mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-11-04 20:31:13 +00:00
9265f8ab67
Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default. This profile allows quite a lot, but strives to restrict access to dangerous resources. Removing the explicit authorizations to bash, systemd and cron files, forces them to keep the lxc profile for all applications inside the container. PUx permissions where leading to running systemd (and others tasks) unconfined. Put the generic files, network and capabilities restrictions directly in the TEMPLATE.lxc: this way, users can restrict them on a per container basis.
117 lines
4.1 KiB
Plaintext
117 lines
4.1 KiB
Plaintext
# Last Modified: Fri Feb 7 13:01:36 2014
|
|
|
|
#include <abstractions/base>
|
|
|
|
umount,
|
|
|
|
# ignore DENIED message on / remount
|
|
deny mount options=(ro, remount) -> /,
|
|
|
|
# allow tmpfs mounts everywhere
|
|
mount fstype=tmpfs,
|
|
|
|
# allow mqueue mounts everywhere
|
|
mount fstype=mqueue,
|
|
|
|
# allow fuse mounts everywhere
|
|
mount fstype=fuse.*,
|
|
|
|
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
|
|
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
|
deny @{PROC}/sys/fs/** wklx,
|
|
|
|
# allow efivars to be mounted, writing to it will be blocked though
|
|
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
|
|
|
# block some other dangerous paths
|
|
deny @{PROC}/sysrq-trigger rwklx,
|
|
deny @{PROC}/mem rwklx,
|
|
deny @{PROC}/kmem rwklx,
|
|
|
|
# deny writes in /sys except for /sys/fs/cgroup, also allow
|
|
# fusectl, securityfs and debugfs to be mounted there (read-only)
|
|
mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
|
mount fstype=securityfs -> /sys/kernel/security/,
|
|
mount fstype=debugfs -> /sys/kernel/debug/,
|
|
mount fstype=proc -> /proc/,
|
|
mount fstype=sysfs -> /sys/,
|
|
deny /sys/firmware/efi/efivars/** rwklx,
|
|
deny /sys/kernel/security/** rwklx,
|
|
|
|
# generated by: lxc-generate-aa-rules.py container-rules.base
|
|
deny /proc/sys/[^kn]*{,/**} wklx,
|
|
deny /proc/sys/k[^e]*{,/**} wklx,
|
|
deny /proc/sys/ke[^r]*{,/**} wklx,
|
|
deny /proc/sys/ker[^n]*{,/**} wklx,
|
|
deny /proc/sys/kern[^e]*{,/**} wklx,
|
|
deny /proc/sys/kerne[^l]*{,/**} wklx,
|
|
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
|
|
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
|
|
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
|
|
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
|
|
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
|
|
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
|
|
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
|
|
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
|
|
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
|
|
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
|
|
deny /proc/sys/kernel/domainname?*{,/**} wklx,
|
|
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
|
|
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
|
|
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
|
|
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
|
|
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
|
|
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
|
|
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
|
|
deny /proc/sys/kernel/hostname?*{,/**} wklx,
|
|
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
|
|
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
|
|
deny /proc/sys/kernel/msg*/** wklx,
|
|
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
|
|
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
|
|
deny /proc/sys/kernel/sem*/** wklx,
|
|
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
|
|
deny /proc/sys/kernel/shm*/** wklx,
|
|
deny /proc/sys/kernel?*{,/**} wklx,
|
|
deny /proc/sys/n[^e]*{,/**} wklx,
|
|
deny /proc/sys/ne[^t]*{,/**} wklx,
|
|
deny /proc/sys/net?*{,/**} wklx,
|
|
deny /sys/[^fdc]*{,/**} wklx,
|
|
deny /sys/c[^l]*{,/**} wklx,
|
|
deny /sys/cl[^a]*{,/**} wklx,
|
|
deny /sys/cla[^s]*{,/**} wklx,
|
|
deny /sys/clas[^s]*{,/**} wklx,
|
|
deny /sys/class/[^n]*{,/**} wklx,
|
|
deny /sys/class/n[^e]*{,/**} wklx,
|
|
deny /sys/class/ne[^t]*{,/**} wklx,
|
|
deny /sys/class/net?*{,/**} wklx,
|
|
deny /sys/class?*{,/**} wklx,
|
|
deny /sys/d[^e]*{,/**} wklx,
|
|
deny /sys/de[^v]*{,/**} wklx,
|
|
deny /sys/dev[^i]*{,/**} wklx,
|
|
deny /sys/devi[^c]*{,/**} wklx,
|
|
deny /sys/devic[^e]*{,/**} wklx,
|
|
deny /sys/device[^s]*{,/**} wklx,
|
|
deny /sys/devices/[^v]*{,/**} wklx,
|
|
deny /sys/devices/v[^i]*{,/**} wklx,
|
|
deny /sys/devices/vi[^r]*{,/**} wklx,
|
|
deny /sys/devices/vir[^t]*{,/**} wklx,
|
|
deny /sys/devices/virt[^u]*{,/**} wklx,
|
|
deny /sys/devices/virtu[^a]*{,/**} wklx,
|
|
deny /sys/devices/virtua[^l]*{,/**} wklx,
|
|
deny /sys/devices/virtual/[^n]*{,/**} wklx,
|
|
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
|
|
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
|
|
deny /sys/devices/virtual/net?*{,/**} wklx,
|
|
deny /sys/devices/virtual?*{,/**} wklx,
|
|
deny /sys/devices?*{,/**} wklx,
|
|
deny /sys/f[^s]*{,/**} wklx,
|
|
deny /sys/fs/[^c]*{,/**} wklx,
|
|
deny /sys/fs/c[^g]*{,/**} wklx,
|
|
deny /sys/fs/cg[^r]*{,/**} wklx,
|
|
deny /sys/fs/cgr[^o]*{,/**} wklx,
|
|
deny /sys/fs/cgro[^u]*{,/**} wklx,
|
|
deny /sys/fs/cgrou[^p]*{,/**} wklx,
|
|
deny /sys/fs/cgroup?*{,/**} wklx,
|
|
deny /sys/fs?*{,/**} wklx,
|