
Policy extensions for user namespaces and docker exec

A few additions to the policy when running with user namespaces enabled
and when running 'docker exec'.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Stefan Berger authored on 2015/10/12 23:41:18
Showing 1 changed files
@@ -33,14 +33,19 @@ profile /usr/bin/docker (attach_disconnected, complain) {
33 33
   @{DOCKER_GRAPH_PATH}/linkgraph.db k,
34 34
   @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
35 35
   @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
36
+  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
36 37
 
37 38
   # For non-root client use:
38 39
   /dev/urandom r,
40
+  /dev/null rw,
41
+  /dev/pts/[0-9]* rw,
39 42
   /run/docker.sock rw,
40 43
   /proc/** r,
44
+  /proc/[0-9]*/attr/exec w,
41 45
   /sys/kernel/mm/hugepages/ r,
42 46
   /etc/localtime r,
43 47
   /etc/ld.so.cache r,
48
+  /etc/passwd r,
44 49
 
45 50
 {{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
46 51
   ptrace peer=@{profile_name},
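Review bot: The new `/proc/[0-9]*/attr/exec w,` rule has no comment saying why the daemon needs write access to a process's exec attribute, and the other additions land inside the existing `# For non-root client use:` list, which they do not appear to belong to. The commit message ties them to user namespaces and `docker exec`, so from the profile alone a reader cannot tell which rule serves which feature; `/etc/passwd r,` presumably serves the user-namespace path and `/dev/pts/[0-9]* rw,` plus the attr/exec rule the exec path, but that is inferred from the description rather than visible here. I would add a short header above each group in the file's existing style, e.g. `# For docker exec:` ahead of the pts and attr/exec rules and `# For user namespaces:` ahead of `/etc/passwd r,`, and note on the attr/exec line that the pid glob does not widen the grant beyond the daemon's own task because the kernel rejects writes to another task's attr files. The `profile /usr/bin/docker` block continues outside the hunk.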