Diffstat (limited to 'docker-default')
| -rwxr-xr-x | docker-default | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/docker-default b/docker-default
new file mode 100755
index 0000000..56a9507
--- /dev/null
+++ b/docker-default
@@ -0,0 +1,29 @@
+#include <tunables/global>
+
+
+profile docker-default flags=(attach_disconnected,mediate_deleted) {
+
+ #include <abstractions/base>
+
+
+ network,
+ capability,
+ file,
+ umount,
+
+ deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/kcore rwklx,
+
+ deny mount,
+
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+}
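Review bot: The five-rule chain from `deny /sys/[^f]*/** wklx` down to `deny /sys/fs/cg[^r]*/** wklx` encodes "deny write/lock/exec under /sys except the subtree whose name starts with cgr (i.e. /sys/fs/cgroup)" one path component at a time, and nothing in the profile says so; the same applies to the `deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,` rule, which appears to carve out the per-PID directories while denying the rest of /proc. Both read as opaque globs, so a later maintainer adding a sibling exception under /sys/fs would not see that the chain has to be extended rather than a single line added; a comment above each group such as `# deny wklx under /sys except /sys/fs/cgroup: the negated classes exclude one component at a time` and `# deny writes to /proc outside /proc/<pid>/; shm* is listed explicitly so it stays denied` would make the intent checkable. Because the bare `network,`, `capability,` and `file,` rules grant everything not explicitly denied, the profile's whole restriction is this deny list, which is worth stating in a header comment so that reviewers treat any edit to it as a boundary change.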
