3 const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker
5 profile /usr/bin/docker (attach_disconnected, complain) {
6 # Prevent following links to these files during container setup.
12 mount -> @{DOCKER_GRAPH_PATH}/**,
16 mount -> /run/docker/netns/**,
17 mount -> /.pivot_root[0-9]*/,
23 {{if ge .Version 209000}}
24 signal (receive) peer=@{profile_name},
25 signal (receive) peer=unconfined,
31 @{DOCKER_GRAPH_PATH}/** rwl,
32 @{DOCKER_GRAPH_PATH}/linkgraph.db k,
33 @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
34 @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
35 @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
37 # For non-root client use:
43 /proc/[0-9]*/attr/exec w,
44 /sys/kernel/mm/hugepages/ r,
49 {{if ge .Version 209000}}
50 ptrace peer=@{profile_name},
51 ptrace (read) peer=docker-default,
52 deny ptrace (trace) peer=docker-default,
53 deny ptrace peer=/usr/bin/docker///bin/ps,
60 /sbin/xtables-multi rCx,
73 /sbin/apparmor_parser rCx,
75 {{if ge .Version 209000}}
77 change_profile -> docker-*,
78 change_profile -> unconfined,
81 profile /bin/cat (complain) {
88 # For reading in 'docker stats':
89 /proc/[0-9]*/net/dev r,
91 profile /bin/ps (complain) {
101 {{if ge .Version 209000}}
33 # ps does not need ptrace: deny it explicitly so the refusal is silent in the audit log (ps tolerates the failed call).
103 deny ptrace (read, trace),
35 # Quiet dac_override, dac_read_search and sys_ptrace denials (an explicit deny suppresses the audit logging)
107 deny capability dac_override,
108 deny capability dac_read_search,
109 deny capability sys_ptrace,
116 /sys/devices/system/cpu/online r,
117 /proc/sys/kernel/pid_max r,
121 profile /sbin/iptables (complain) {
122 {{if ge .Version 209000}}
123 signal (receive) peer=/usr/bin/docker,
125 capability net_admin,
127 profile /sbin/auplink flags=(attach_disconnected, complain) {
128 {{if ge .Version 209000}}
129 signal (receive) peer=/usr/bin/docker,
131 capability sys_admin,
132 capability dac_override,
134 @{DOCKER_GRAPH_PATH}/aufs/** rw,
135 @{DOCKER_GRAPH_PATH}/tmp/** rw,
52 # For user namespaces: the numeric [0-9]*.[0-9]* graph roots (presumably uid.gid of the remapped root):
137 @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
146 /proc/[0-9]*/mounts rw,
148 profile /sbin/modprobe /bin/kmod (complain) {
149 {{if ge .Version 209000}}
150 signal (receive) peer=/usr/bin/docker,
152 capability sys_module,
161 /etc/modprobe.d{/,/**} r,
163 # xz works via pipes, so we do not need access to the filesystem.
164 profile /usr/bin/xz (complain) {
165 {{if ge .Version 209000}}
166 signal (receive) peer=/usr/bin/docker,
174 profile /sbin/xtables-multi (attach_disconnected, complain) {
177 /sbin/xtables-multi rm,
184 capability net_admin,
187 profile /sbin/zfs (attach_disconnected, complain) {
191 profile /sbin/mke2fs (complain) {
207 /proc/[0-9]*/mounts r,
209 profile /sbin/tune2fs (complain) {
225 /proc/[0-9]*/mounts r,
227 profile /sbin/blkid (complain) {
238 /dev/.blkid.tab* rwl,
241 /sys/devices/virtual/block/** r,
245 mount -> @{DOCKER_GRAPH_PATH}/**,
247 profile /sbin/apparmor_parser (complain) {
248 /sbin/apparmor_parser rm,
254 /etc/apparmor.d/** r,
255 /etc/apparmor.d/cache/** w,
259 /sys/kernel/security/apparmor/** r,
260 /sys/kernel/security/apparmor/.replace w,
262 /proc/[0-9]*/mounts r,
263 /proc/sys/kernel/osrelease r,
266 capability mac_admin,