docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14864 from ewindisch/apparmor-engine-policy 

Add AppArmor policy for the docker binary
This commit is contained in:
Jessie Frazelle 2015-07-22 13:56:33 -07:00
parent 80fec1dbaf 39dae54a3f
commit a7d8450312
3 changed files with 74 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
contrib/apparmor/docker-engine Normal file
View File

@ -0,0 +1,71 @@
@{DOCKER_GRAPH_PATH}=/var/lib/docker
profile /usr/bin/docker (attach_disconnected) {
# Prevent following links to these files during container setup.
deny /etc/** mkl,
deny /dev/** kl,
deny /sys/** mkl,
deny /proc/** mkl,
mount -> @{DOCKER_GRAPH_PATH}/**,
mount -> /,
mount -> /proc/**,
mount -> /sys/**,
mount -> /run/docker/netns/**,
umount,
pivot_root,
signal (receive) peer=@{profile_name},
signal (receive) peer=unconfined,
signal (send),
ipc rw,
network,
capability,
file,
ptrace peer=@{profile_name},
/usr/bin/docker pix,
/sbin/xtables-multi rCix,
/sbin/iptables rCx,
/sbin/modprobe rCx,
/sbin/auplink rCx,
/usr/bin/xz rCx,
# Transitions
change_profile -> docker-*,
change_profile -> unconfined,
profile /sbin/iptables {
signal (receive) peer=/usr/bin/docker,
capability net_admin,
}
profile /sbin/auplink flags=(attach_disconnected) {
signal (receive) peer=/usr/bin/docker,
capability sys_admin,
capability dac_override,
@{DOCKER_GRAPH_PATH}/aufs/** rw,
# For user namespaces:
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
# The following may be removed via delegates
/sys/fs/aufs/** r,
/lib/** r,
/apparmor/.null r,
/dev/null rw,
/etc/ld.so.cache r,
/sbin/auplink rm,
/proc/fs/aufs/** rw,
/proc/[0-9]*/mounts rw,
}
profile /sbin/modprobe {
signal (receive) peer=/usr/bin/docker,
capability sys_module,
file,
}
# xz works via pipes, so we do not need access to the filesystem.
profile /usr/bin/xz {
signal (receive) peer=/usr/bin/docker,
}
}

1
hack/make/.build-deb/rules
View File

@ -34,6 +34,7 @@ override_dh_installudev:
override_dh_install: override_dh_install:
dh_apparmor --profile-name=docker -pdocker-engine dh_apparmor --profile-name=docker -pdocker-engine
dh_apparmor --profile-name=docker-engine -pdocker-engine
%: %:
dh $@ --with=bash-completion $(shell command -v dh_systemd_enable > /dev/null 2>&1 && echo --with=systemd) dh $@ --with=bash-completion $(shell command -v dh_systemd_enable > /dev/null 2>&1 && echo --with=systemd)

2
hack/make/ubuntu
View File

@ -75,6 +75,7 @@ bundle_ubuntu() {
# Include contributed apparmor policy # Include contributed apparmor policy
mkdir -p "$DIR/etc/apparmor.d/" mkdir -p "$DIR/etc/apparmor.d/"
cp contrib/apparmor/docker "$DIR/etc/apparmor.d/" cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"
cp contrib/apparmor/docker-engine "$DIR/etc/apparmor.d/"
# Copy the binary # Copy the binary
# This will fail if the binary bundle hasn't been built # This will fail if the binary bundle hasn't been built
@ -95,6 +96,7 @@ fi
if ( aa-status --enabled ); then if ( aa-status --enabled ); then
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker /sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker-engine
fi fi
if ! { [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; }; then if ! { [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; }; then