From ad595afd0e0d8b371c1e5cbcd5c0ca9b892baddf Mon Sep 17 00:00:00 2001
From: Leon Morten Richter
Date: Sun, 22 Jan 2023 15:44:27 +0100
Subject: [PATCH] adds AppArmor profile
---
 README.md | 10 +++++
 docker-armor | 119 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
 create mode 100644 docker-armor
diff --git a/README.md b/README.md
index 43def0c..7268bd3 100644
--- a/README.md
+++ b/README.md
@@ -132,6 +132,16 @@ server {
 ```
+## AppArmor
+
+Under `./docker-armor` you can find an AppArmor profile for this stack. To use it, do the following:
+
+```
+cp ./docker-armor /etc/apparmor.d/docker-armor
+apparmor_parser -r -W /etc/apparmor.d/docker-armor
+docker-compose up -d
+```
+
 ## FAQ
 ### Why are my graphs empty?
diff --git a/docker-armor b/docker-armor
new file mode 100644
index 0000000..e9857f7
--- /dev/null
+++ b/docker-armor
@@ -0,0 +1,119 @@
+
+#include
+
+
+profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # allow basic network services
+ network inet tcp,
+ network inet udp,
+ network inet icmp,
+
+ # block raw sockets
+ deny network raw,
+ deny network packet,
+
+ file,
+ umount,
+
+ # make paths read only <=> deny write/link permission
+ deny /bin/** wl,
+ deny /boot/** wl,
+ deny /dev/** wl,
+ deny /etc/** wl,
+ deny /home/** wl,
+ deny /lib/** wl,
+ deny /lib64/** wl,
+ deny /media/** wl,
+ deny /mnt/** wl,
+ deny /opt/** wl,
+ deny /proc/** wl,
+ deny /root/** wl,
+ deny /sbin/** wl,
+ deny /srv/** wl,
+ deny /tmp/** wl,
+ deny /sys/** wl,
+ deny /usr/** wl,
+
+ # allowed process(es)
+ /usr/sbin/nginx ix,
+
+ # allowed capabilities
+ capability chown,
+ capability dac_override,
+ capability setuid,
+ capability setgid,
+ capability net_bind_service,
+
+ # Default docker stuff
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/kcore rwklx,
+ deny mount,
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+}
+
+profile docker-mikrotik-monitoring flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # allow basic network services
+ network inet tcp,
+ network inet udp,
+
+ # block raw sockets
+ deny network raw,
+ deny network packet,
+
+ file,
+ umount,
+
+ /tmp/** wl,
+
+ # make paths read only <=> deny write/link permission
+ deny /bin/** wl,
+ deny /boot/** wl,
+ deny /dev/[^shm]** wl,
+ deny /etc/** wl,
+ deny /home/** wl,
+ deny /lib/** wl,
+ deny /lib64/** wl,
+ deny /media/** wl,
+ deny /mnt/** wl,
+ deny /opt/** wl,
+ deny /proc/** wl,
+ deny /root/** wl,
+ deny /sbin/** wl,
+ deny /srv/** wl,
+ deny /sys/** wl,
+ deny /usr/** wl,
+
+ # Default docker stuff
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/kcore rwklx,
+ deny mount,
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+}
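Review bot: The rule `deny /dev/[^shm]** wl,` in docker-mikrotik-monitoring does not carve out just /dev/shm: `[^shm]` is a single-character class, so every /dev entry whose name begins with s, h or m (sd*, mapper/*, mem, stdout, ...) stays writable, which is far broader than the /dev/shm exception it appears meant to express. The hunk's own /sys/fs/cgroup rules show the precise form — `deny /dev/[^s]** wl,` / `deny /dev/s[^h]** wl,` / `deny /dev/sh[^m]** wl,` leaves only /dev/shm/** writable — and if the service logs through /dev/stdout or /dev/stderr those need the same kind of carve-out, since a deny cannot be re-allowed by a later rule. In docker-nginx, `/usr/sbin/nginx ix,` under "# allowed process(es)" is not an allowlist: the `file,` rule above it already grants execute on every path, so the comment should say so, e.g. `# documents the expected binary; file, above already permits any exec`, or the profile should be tightened to match its comment. The commit touches no compose file, so unless docker-compose.yml already sets `security_opt` with `apparmor:docker-nginx` / `apparmor:docker-mikrotik-monitoring` per service, loading the profile as the README describes leaves the containers on docker-default. The `#include` lines show no target in this rendering, presumably `<tunables/global>` and `<abstractions/base>` lost to extraction; worth confirming in the file itself, since `@{PROC}` depends on the tunables.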