From 1802b1b622b60fbea4dd8eef0344643e0ef100a9 Mon Sep 17 00:00:00 2001
From: jerome
Date: Mon, 17 Nov 2025 01:04:51 +0100
Subject: commit initial

---
 docker-default | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100755 docker-default

(limited to 'docker-default')

diff --git a/docker-default b/docker-default
new file mode 100755
index 0000000..56a9507
--- /dev/null
+++ b/docker-default
@@ -0,0 +1,29 @@
+#include
+
+
+profile docker-default flags=(attach_disconnected,mediate_deleted) {
+
+ #include
+
+
+ network,
+ capability,
+ file,
+ umount,
+
+ deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/kcore rwklx,
+
+ deny mount,
+
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+}
-- cgit v1.2.3
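Review bot: Lines 1 and 6 of the new file read as bare `#include` with no `<…>` target, and `@{PROC}` (used from line 14 on) is only defined by the `tunables/global` include, so the profile as shown would be rejected by apparmor_parser — if this is the stock Docker template the targets were probably lost in rendering (`#include <tunables/global>` / `#include <abstractions/base>`), but the file on disk should be checked. The `/sys` deny block (lines 22–26) carries no comment explaining the `[^f]` / `f[^s]` / `fs/[^c]` / `fs/c[^g]` / `fs/cg[^r]` chain, which together deny wklx everywhere under `/sys` except the `/sys/fs/cgroup` subtree; a line such as `# deny write/lock/exec under /sys except /sys/fs/cgroup/** (carved out by the [^x] chain)` above line 22 would save the next reader from decoding it. Note also that `network,`, `capability,` and `file,` are unqualified allows, so this profile narrows nothing beyond the explicit `deny` set — in particular the container's capability set is not reduced here and has to come from the runtime's own configuration; a one-line comment stating that intent next to line 10 would make the trust boundary explicit.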