d8dfun/virtual-kubelet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Ria Bhatia
2017-12-04 13:32:57 -06:00
committed by Erik St. Martin
commit 0075e5b0f3
9056 changed files with 2523100 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
vendor/github.com/hyperhq/hypercli/contrib/apparmor/main.go generated vendored Normal file
View File

@@ -0,0 +1,58 @@
package main
import (
"fmt"
"log"
"os"
"path"
"text/template"
"github.com/docker/docker/pkg/aaparser"
)
type profileData struct {
MajorVersion int
MinorVersion int
}
func main() {
if len(os.Args) < 2 {
log.Fatal("pass a filename to save the profile in.")
}
// parse the arg
apparmorProfilePath := os.Args[1]
majorVersion, minorVersion, err := aaparser.GetVersion()
if err != nil {
log.Fatal(err)
}
data := profileData{
MajorVersion: majorVersion,
MinorVersion: minorVersion,
}
fmt.Printf("apparmor_parser is of version %+v\n", data)
// parse the template
compiled, err := template.New("apparmor_profile").Parse(dockerProfileTemplate)
if err != nil {
log.Fatalf("parsing template failed: %v", err)
}
// make sure /etc/apparmor.d exists
if err := os.MkdirAll(path.Dir(apparmorProfilePath), 0755); err != nil {
log.Fatal(err)
}
f, err := os.OpenFile(apparmorProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
if err != nil {
log.Fatal(err)
}
defer f.Close()
if err := compiled.Execute(f, data); err != nil {
log.Fatalf("executing template failed: %v", err)
}
fmt.Printf("created apparmor profile for version %+v at %q\n", data, apparmorProfilePath)
}

268
vendor/github.com/hyperhq/hypercli/contrib/apparmor/template.go generated vendored Normal file
View File

@@ -0,0 +1,268 @@
package main
const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker
profile /usr/bin/docker (attach_disconnected, complain) {
# Prevent following links to these files during container setup.
deny /etc/** mkl,
deny /dev/** kl,
deny /sys/** mkl,
deny /proc/** mkl,
mount -> @{DOCKER_GRAPH_PATH}/**,
mount -> /,
mount -> /proc/**,
mount -> /sys/**,
mount -> /run/docker/netns/**,
mount -> /.pivot_root[0-9]*/,
/ r,
umount,
pivot_root,
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
signal (receive) peer=@{profile_name},
signal (receive) peer=unconfined,
signal (send),
{{end}}{{end}}
network,
capability,
owner /** rw,
@{DOCKER_GRAPH_PATH}/** rwl,
@{DOCKER_GRAPH_PATH}/linkgraph.db k,
@{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
@{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
# For non-root client use:
/dev/urandom r,
/dev/null rw,
/dev/pts/[0-9]* rw,
/run/docker.sock rw,
/proc/** r,
/proc/[0-9]*/attr/exec w,
/sys/kernel/mm/hugepages/ r,
/etc/localtime r,
/etc/ld.so.cache r,
/etc/passwd r,
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
ptrace peer=@{profile_name},
ptrace (read) peer=docker-default,
deny ptrace (trace) peer=docker-default,
deny ptrace peer=/usr/bin/docker///bin/ps,
{{end}}{{end}}
/usr/lib/** rm,
/lib/** rm,
/usr/bin/docker pix,
/sbin/xtables-multi rCx,
/sbin/iptables rCx,
/sbin/modprobe rCx,
/sbin/auplink rCx,
/sbin/mke2fs rCx,
/sbin/tune2fs rCx,
/sbin/blkid rCx,
/bin/kmod rCx,
/usr/bin/xz rCx,
/bin/ps rCx,
/bin/tar rCx,
/bin/cat rCx,
/sbin/zfs rCx,
/sbin/apparmor_parser rCx,
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
# Transitions
change_profile -> docker-*,
change_profile -> unconfined,
{{end}}{{end}}
profile /bin/cat (complain) {
/etc/ld.so.cache r,
/lib/** rm,
/dev/null rw,
/proc r,
/bin/cat mr,
# For reading in 'docker stats':
/proc/[0-9]*/net/dev r,
}
profile /bin/ps (complain) {
/etc/ld.so.cache r,
/etc/localtime r,
/etc/passwd r,
/etc/nsswitch.conf r,
/lib/** rm,
/proc/[0-9]*/** r,
/dev/null rw,
/bin/ps mr,
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
# We don't need ptrace so we'll deny and ignore the error.
deny ptrace (read, trace),
{{end}}{{end}}
# Quiet dac_override denials
deny capability dac_override,
deny capability dac_read_search,
deny capability sys_ptrace,
/dev/tty r,
/proc/stat r,
/proc/cpuinfo r,
/proc/meminfo r,
/proc/uptime r,
/sys/devices/system/cpu/online r,
/proc/sys/kernel/pid_max r,
/proc/ r,
/proc/tty/drivers r,
}
profile /sbin/iptables (complain) {
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
signal (receive) peer=/usr/bin/docker,
{{end}}{{end}}
capability net_admin,
}
profile /sbin/auplink flags=(attach_disconnected, complain) {
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
signal (receive) peer=/usr/bin/docker,
{{end}}{{end}}
capability sys_admin,
capability dac_override,
@{DOCKER_GRAPH_PATH}/aufs/** rw,
@{DOCKER_GRAPH_PATH}/tmp/** rw,
# For user namespaces:
@{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
/sys/fs/aufs/** r,
/lib/** rm,
/apparmor/.null r,
/dev/null rw,
/etc/ld.so.cache r,
/sbin/auplink rm,
/proc/fs/aufs/** rw,
/proc/[0-9]*/mounts rw,
}
profile /sbin/modprobe /bin/kmod (complain) {
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
signal (receive) peer=/usr/bin/docker,
{{end}}{{end}}
capability sys_module,
/etc/ld.so.cache r,
/lib/** rm,
/dev/null rw,
/apparmor/.null rw,
/sbin/modprobe rm,
/bin/kmod rm,
/proc/cmdline r,
/sys/module/** r,
/etc/modprobe.d{/,/**} r,
}
# xz works via pipes, so we do not need access to the filesystem.
profile /usr/bin/xz (complain) {
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
signal (receive) peer=/usr/bin/docker,
{{end}}{{end}}
/etc/ld.so.cache r,
/lib/** rm,
/usr/bin/xz rm,
deny /proc/** rw,
deny /sys/** rw,
}
profile /sbin/xtables-multi (attach_disconnected, complain) {
/etc/ld.so.cache r,
/lib/** rm,
/sbin/xtables-multi rm,
/apparmor/.null w,
/dev/null rw,
/proc r,
capability net_raw,
capability net_admin,
network raw,
}
profile /sbin/zfs (attach_disconnected, complain) {
file,
capability,
}
profile /sbin/mke2fs (complain) {
/sbin/mke2fs rm,
/lib/** rm,
/apparmor/.null w,
/etc/ld.so.cache r,
/etc/mke2fs.conf r,
/etc/mtab r,
/dev/dm-* rw,
/dev/urandom r,
/dev/null rw,
/proc/swaps r,
/proc/[0-9]*/mounts r,
}
profile /sbin/tune2fs (complain) {
/sbin/tune2fs rm,
/lib/** rm,
/apparmor/.null w,
/etc/blkid.conf r,
/etc/mtab r,
/etc/ld.so.cache r,
/dev/null rw,
/dev/.blkid.tab r,
/dev/dm-* rw,
/proc/swaps r,
/proc/[0-9]*/mounts r,
}
profile /sbin/blkid (complain) {
/sbin/blkid rm,
/lib/** rm,
/apparmor/.null w,
/etc/ld.so.cache r,
/etc/blkid.conf r,
/dev/null rw,
/dev/.blkid.tab rl,
/dev/.blkid.tab* rwl,
/dev/dm-* r,
/sys/devices/virtual/block/** r,
capability mknod,
mount -> @{DOCKER_GRAPH_PATH}/**,
}
profile /sbin/apparmor_parser (complain) {
/sbin/apparmor_parser rm,
/lib/** rm,
/etc/ld.so.cache r,
/etc/apparmor/** r,
/etc/apparmor.d/** r,
/etc/apparmor.d/cache/** w,
/dev/null rw,
/sys/kernel/security/apparmor/** r,
/sys/kernel/security/apparmor/.replace w,
/proc/[0-9]*/mounts r,
/proc/sys/kernel/osrelease r,
/proc r,
capability mac_admin,
}
}`