1. docker
  2. Commit 39dae54a3f40035b1b7e5ca86c53d05dec832ed2
Browse code

Add AppArmor policy for the engine

Wraps the engine itself with an AppArmor policy.

This restricts what may be done by applications
we call out to, such as 'xz'.

Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.

Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.

Signed-off-by: Eric Windisch <eric@windisch.us>

Eric Windisch authored on 2015/05/12 22:44:47
Showing 3 changed files
contrib/apparmor/docker-engine
History View file @ 39dae54
1 1 
new file mode 100644
... ... 
@@ -0,0 +1,71 @@
0 
+@{DOCKER_GRAPH_PATH}=/var/lib/docker
1 
+
2 
+profile /usr/bin/docker (attach_disconnected) {
3 
+  # Prevent following links to these files during container setup.
4 
+  deny /etc/** mkl,
5 
+  deny /dev/** kl,
6 
+  deny /sys/** mkl,
7 
+  deny /proc/** mkl,
8 
+
9 
+  mount -> @{DOCKER_GRAPH_PATH}/**,
10 
+  mount -> /,
11 
+  mount -> /proc/**,
12 
+  mount -> /sys/**,
13 
+  mount -> /run/docker/netns/**,
14 
+
15 
+  umount,
16 
+  pivot_root,
17 
+  signal (receive) peer=@{profile_name},
18 
+  signal (receive) peer=unconfined,
19 
+  signal (send),
20 
+  ipc rw,
21 
+  network,
22 
+  capability,
23 
+  file,
24 
+
25 
+  ptrace peer=@{profile_name},
26 
+
27 
+  /usr/bin/docker pix,
28 
+  /sbin/xtables-multi rCix,
29 
+  /sbin/iptables rCx,
30 
+  /sbin/modprobe rCx,
31 
+  /sbin/auplink rCx,
32 
+  /usr/bin/xz rCx,
33 
+
34 
+  # Transitions
35 
+  change_profile -> docker-*,
36 
+  change_profile -> unconfined,
37 
+
38 
+  profile /sbin/iptables {
39 
+   signal (receive) peer=/usr/bin/docker,
40 
+   capability net_admin,
41 
+  }
42 
+  profile /sbin/auplink flags=(attach_disconnected) {
43 
+   signal (receive) peer=/usr/bin/docker,
44 
+   capability sys_admin,
45 
+   capability dac_override,
46 
+
47 
+   @{DOCKER_GRAPH_PATH}/aufs/** rw,
48 
+   # For user namespaces:
49 
+   @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
50 
+
51 
+   # The following may be removed via delegates
52 
+   /sys/fs/aufs/** r,
53 
+   /lib/** r,
54 
+   /apparmor/.null r,
55 
+   /dev/null rw,
56 
+   /etc/ld.so.cache r,
57 
+   /sbin/auplink rm,
58 
+   /proc/fs/aufs/** rw,
59 
+   /proc/[0-9]*/mounts rw,
60 
+  }
61 
+  profile /sbin/modprobe {
62 
+   signal (receive) peer=/usr/bin/docker,
63 
+   capability sys_module,
64 
+   file,
65 
+  }
66 
+  # xz works via pipes, so we do not need access to the filesystem.
67 
+  profile /usr/bin/xz {
68 
+   signal (receive) peer=/usr/bin/docker,
69 
+  }
70 
+}
hack/make/.build-deb/rules
History View file @ 39dae54
... ... 
@@ -34,6 +34,7 @@ override_dh_installudev:
34 34
35 35 
 override_dh_install:
36 36 
 	dh_apparmor --profile-name=docker -pdocker-engine
37 
+	dh_apparmor --profile-name=docker-engine -pdocker-engine
37 38
38 39 
 %:
39 40 
 	dh $@ --with=bash-completion $(shell command -v dh_systemd_enable > /dev/null 2>&1 && echo --with=systemd)
hack/make/ubuntu
History View file @ 39dae54
... ... 
@@ -75,6 +75,7 @@ bundle_ubuntu() {
75 75 
 	# Include contributed apparmor policy
76 76 
 	mkdir -p "$DIR/etc/apparmor.d/"
77 77 
 	cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"
78 
+	cp contrib/apparmor/docker-engine "$DIR/etc/apparmor.d/"
78 79
79 80 
 	# Copy the binary
80 81 
 	# This will fail if the binary bundle hasn't been built
... ... 
@@ -95,6 +96,7 @@ fi
95 95
96 96 
 if ( aa-status --enabled ); then
97 97 
 	/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
98 
+	/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker-engine
98 99 
 fi
99 100
100 101 
 if ! { [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; }; then