diff --git a/contrib/apparmor/docker-engine b/contrib/apparmor/docker-engine
index 07b5dd864a..a174ee440b 100644
--- a/contrib/apparmor/docker-engine
+++ b/contrib/apparmor/docker-engine
@@ -21,51 +21,131 @@ profile /usr/bin/docker (attach_disconnected) {
 ipc rw,
 network,
 capability,
- file,
+ owner /** rw,
+ /var/lib/docker/** rwl,
+
+ # For non-root client use:
+ /dev/urandom r,
+ /run/docker.sock rw,
+ /proc/** r,
+ /sys/kernel/mm/hugepages/ r,
+ /etc/localtime r,
 ptrace peer=@{profile_name},
+ ptrace (read) peer=docker-default,
+ deny ptrace (trace) peer=docker-default,
+ deny ptrace peer=/usr/bin/docker///bin/ps,
 /usr/bin/docker pix,
- /sbin/xtables-multi rCix,
+ /sbin/xtables-multi rCx,
 /sbin/iptables rCx,
 /sbin/modprobe rCx,
 /sbin/auplink rCx,
+ /bin/kmod rCx,
 /usr/bin/xz rCx,
+ /bin/ps rCx,
+ /bin/cat rCx,
+ /sbin/zfs rCx,
 # Transitions
 change_profile -> docker-*,
 change_profile -> unconfined,
+ profile /bin/cat {
+ /etc/ld.so.cache r,
+ /lib/** r,
+ /dev/null rw,
+ /proc r,
+ /bin/cat mr,
+
+ # For reading in 'docker stats':
+ /proc/[0-9]*/net/dev r,
+ }
+ profile /bin/ps {
+ /etc/ld.so.cache r,
+ /etc/localtime r,
+ /etc/passwd r,
+ /etc/nsswitch.conf r,
+ /lib/** r,
+ /proc/[0-9]*/** r,
+ /dev/null rw,
+ /bin/ps mr,
+
+ # We don't need ptrace so we'll deny and ignore the error.
+ deny ptrace (read, trace),
+
+ # Quiet dac_override denials
+ deny capability dac_override,
+ deny capability dac_read_search,
+ deny capability sys_ptrace,
+
+ /dev/tty r,
+ /proc/stat r,
+ /proc/cpuinfo r,
+ /proc/meminfo r,
+ /proc/uptime r,
+ /sys/devices/system/cpu/online r,
+ /proc/sys/kernel/pid_max r,
+ /proc/ r,
+ /proc/tty/drivers r,
+ }
 profile /sbin/iptables {
- signal (receive) peer=/usr/bin/docker,
- capability net_admin,
+ signal (receive) peer=/usr/bin/docker,
+ capability net_admin,
 }
 profile /sbin/auplink flags=(attach_disconnected) {
- signal (receive) peer=/usr/bin/docker,
- capability sys_admin,
- capability dac_override,
+ signal (receive) peer=/usr/bin/docker,
+ capability sys_admin,
+ capability dac_override,
- @{DOCKER_GRAPH_PATH}/aufs/** rw,
- # For user namespaces:
- @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
+ @{DOCKER_GRAPH_PATH}/aufs/** rw,
+ @{DOCKER_GRAPH_PATH}/tmp/** rw,
+ # For user namespaces:
+ @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
- # The following may be removed via delegates
- /sys/fs/aufs/** r,
- /lib/** r,
- /apparmor/.null r,
- /dev/null rw,
- /etc/ld.so.cache r,
- /sbin/auplink rm,
- /proc/fs/aufs/** rw,
- /proc/[0-9]*/mounts rw,
+ /sys/fs/aufs/** r,
+ /lib/** r,
+ /apparmor/.null r,
+ /dev/null rw,
+ /etc/ld.so.cache r,
+ /sbin/auplink rm,
+ /proc/fs/aufs/** rw,
+ /proc/[0-9]*/mounts rw,
 }
- profile /sbin/modprobe {
- signal (receive) peer=/usr/bin/docker,
- capability sys_module,
- file,
+ profile /sbin/modprobe /bin/kmod {
+ signal (receive) peer=/usr/bin/docker,
+ capability sys_module,
+ /etc/ld.so.cache r,
+ /lib/** r,
+ /dev/null rw,
+ /apparmor/.null rw,
+ /sbin/modprobe rm,
+ /bin/kmod rm,
+ /proc/cmdline r,
+ /sys/module/** r,
+ /etc/modprobe.d{/,/**} r,
 }
 # xz works via pipes, so we do not need access to the filesystem.
 profile /usr/bin/xz {
- signal (receive) peer=/usr/bin/docker,
+ signal (receive) peer=/usr/bin/docker,
+ /etc/ld.so.cache r,
+ /lib/** r,
+ /usr/bin/xz rm,
+ deny /proc/** rw,
+ deny /sys/** rw,
+ }
+ profile /sbin/xtables-multi (attach_disconnected) {
+ /etc/ld.so.cache r,
+ /lib/** r,
+ /sbin/xtables-multi rm,
+ /apparmor/.null w,
+ /dev/null rw,
+ capability net_raw,
+ capability net_admin,
+ network raw,
+ }
+ profile /sbin/zfs (attach_disconnected) {
+ file,
+ capability,
 }
 }
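Review bot: The new `profile /sbin/zfs (attach_disconnected) { file, capability, }` at the end of the hunk leaves the zfs child effectively unconfined (unrestricted file access plus every capability), which undoes for that path the narrowing this same hunk applies elsewhere by replacing the daemon's `file,` with `owner /** rw,` and `/var/lib/docker/** rwl,` and by enumerating modprobe's paths instead of `file,`. If the blanket rules are a stopgap, say so in the profile so they are not later read as a vetted allow-list, e.g. `# TODO: zfs is effectively unconfined here (file, + capability,); narrow to its actual paths and capabilities once known`. Separately, the /bin/cat subprofile grants `/proc r,` while the /bin/ps subprofile uses the directory form `/proc/ r,`; AppArmor treats the trailing slash as significant for directory access, so confirm which access cat needs and make the two consistent. The enclosing `profile /usr/bin/docker` block starts before this hunk.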