felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2022-11-03 21:40:01 +00:00
parent fabddee9d6
commit a90cdbe879
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
23 changed files with 97 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/groups/virt/dockerd
View file

@ -18,11 +18,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability mknod,
capability net_admin,
capability sys_admin,
capability sys_chroot,
capability kill,
capability sys_ptrace,
network inet dgram,
network inet6 dgram,
@ -42,6 +43,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/,
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/,
ptrace (read) peer=docker-*,
ptrace (read) peer=unconfined,
signal (send) set=kill peer=docker-*,
@ -62,7 +64,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
# TODO: should be in a sub profile started with pivot_root, not supported yet.
/{,**} rw,
deny /boot/{,**} rw,
deny /dev/{,**} rw,
deny /media/{,**} rw,
deny /mnt/{,**} rw,