commit initialHEAD master

author: jerome <jerome@xlinfo.fr> 2025-11-17 01:04:51 +0100
committer: jerome <jerome@xlinfo.fr> 2025-11-17 01:04:51 +0100
commit: 1802b1b622b60fbea4dd8eef0344643e0ef100a9 (patch)
tree: 5c0fd57b1f528dff9d5cfb7432b83cbb98d7cc92 /docker-default
download: devsecops-master.tar.gz
devsecops-master.zip
1 files changed, 29 insertions, 0 deletions
diff --git a/docker-default b/docker-default
new file mode 100755
index 0000000..56a9507
--- /dev/null
+++ b/docker-default
@@ -0,0 +1,29 @@
+#include <tunables/global>
+
+
+profile docker-default flags=(attach_disconnected,mediate_deleted) {
+
+  #include <abstractions/base>
+
+
+  network,
+  capability,
+  file,
+  umount,
+
+  deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/kcore rwklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+}
author	jerome <jerome@xlinfo.fr>	2025-11-17 01:04:51 +0100
committer	jerome <jerome@xlinfo.fr>	2025-11-17 01:04:51 +0100
commit	1802b1b622b60fbea4dd8eef0344643e0ef100a9 (patch)
tree	5c0fd57b1f528dff9d5cfb7432b83cbb98d7cc92 /docker-default
download	devsecops-master.tar.gz devsecops-master.zip