# AppArmor abstraction meant to be included by the lxc container profiles.
# It grants the broad base permissions a container needs and then carves out
# the kernel interfaces (/proc/sys, /sys and a few /proc files) a container
# must not write to. AppArmor rules are declarative and order-independent:
# an explicit `deny` wins over any allow rule and is "quiet" (no audit entry),
# so some denials below exist only to silence log noise. Everything after the
# "generated by" marker is machine-generated; see the note there.

# Unrestricted base grants. `capability,` with no argument allows every
# capability at the AppArmor layer and `file,` allows all file access not
# explicitly denied, so the restrictions in this abstraction come entirely
# from the `deny` rules below. Note there is deliberately no bare `mount,`
# rule: mounting is allowed only for the fstypes and paths listed further down.
network,
capability,
file,
umount,

# dbus, signal, ptrace and unix are only supported by recent apparmor
# versions. Comment them if the apparmor parser doesn't recognize them.

# This also needs additional rules to reach outside of the container via
# DBus, so just let all of DBus within the container.
dbus,

# Allow us to receive signals from anywhere. Note: if per-container profiles
# are supported, for container isolation this should be changed to something
# like:
# signal (receive) peer=unconfined,
# signal (receive) peer=/usr/bin/lxc-start,
signal (receive),

# Allow us to send signals to ourselves
# (@{profile_name} expands to the name of the profile that includes this file)
signal peer=@{profile_name},

# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
# Note: 'readby' and 'tracedby' below are target-side permissions (they
# describe what may be done *to* this profile); they grant no ability to
# trace processes outside the container.
ptrace (readby),

# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),

# Allow us to ptrace ourselves
ptrace peer=@{profile_name},

# Allow receive via unix sockets from anywhere. Note: if per-container
# profiles are supported, for container isolation this should be changed to
# something like:
# unix (receive) peer=(label=unconfined),
unix (receive),

# Allow all unix in the container
unix peer=(label=@{profile_name}),

# ignore DENIED message on / remount
# (no mount rule allows this remount, so it is refused either way; the explicit
# quiet deny only keeps the attempt out of the audit log)
deny mount options=(ro, remount) -> /,
deny mount options=(ro, remount, silent) -> /,

# allow tmpfs mounts everywhere
mount fstype=tmpfs,

# allow hugetlbfs mounts everywhere
mount fstype=hugetlbfs,

# allow mqueue mounts everywhere
mount fstype=mqueue,

# allow fuse mounts everywhere
mount fstype=fuse.*,

# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

# allow bind mounts of /run/{,lock} to /var/run/{,lock}
mount options=(rw, bind) /run/ -> /var/run/,
mount options=(rw, bind) /run/lock/ -> /var/lock/,

# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
# (wklx = write, lock, link, exec; reads under /proc/sys/fs stay allowed)
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,

# allow efivars to be mounted, writing to it will be blocked though
# (by the deny /sys/firmware/efi/efivars/** rule further down)
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,

# block some other dangerous paths
# rwklx: unlike most denials in this file these also block reads, since
# kcore/kmem/mem expose kernel memory and sysrq-trigger drives the kernel's
# magic SysRq handler.
deny @{PROC}/kcore rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/sysrq-trigger rwklx,

# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
# The /sys write denials themselves live in the generated block at the end;
# the rw remount of /sys permitted here does not loosen them (mount and file
# permissions are checked independently). efivars and securityfs are denied
# rwklx, i.e. reads are blocked there as well.
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,

# generated by: lxc-generate-aa-rules.py container-rules.base
# Do not edit the rules below by hand: change container-rules.base and
# regenerate. AppArmor globbing has no "everything except this subtree" form,
# so the generator expands each allowed subtree into a chain of character-class
# negations (`[^k]*`, `ke[^r]*`, ...) plus a `name?*` rule that rejects longer
# names sharing the prefix; `{,/**}` matches both the entry itself and
# everything beneath it. Read together, the rules deny wklx (write, lock,
# link, exec; reads stay allowed) under /proc/sys and /sys except for:
#   /proc/sys/kernel/domainname and /proc/sys/kernel/hostname
#   /proc/sys/kernel/{msg,sem,shm}* (the entries themselves; anything below
#     them is still denied by the trailing `/**` rules)
#   /proc/sys/net/**
#   /sys/class/net/**, /sys/devices/virtual/net/** and /sys/fs/cgroup/**
# These rules use a literal /proc prefix rather than the @{PROC} variable used
# above.
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,