1package main
2
// dockerProfileTemplate is a Go text/template whose rendered output is the
// AppArmor policy for the docker daemon binary (/usr/bin/docker) together with
// the child profiles for the helpers it transitions into via `rCx` (iptables,
// xtables-multi, modprobe/kmod, auplink, mke2fs, tune2fs, blkid, xz, ps, tar,
// cat, zfs, apparmor_parser).
//
// The only template datum read is .Version, compared against 209000 in the
// `{{if ge .Version 209000}}` guards; the signal, ptrace and change_profile
// rules are emitted only when that holds. 209000 looks like an encoded
// apparmor_parser version (2.9.0) — TODO confirm against the caller that
// supplies .Version.
//
// Security-relevant points a reviewer should keep in mind:
//   - Every profile here, parent and children alike, carries the `complain`
//     flag. In complain mode AppArmor logs would-be denials but does not block
//     them, so none of these rules are enforced until that flag is dropped.
//   - The daemon profile is intentionally broad: bare `capability,` and
//     `network,` grant every capability and every socket family, `owner /** rw,`
//     grants read/write on any owner-matched path, `/proc/[0-9]*/attr/exec w`
//     lets it set the exec profile of processes it launches, and
//     `change_profile -> unconfined` lets it leave confinement entirely.
//   - The /sbin/zfs child profile is just `file,` plus `capability,` — all
//     file access and all capabilities — so it confines that helper very little.
//   - @{DOCKER_GRAPH_PATH} is fixed to /var/lib/docker inside the template.
//     A daemon configured with a different graph root would presumably not be
//     matched by the rules that use that variable — verify how this profile
//     is installed alongside the daemon's configuration.
//   - Everything inside the backquotes, including the `#` lines, is part of
//     the runtime string and therefore of the installed policy; edits here
//     change what AppArmor loads, not just what a reader sees.
const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker

profile /usr/bin/docker (attach_disconnected, complain) {
  # Prevent following links to these files during container setup.
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,
  mount -> /.pivot_root[0-9]*/,

  / r,

  umount,
  pivot_root,
{{if ge .Version 209000}}
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
{{end}}
  network,
  capability,
  owner /** rw,
  @{DOCKER_GRAPH_PATH}/** rwl,
  @{DOCKER_GRAPH_PATH}/linkgraph.db k,
  @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
  @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,

  # For non-root client use:
  /dev/urandom r,
  /dev/null rw,
  /dev/pts/[0-9]* rw,
  /run/docker.sock rw,
  /proc/** r,
  /proc/[0-9]*/attr/exec w,
  /sys/kernel/mm/hugepages/ r,
  /etc/localtime r,
  /etc/ld.so.cache r,
  /etc/passwd r,

{{if ge .Version 209000}}
  ptrace peer=@{profile_name},
  ptrace (read) peer=docker-default,
  deny ptrace (trace) peer=docker-default,
  deny ptrace peer=/usr/bin/docker///bin/ps,
{{end}}

  /usr/lib/** rm,
  /lib/** rm,

  /usr/bin/docker pix,
  /sbin/xtables-multi rCx,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /sbin/mke2fs rCx,
  /sbin/tune2fs rCx,
  /sbin/blkid rCx,
  /bin/kmod rCx,
  /usr/bin/xz rCx,
  /bin/ps rCx,
  /bin/tar rCx,
  /bin/cat rCx,
  /sbin/zfs rCx,
  /sbin/apparmor_parser rCx,

{{if ge .Version 209000}}
  # Transitions
  change_profile -> docker-*,
  change_profile -> unconfined,
{{end}}

  profile /bin/cat (complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /proc r,
    /bin/cat mr,

    # For reading in 'docker stats':
    /proc/[0-9]*/net/dev r,
  }
  profile /bin/ps (complain) {
    /etc/ld.so.cache r,
    /etc/localtime r,
    /etc/passwd r,
    /etc/nsswitch.conf r,
    /lib/** rm,
    /proc/[0-9]*/** r,
    /dev/null rw,
    /bin/ps mr,

{{if ge .Version 209000}}
    # We don't need ptrace so we'll deny and ignore the error.
    deny ptrace (read, trace),
{{end}}

    # Quiet dac_override denials
    deny capability dac_override,
    deny capability dac_read_search,
    deny capability sys_ptrace,

    /dev/tty r,
    /proc/stat r,
    /proc/cpuinfo r,
    /proc/meminfo r,
    /proc/uptime r,
    /sys/devices/system/cpu/online r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    /proc/tty/drivers r,
  }
  profile /sbin/iptables (complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    capability net_admin,
  }
  profile /sbin/auplink flags=(attach_disconnected, complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    capability sys_admin,
    capability dac_override,

    @{DOCKER_GRAPH_PATH}/aufs/** rw,
    @{DOCKER_GRAPH_PATH}/tmp/** rw,
    # For user namespaces:
    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

    /sys/fs/aufs/** r,
    /lib/** rm,
    /apparmor/.null r,
    /dev/null rw,
    /etc/ld.so.cache r,
    /sbin/auplink rm,
    /proc/fs/aufs/** rw,
    /proc/[0-9]*/mounts rw,
  }
  profile /sbin/modprobe /bin/kmod (complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    capability sys_module,
    /etc/ld.so.cache r,
    /lib/** rm,
    /dev/null rw,
    /apparmor/.null rw,
    /sbin/modprobe rm,
    /bin/kmod rm,
    /proc/cmdline r,
    /sys/module/** r,
    /etc/modprobe.d{/,/**} r,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz (complain) {
{{if ge .Version 209000}}
    signal (receive) peer=/usr/bin/docker,
{{end}}
    /etc/ld.so.cache r,
    /lib/** rm,
    /usr/bin/xz rm,
    deny /proc/** rw,
    deny /sys/** rw,
  }
  profile /sbin/xtables-multi (attach_disconnected, complain) {
    /etc/ld.so.cache r,
    /lib/** rm,
    /sbin/xtables-multi rm,
    /apparmor/.null w,
    /dev/null rw,

    /proc r,

    capability net_raw,
    capability net_admin,
    network raw,
  }
  profile /sbin/zfs (attach_disconnected, complain) {
    file,
    capability,
  }
  profile /sbin/mke2fs (complain) {
    /sbin/mke2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/mke2fs.conf r,
    /etc/mtab r,

    /dev/dm-* rw,
    /dev/urandom r,
    /dev/null rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/tune2fs (complain) {
    /sbin/tune2fs rm,

    /lib/** rm,

    /apparmor/.null w,

    /etc/blkid.conf r,
    /etc/mtab r,
    /etc/ld.so.cache r,

    /dev/null rw,
    /dev/.blkid.tab r,
    /dev/dm-* rw,

    /proc/swaps r,
    /proc/[0-9]*/mounts r,
  }
  profile /sbin/blkid (complain) {
    /sbin/blkid rm,

    /lib/** rm,
    /apparmor/.null w,

    /etc/ld.so.cache r,
    /etc/blkid.conf r,

    /dev/null rw,
    /dev/.blkid.tab rl,
    /dev/.blkid.tab* rwl,
    /dev/dm-* r,

    /sys/devices/virtual/block/** r,

    capability mknod,

    mount -> @{DOCKER_GRAPH_PATH}/**,
  }
  profile /sbin/apparmor_parser (complain) {
    /sbin/apparmor_parser rm,

    /lib/** rm,

    /etc/ld.so.cache r,
    /etc/apparmor/** r,
    /etc/apparmor.d/** r,
    /etc/apparmor.d/cache/** w,

    /dev/null rw,

    /sys/kernel/security/apparmor/** r,
    /sys/kernel/security/apparmor/.replace w,

    /proc/[0-9]*/mounts r,
    /proc/sys/kernel/osrelease r,
    /proc r,

    capability mac_admin,
  }
}`
269