container-base.in revision 4845c17aff570c25e05c5347dfdcd577cb108d47
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa network,
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa capability,
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa file,
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa umount,
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa
7c7a19761235efff584ee65a1c6dc4aa1735ff64Eugen Kuksa # dbus, signal, ptrace and unix are only supported by recent apparmor
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa # versions. Comment them if the apparmor parser doesn't recognize them.
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa # This also needs additional rules to reach outside of the container via
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa # DBus, so just let all of DBus within the container.
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa dbus,
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa # Allow us to receive signals from anywhere. Note: if per-container profiles
696ecfbf968bc780c60af3e5a01691be7fa6792bEugen Kuksa # are supported, for container isolation this should be changed to something
# like:
# signal (receive) peer=unconfined,
# signal (receive) peer=/usr/bin/lxc-start,
signal (receive),
# Allow us to send signals to ourselves
signal peer=@{profile_name},
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace ourselves
ptrace peer=@{profile_name},
# Allow receive via unix sockets from anywhere. Note: if per-container
# profiles are supported, for container isolation this should be changed to
# something like:
# unix (receive) peer=(label=unconfined),
unix (receive),
# Allow all unix in the container
unix peer=(label=@{profile_name}),
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
deny mount options=(ro, remount, silent) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow hugetlbfs mounts everywhere
mount fstype=hugetlbfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse.*,
# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
# allow bind mounts of /run/{,lock} to /var/run/{,lock}
mount options=(rw, bind) /run/ -> /var/run/,
mount options=(rw, bind) /run/lock/ -> /var/lock/,
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/kcore rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/sysrq-trigger rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,