peer=@{profile_name},
|
||||
ptrace (read) peer=docker-default,
|
||||
deny ptrace (trace) peer=docker-default,
|
||||
deny ptrace peer=/usr/bin/docker///bin/ps,
|
||||
|
||||
/usr/bin/docker pix,
|
||||
/sbin/xtables-multi rCix,
|
||||
/sbin/xtables-multi rCx,
|
||||
/sbin/iptables rCx,
|
||||
/sbin/modprobe rCx,
|
||||
/sbin/auplink rCx,
|
||||
/bin/kmod rCx,
|
||||
/usr/bin/xz rCx,
|
||||
/bin/ps rCx,
|
||||
/bin/cat rCx,
|
||||
/sbin/zfs rCx,
|
||||
|
||||
# Transitions
|
||||
change_profile -> docker-*,
|
||||
change_profile -> unconfined,
|
||||
|
||||
profile /bin/cat {
|
||||
/etc/ld.so.cache r,
|
||||
/lib/** r,
|
||||
/dev/null rw,
|
||||
/proc r,
|
||||
/bin/cat mr,
|
||||
|
||||
# For reading in 'docker stats':
|
||||
/proc/[0-9]*/net/dev r,
|
||||
}
|
||||
profile /bin/ps {
|
||||
/etc/ld.so.cache r,
|
||||
/etc/localtime r,
|
||||
/etc/passwd r,
|
||||
/etc/nsswitch.conf r,
|
||||
/lib/** r,
|
||||
/proc/[0-9]*/** r,
|
||||
/dev/null rw,
|
||||
/bin/ps mr,
|
||||
|
||||
# We don't need ptrace so we'll deny and ignore the error.
|
||||
deny ptrace (read, trace),
|
||||
|
||||
# Quiet dac_override denials
|
||||
deny capability dac_override,
|
||||
deny capability dac_read_search,
|
||||
deny capability sys_ptrace,
|
||||
|
||||
/dev/tty r,
|
||||
/proc/stat r,
|
||||
/proc/cpuinfo r,
|
||||
/proc/meminfo r,
|
||||
/proc/uptime r,
|
||||
/sys/devices/system/cpu/online r,
|
||||
/proc/sys/kernel/pid_max r,
|
||||
/proc/ r,
|
||||
/proc/tty/drivers r,
|
||||
}
|
||||
profile /sbin/iptables {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability net_admin,
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability net_admin,
|
||||
}
|
||||
profile /sbin/auplink flags=(attach_disconnected) {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability sys_admin,
|
||||
capability dac_override,
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability sys_admin,
|
||||
capability dac_override,
|
||||
|
||||
@{DOCKER_GRAPH_PATH}/aufs/** rw,
|
||||
# For user namespaces:
|
||||
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
|
||||
@{DOCKER_GRAPH_PATH}/aufs/** rw,
|
||||
@{DOCKER_GRAPH_PATH}/tmp/** rw,
|
||||
# For user namespaces:
|
||||
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
|
||||
|
||||
# The following may be removed via delegates
|
||||
/sys/fs/aufs/** r,
|
||||
/lib/** r,
|
||||
/apparmor/.null r,
|
||||
/dev/null rw,
|
||||
/etc/ld.so.cache r,
|
||||
/sbin/auplink rm,
|
||||
/proc/fs/aufs/** rw,
|
||||
/proc/[0-9]*/mounts rw,
|
||||
/sys/fs/aufs/** r,
|
||||
/lib/** r,
|
||||
/apparmor/.null r,
|
||||
/dev/null rw,
|
||||
/etc/ld.so.cache r,
|
||||
/sbin/auplink rm,
|
||||
/proc/fs/aufs/** rw,
|
||||
/proc/[0-9]*/mounts rw,
|
||||
}
|
||||
profile /sbin/modprobe {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability sys_module,
|
||||
file,
|
||||
profile /sbin/modprobe /bin/kmod {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
capability sys_module,
|
||||
/etc/ld.so.cache r,
|
||||
/lib/** r,
|
||||
/dev/null rw,
|
||||
/apparmor/.null rw,
|
||||
/sbin/modprobe rm,
|
||||
/bin/kmod rm,
|
||||
/proc/cmdline r,
|
||||
/sys/module/** r,
|
||||
/etc/modprobe.d{/,/**} r,
|
||||
}
|
||||
# xz works via pipes, so we do not need access to the filesystem.
|
||||
profile /usr/bin/xz {
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
signal (receive) peer=/usr/bin/docker,
|
||||
/etc/ld.so.cache r,
|
||||
/lib/** r,
|
||||
/usr/bin/xz rm,
|
||||
deny /proc/** rw,
|
||||
deny /sys/** rw,
|
||||
}
|
||||
profile /sbin/xtables-multi (attach_disconnected) {
|
||||
/etc/ld.so.cache r,
|
||||
/lib/** r,
|
||||
/sbin/xtables-multi rm,
|
||||
/apparmor/.null w,
|
||||
/dev/null rw,
|
||||
capability net_raw,
|
||||
capability net_admin,
|
||||
network raw,
|
||||
}
|
||||
profile /sbin/zfs (attach_disconnected) {
|
||||
file,
|
||||
capability,
|
||||
}
|
||||
}
|
||||
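Review bot: The new `profile /sbin/iptables { … }` child holds only `signal (receive) peer=/usr/bin/docker,` and `capability net_admin,` with no file or network rules, so once the parent transitions into it via `/sbin/iptables rCx,` the child cannot map its own binary or the loader; it needs at least the rules its sibling `/sbin/xtables-multi` profile already carries (`/etc/ld.so.cache r,`, `/lib/** r,`, `/sbin/iptables mr,`) plus the `network raw,` and `capability net_raw,` lines, and where `/sbin/iptables` is merely a symlink to xtables-multi the transition may never attach at all since AppArmor matches on the resolved path, which deserves a comment. The `/sbin/zfs` child still grants bare `file,` and `capability,`, so it is no tighter than the parent profile; given the commit's stated goal a `# TODO: still unrestricted (all files, all capabilities) — narrow to what zfs actually needs` comment would keep that visible. The auplink profile refers to `@{DOCKER_GRAPH_PATH}` while the parent still hardcodes `/var/lib/docker/** rwl,`; unless that variable is defined outside this hunk the parser will reject the profile, and if it is defined the parent rule should use it as well for consistency. The enclosing `profile /usr/bin/docker` block starts before this hunk.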