root@test:/tmp# cat apparmor-profile-docker-default
#include <tunables/global>
profile docker-default flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network,
capability,
file,
umount,
# Host (privileged) processes may send signals to container processes.
signal (receive) peer=unconfined,
# dockerd may send signals to container processes (for "docker kill").
signal (receive) peer=unconfined
,
# Container processes may send signals amongst themselves.
signal (send,receive) peer=docker-default,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/kcore rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/kernel/security/** rwklx,
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read,tracedby,readby) peer=docker-default,
}
如何使用 AppArmor 限制应用的权限-腾讯云开发者社区-腾讯云 (tencent.com)
使用 AppArmor 限制容器对资源的访问 | Kubernetes
runC CVE-2019-16884-欺骗AppArmor分析及其思考_proc_latest_参考 (sohu.com)
https://cloud.google.com/container-optimized-os/docs/how-to/secure-apparmorhttps://stackoverflow.com/questions/39308135/where-is-dockers-apparmor-profile
https://gist.github.com/dalguete/19a9d984e8a749eefaab7ec9aea6be01https://gitlab.com/apparmor/apparmor/-/wikis/QuickProfileLanguage
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/apparmorQuickProfileLanguage · Wiki · AppArmor / apparmor · GitLab
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
