ewindisch · November 26, 2020 13:26 · May 7, 2015 · May 7, 2015 · May 7, 2015
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -1,4 +1,3 @@
-
 #include <tunables/global>
 
 profile /usr/bin/docker flags=(attach_disconnected, chroot_relative) {
@@ -22,6 +21,7 @@ profile /usr/bin/docker flags=(attach_disconnected, chroot_relative) {
   /sbin/modprobe rix,
   /usr/bin/docker rix,
   /sbin/auplink rix,
+  /usr/bin/xz rix,
 
   # Client requirements...
   /var/run/docker.sock rw,

diff --git a/gistfile1.txt b/gistfile1.txt
@@ -1,10 +1,54 @@
 
-
 #include <tunables/global>
 
+profile /usr/bin/docker flags=(attach_disconnected, chroot_relative) {
+  # Daemon requirements
+  signal,
+  ipc rw,
+  network,
+  capability,
+
+  mount -> /var/lib/docker/**,
+  mount -> /,
+  mount -> /proc/**,
+  mount -> /sys/**,
+  umount,
+  pivot_root,
+  /var/lib/docker/* rw,
+  /var/run/docker.sock rw,
+  /sbin/apparmor_parser rix,
+  /sbin/xtables-multi rix,
+  /sbin/iptables rix,
+  /sbin/modprobe rix,
+  /usr/bin/docker rix,
+  /sbin/auplink rix,
+
+  # Client requirements...
+  /var/run/docker.sock rw,
+  /proc/sys/net/core/somaxconn r,
+  /proc/sys/kernel/cap_last_cap r,
+  /run/docker.sock rw,
+
+  # For accessing build contexts, local cp, etc.
+  owner /** rw,
+
+  # Transitions
+  change_profile -> docker-default,
 
-profile docker-default flags=(attach_disconnected,mediate_deleted,namespace_relative) {
+  profile /sbin/iptables {
+   capability net_admin,
+  }
+  profile /sbin/auplink {
+   capability net_admin,
+   capability net_raw,
+  }
+  profile /sbin/modprobe {
+   capability sys_module,
+   /lib/modules/*/** r,
+  }
+}
 
+profile docker-default flags=(attach_disconnected,mediate_deleted,namespace_relative, audit) {
   #include <abstractions/base>
 
   network,
@@ -24,7 +68,16 @@ profile docker-default flags=(attach_disconnected,mediate_deleted,namespace_rela
   allow capability kill,
   allow capability sys_chroot,
 
-  deny @{PROC}/*/attr/** wklx,
+  allow /var/lib/docker/** rw,
+
+  allow @{PROC}/[0-9]*/** rwkl,
+  allow @{PROC}/uptime rwkl,
+  allow @{PROC}/cpuinfo rwkl,
+
+  deny mount,
+
+  deny @{PROC}/** wklx,
+  deny @{PROC}/attr/** wklx,
   deny @{PROC}/fs/** wklx,
   deny @{PROC}/timer_stats rwklx,
   deny @{PROC}/latency_stats rwklx,
@@ -37,8 +90,6 @@ profile docker-default flags=(attach_disconnected,mediate_deleted,namespace_rela
   deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
   deny @{PROC}/sys/kernel/*/** wklx,
 
-  deny mount,
-
   deny /sys/[^f]*/** wklx,
   deny /sys/f[^s]*/** wklx,
   deny /sys/fs/[^c]*/** wklx,

diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,49 @@
+
+
+#include <tunables/global>
+
+
+profile docker-default flags=(attach_disconnected,mediate_deleted,namespace_relative) {
+
+  #include <abstractions/base>
+
+  network,
+  file,
+
+  allow capability net_raw,
+  allow capability net_bind_service,
+  allow capability audit_write,
+  allow capability dac_override,
+  allow capability setfcap,
+  allow capability setpcap,
+  allow capability setgid,
+  allow capability setuid,
+  allow capability mknod,
+  allow capability fowner,
+  allow capability fsetid,
+  allow capability kill,
+  allow capability sys_chroot,
+
+  deny @{PROC}/*/attr/** wklx,
+  deny @{PROC}/fs/** wklx,
+  deny @{PROC}/timer_stats rwklx,
+  deny @{PROC}/latency_stats rwklx,
+  deny @{PROC}/[0-9]*/attr/** wklx,
+  deny @{PROC}/sys/fs/** wklx,
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/kcore rwklx,
+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+  deny @{PROC}/sys/kernel/*/** wklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+}