  1. [chris-pc ~]# cat /var/lib/lxd/security/apparmor/profiles/lxd-hlos-arch
# AppArmor profile generated by LXD for the container "hlos-arch" (LXD data
# directory /var/lib/lxd), as dumped from the host. Two AppArmor semantics
# matter for reading it: rules are not ordered (an explicit `deny` rule wins
# over any matching allow rule wherever it appears), and accesses blocked by
# an explicit `deny` are not audited by default, so some `deny` rules below
# exist only to keep expected rejections out of the host's audit log.
# Globs have no negation operator, hence the long "every prefix except X"
# enumerations (e.g. /[^spd]*, /d[^e]*, /de[^v]*, ...) used to express
# "anything except /proc, /sys and /dev/.lxc".
#include <tunables/global>
# attach_disconnected: files whose path is disconnected from the namespace
# root are mediated as if attached to it (common after pivot_root).
# mediate_deleted: rules keep applying to files that were deleted after open.
profile "lxd-hlos-arch_</var/lib/lxd>" flags=(attach_disconnected,mediate_deleted) {
### Base profile
# Broad grants for the container's own view of the system; the `deny` rules
# below carve out what must stay off-limits. `capability,` with no argument
# grants every capability AppArmor mediates; actual privilege is still bounded
# by the kernel capability set LXD/LXC leaves the container with.
capability,
dbus,
file,
network,
umount,

# Hide common denials
# Silences audit noise from init systems that try to remount / read-only.
deny mount options=(ro, remount) -> /,
deny mount options=(ro, remount, silent) -> /,

# Allow normal signal handling
# Signals may be received from anyone, but only sent to processes under this
# same profile (@{profile_name}), i.e. inside the container.
signal (receive),
signal peer=@{profile_name},

# Allow normal process handling
# Same shape as signals: the container may be traced/read by others, but its
# own ptrace reaches only processes confined by this profile.
ptrace (readby),
ptrace (tracedby),
ptrace peer=@{profile_name},

# Handle binfmt
# Mounting the pseudo-filesystem is permitted, but registering or reading
# binfmt handlers is not (rwklx = read/write/lock/link/exec all denied).
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny /proc/sys/fs/binfmt_misc/{,**} rwklx,

# Handle cgroupfs
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,

# Handle configfs
# Pattern used for several kernel pseudo-filesystems: allow the mount so the
# init system does not fail, deny all file access to its contents.
mount fstype=configfs -> /sys/kernel/config/,
deny /sys/kernel/config/{,**} rwklx,

# Handle debugfs
mount fstype=debugfs -> /sys/kernel/debug/,
deny /sys/kernel/debug/{,**} rwklx,

# Handle efivarfs
# Writable EFI variables from a container would reach host firmware state;
# contents are denied entirely.
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
deny /sys/firmware/efi/efivars/{,**} rwklx,

# Handle tracefs
mount fstype=tracefs -> /sys/kernel/tracing/,
deny /sys/kernel/tracing/{,**} rwklx,

# Handle fuse
# FUSE mounts are allowed at any mountpoint (no `->` target given).
mount fstype=fuse,
mount fstype=fuse.*,
mount fstype=fusectl -> /sys/fs/fuse/connections/,

# Handle hugetlbfs
mount fstype=hugetlbfs,

# Handle mqueue
mount fstype=mqueue,

# Handle proc
# The container may mount its own /proc, but host-sensitive entries stay
# unreadable (kcore, sysrq-trigger, acpi) or read-only (bus, sys/fs).
mount fstype=proc -> /proc/,
deny /proc/bus/** wklx,
deny /proc/kcore rwklx,
deny /proc/sysrq-trigger rwklx,
deny /proc/acpi/** rwklx,
deny /proc/sys/fs/** wklx,

# Handle securityfs (access handled separately)
# File access under /sys/kernel/security is governed by the "apparmor
# stacking" section further down.
mount fstype=securityfs -> /sys/kernel/security/,

# Handle sysfs (access handled below)
# See "Block dangerous paths under /sys" for the write restrictions.
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,

# Handle tmpfs
mount fstype=tmpfs,

# Allow limited modification of mount propagation
# Only the root mountpoint in the base profile; the unprivileged section
# later widens this to any mountpoint (`-> **`).
mount options=(rw,slave) -> /,
mount options=(rw,rslave) -> /,
mount options=(rw,shared) -> /,
mount options=(rw,rshared) -> /,
mount options=(rw,private) -> /,
mount options=(rw,rprivate) -> /,
mount options=(rw,unbindable) -> /,
mount options=(rw,runbindable) -> /,

# Allow various ro-bind-*re*-mounts
# AppArmor matches the option set of a mount rule as a whole, so each option
# combination LXC is known to issue gets its own copy of the path list.
# Every path list below is the same "anything except /proc, /sys and
# /dev/.lxc" enumeration; the leading /[^spd]* rule covers all top-level
# names not starting with s, p or d, and the remaining rules add back the
# s/p/d prefixes that are not exactly /sys, /proc or /dev/.lxc.
mount options=(ro,remount,bind) /[^spd]*{,/**},
mount options=(ro,remount,bind) /d[^e]*{,/**},
mount options=(ro,remount,bind) /de[^v]*{,/**},
mount options=(ro,remount,bind) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind) /dev/[^.]*{,/**},
mount options=(ro,remount,bind) /dev?*{,/**},
mount options=(ro,remount,bind) /p[^r]*{,/**},
mount options=(ro,remount,bind) /pr[^o]*{,/**},
mount options=(ro,remount,bind) /pro[^c]*{,/**},
mount options=(ro,remount,bind) /proc?*{,/**},
mount options=(ro,remount,bind) /s[^y]*{,/**},
mount options=(ro,remount,bind) /sy[^s]*{,/**},
mount options=(ro,remount,bind) /sys?*{,/**},

mount options=(ro,remount,bind,nodev) /[^spd]*{,/**},
mount options=(ro,remount,bind,nodev) /d[^e]*{,/**},
mount options=(ro,remount,bind,nodev) /de[^v]*{,/**},
mount options=(ro,remount,bind,nodev) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nodev) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nodev) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nodev) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nodev) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nodev) /dev?*{,/**},
mount options=(ro,remount,bind,nodev) /p[^r]*{,/**},
mount options=(ro,remount,bind,nodev) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nodev) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nodev) /proc?*{,/**},
mount options=(ro,remount,bind,nodev) /s[^y]*{,/**},
mount options=(ro,remount,bind,nodev) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nodev) /sys?*{,/**},

mount options=(ro,remount,bind,nodev,nosuid) /[^spd]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /d[^e]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /de[^v]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /dev?*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /p[^r]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /proc?*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /s[^y]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nodev,nosuid) /sys?*{,/**},

mount options=(ro,remount,bind,noexec) /[^spd]*{,/**},
mount options=(ro,remount,bind,noexec) /d[^e]*{,/**},
mount options=(ro,remount,bind,noexec) /de[^v]*{,/**},
mount options=(ro,remount,bind,noexec) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,noexec) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,noexec) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,noexec) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,noexec) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,noexec) /dev?*{,/**},
mount options=(ro,remount,bind,noexec) /p[^r]*{,/**},
mount options=(ro,remount,bind,noexec) /pr[^o]*{,/**},
mount options=(ro,remount,bind,noexec) /pro[^c]*{,/**},
mount options=(ro,remount,bind,noexec) /proc?*{,/**},
mount options=(ro,remount,bind,noexec) /s[^y]*{,/**},
mount options=(ro,remount,bind,noexec) /sy[^s]*{,/**},
mount options=(ro,remount,bind,noexec) /sys?*{,/**},

mount options=(ro,remount,bind,noexec,nodev) /[^spd]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /d[^e]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /de[^v]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /dev?*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /p[^r]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /pr[^o]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /pro[^c]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /proc?*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /s[^y]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /sy[^s]*{,/**},
mount options=(ro,remount,bind,noexec,nodev) /sys?*{,/**},

mount options=(ro,remount,bind,noatime) /[^spd]*{,/**},
mount options=(ro,remount,bind,noatime) /d[^e]*{,/**},
mount options=(ro,remount,bind,noatime) /de[^v]*{,/**},
mount options=(ro,remount,bind,noatime) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,noatime) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,noatime) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,noatime) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,noatime) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,noatime) /dev?*{,/**},
mount options=(ro,remount,bind,noatime) /p[^r]*{,/**},
mount options=(ro,remount,bind,noatime) /pr[^o]*{,/**},
mount options=(ro,remount,bind,noatime) /pro[^c]*{,/**},
mount options=(ro,remount,bind,noatime) /proc?*{,/**},
mount options=(ro,remount,bind,noatime) /s[^y]*{,/**},
mount options=(ro,remount,bind,noatime) /sy[^s]*{,/**},
mount options=(ro,remount,bind,noatime) /sys?*{,/**},

# Same option set as the previous group with the options listed in a different
# order; kept because the generator emits both spellings (presumably to match
# the two orders seen from mount tooling).
mount options=(ro,remount,noatime,bind) /[^spd]*{,/**},
mount options=(ro,remount,noatime,bind) /d[^e]*{,/**},
mount options=(ro,remount,noatime,bind) /de[^v]*{,/**},
mount options=(ro,remount,noatime,bind) /dev/.[^l]*{,/**},
mount options=(ro,remount,noatime,bind) /dev/.l[^x]*{,/**},
mount options=(ro,remount,noatime,bind) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,noatime,bind) /dev/.lxc?*{,/**},
mount options=(ro,remount,noatime,bind) /dev/[^.]*{,/**},
mount options=(ro,remount,noatime,bind) /dev?*{,/**},
mount options=(ro,remount,noatime,bind) /p[^r]*{,/**},
mount options=(ro,remount,noatime,bind) /pr[^o]*{,/**},
mount options=(ro,remount,noatime,bind) /pro[^c]*{,/**},
mount options=(ro,remount,noatime,bind) /proc?*{,/**},
mount options=(ro,remount,noatime,bind) /s[^y]*{,/**},
mount options=(ro,remount,noatime,bind) /sy[^s]*{,/**},
mount options=(ro,remount,noatime,bind) /sys?*{,/**},

mount options=(ro,remount,bind,nosuid) /[^spd]*{,/**},
mount options=(ro,remount,bind,nosuid) /d[^e]*{,/**},
mount options=(ro,remount,bind,nosuid) /de[^v]*{,/**},
mount options=(ro,remount,bind,nosuid) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nosuid) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nosuid) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nosuid) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nosuid) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nosuid) /dev?*{,/**},
mount options=(ro,remount,bind,nosuid) /p[^r]*{,/**},
mount options=(ro,remount,bind,nosuid) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nosuid) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nosuid) /proc?*{,/**},
mount options=(ro,remount,bind,nosuid) /s[^y]*{,/**},
mount options=(ro,remount,bind,nosuid) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nosuid) /sys?*{,/**},

mount options=(ro,remount,bind,nosuid,nodev) /[^spd]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /d[^e]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /de[^v]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /dev?*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /p[^r]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /proc?*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /s[^y]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nosuid,nodev) /sys?*{,/**},

mount options=(ro,remount,bind,nosuid,noexec) /[^spd]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /d[^e]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /de[^v]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /dev?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /p[^r]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /proc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /s[^y]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec) /sys?*{,/**},

mount options=(ro,remount,bind,nosuid,noexec,nodev) /[^spd]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /d[^e]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /de[^v]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /dev?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /p[^r]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /proc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /s[^y]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,nodev) /sys?*{,/**},

mount options=(ro,remount,bind,nosuid,noexec,strictatime) /[^spd]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /d[^e]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /de[^v]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /dev/[^.]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /dev?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /p[^r]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /pr[^o]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /pro[^c]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /proc?*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /s[^y]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /sy[^s]*{,/**},
mount options=(ro,remount,bind,nosuid,noexec,strictatime) /sys?*{,/**},

# Allow bind-mounts of anything except /proc, /sys and /dev/.lxc
mount options=(rw,bind) /[^spd]*{,/**},
mount options=(rw,bind) /d[^e]*{,/**},
mount options=(rw,bind) /de[^v]*{,/**},
mount options=(rw,bind) /dev/.[^l]*{,/**},
mount options=(rw,bind) /dev/.l[^x]*{,/**},
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
mount options=(rw,bind) /dev/.lxc?*{,/**},
mount options=(rw,bind) /dev/[^.]*{,/**},
mount options=(rw,bind) /dev?*{,/**},
mount options=(rw,bind) /p[^r]*{,/**},
mount options=(rw,bind) /pr[^o]*{,/**},
mount options=(rw,bind) /pro[^c]*{,/**},
mount options=(rw,bind) /proc?*{,/**},
mount options=(rw,bind) /s[^y]*{,/**},
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},

# Allow rbind-mounts of anything except /, /dev, /proc and /sys
# Recursive binds exclude the whole of /dev (no /dev/.* add-back rules here),
# since an rbind would carry every submount below the source along with it.
mount options=(rw,rbind) /[^spd]*{,/**},
mount options=(rw,rbind) /d[^e]*{,/**},
mount options=(rw,rbind) /de[^v]*{,/**},
mount options=(rw,rbind) /dev?*{,/**},
mount options=(rw,rbind) /p[^r]*{,/**},
mount options=(rw,rbind) /pr[^o]*{,/**},
mount options=(rw,rbind) /pro[^c]*{,/**},
mount options=(rw,rbind) /proc?*{,/**},
mount options=(rw,rbind) /s[^y]*{,/**},
mount options=(rw,rbind) /sy[^s]*{,/**},
mount options=(rw,rbind) /sys?*{,/**},

# Allow read-only bind-mounts of anything except /proc, /sys and /dev/.lxc
# Duplicates the first (ro,remount,bind) group above; harmless, as AppArmor
# rules are a set.
mount options=(ro,remount,bind) /[^spd]*{,/**},
mount options=(ro,remount,bind) /d[^e]*{,/**},
mount options=(ro,remount,bind) /de[^v]*{,/**},
mount options=(ro,remount,bind) /dev/.[^l]*{,/**},
mount options=(ro,remount,bind) /dev/.l[^x]*{,/**},
mount options=(ro,remount,bind) /dev/.lx[^c]*{,/**},
mount options=(ro,remount,bind) /dev/.lxc?*{,/**},
mount options=(ro,remount,bind) /dev/[^.]*{,/**},
mount options=(ro,remount,bind) /dev?*{,/**},
mount options=(ro,remount,bind) /p[^r]*{,/**},
mount options=(ro,remount,bind) /pr[^o]*{,/**},
mount options=(ro,remount,bind) /pro[^c]*{,/**},
mount options=(ro,remount,bind) /proc?*{,/**},
mount options=(ro,remount,bind) /s[^y]*{,/**},
mount options=(ro,remount,bind) /sy[^s]*{,/**},
mount options=(ro,remount,bind) /sys?*{,/**},

# Allow moving mounts except for /proc, /sys and /dev/.lxc
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
mount options=(rw,move) /de[^v]*{,/**},
mount options=(rw,move) /dev/.[^l]*{,/**},
mount options=(rw,move) /dev/.l[^x]*{,/**},
mount options=(rw,move) /dev/.lx[^c]*{,/**},
mount options=(rw,move) /dev/.lxc?*{,/**},
mount options=(rw,move) /dev/[^.]*{,/**},
mount options=(rw,move) /dev?*{,/**},
mount options=(rw,move) /p[^r]*{,/**},
mount options=(rw,move) /pr[^o]*{,/**},
mount options=(rw,move) /pro[^c]*{,/**},
mount options=(rw,move) /proc?*{,/**},
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},

# Block dangerous paths under /proc/sys
# Inverse of the enumeration trick: deny write/lock/link/exec everywhere
# under /proc/sys EXCEPT the sysctls that are namespaced for the container:
# /proc/sys/net/** and, under /proc/sys/kernel/, only shm*, sem*, msg*
# (IPC namespace), hostname and domainname (UTS namespace). Reads are not
# denied here. Being `deny` rules, they beat any allow rule in this profile.
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
# msg*, sem* and shm* are files, so only their (non-existent) subtrees are
# denied; the files themselves stay writable.
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,

# Block dangerous paths under /sys
# Writes are left possible only under /sys/class/net, /sys/devices/virtual/net
# and /sys/fs/cgroup; /sys/kernel is passed through here ([^fdck] lets k
# through) and is restricted separately in the apparmor-stacking section.
deny /sys/[^fdck]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,

### Feature: unix
# Allow receive via unix sockets from anywhere
unix (receive),

# Allow all unix in the container
# Full unix-socket access (send, connect, bind, ...) only between processes
# carrying this profile's label.
unix peer=(label=@{profile_name}),

### Feature: cgroup namespace
# Mounting the container's own cgroup view; writes are still fenced by the
# /sys/fs/cgroup deny rules above.
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=cgroup2 -> /sys/fs/cgroup/**,

### Feature: apparmor stacking
### Configuration: apparmor profile loading (in namespace)
# Same "deny everything except" enumeration for /sys/kernel: the only writable
# subtree left is /sys/kernel/security/apparmor, which is what the in-container
# AppArmor userspace needs to load policy into the container's own policy
# namespace (stacked under this profile, so it cannot loosen it).
deny /sys/k[^e]*{,/**} wklx,
deny /sys/ke[^r]*{,/**} wklx,
deny /sys/ker[^n]*{,/**} wklx,
deny /sys/kern[^e]*{,/**} wklx,
deny /sys/kerne[^l]*{,/**} wklx,
deny /sys/kernel/[^s]*{,/**} wklx,
deny /sys/kernel/s[^e]*{,/**} wklx,
deny /sys/kernel/se[^c]*{,/**} wklx,
deny /sys/kernel/sec[^u]*{,/**} wklx,
deny /sys/kernel/secu[^r]*{,/**} wklx,
deny /sys/kernel/secur[^i]*{,/**} wklx,
deny /sys/kernel/securi[^t]*{,/**} wklx,
deny /sys/kernel/securit[^y]*{,/**} wklx,
deny /sys/kernel/security/[^a]*{,/**} wklx,
deny /sys/kernel/security/a[^p]*{,/**} wklx,
deny /sys/kernel/security/ap[^p]*{,/**} wklx,
deny /sys/kernel/security/app[^a]*{,/**} wklx,
deny /sys/kernel/security/appa[^r]*{,/**} wklx,
deny /sys/kernel/security/appar[^m]*{,/**} wklx,
deny /sys/kernel/security/apparm[^o]*{,/**} wklx,
deny /sys/kernel/security/apparmo[^r]*{,/**} wklx,
deny /sys/kernel/security/apparmor?*{,/**} wklx,
deny /sys/kernel/security?*{,/**} wklx,
deny /sys/kernel?*{,/**} wklx,
# Transitions are restricted to profiles inside the container's own policy
# namespace (":lxd-hlos-arch_<var-lib-lxd>:"), never to host profiles.
change_profile -> ":lxd-hlos-arch_<var-lib-lxd>:*",
change_profile -> ":lxd-hlos-arch_<var-lib-lxd>://*",

### Configuration: unprivileged containers
# Everything from here on loosens the mount restrictions above. This is
# acceptable for an unprivileged container because its root is an unmapped
# uid on the host and the kernel, not AppArmor, is the primary isolation
# boundary. The explicit `deny` file rules above still apply (deny wins), so
# the /proc/sys and /sys write fences are unaffected by these grants.
pivot_root,

# Allow modifying mount propagation
# Widens the root-only propagation rules of the base profile to any
# mountpoint.
mount options=(rw,slave) -> **,
mount options=(rw,rslave) -> **,
mount options=(rw,shared) -> **,
mount options=(rw,rshared) -> **,
mount options=(rw,private) -> **,
mount options=(rw,rprivate) -> **,
mount options=(rw,unbindable) -> **,
mount options=(rw,runbindable) -> **,

# Allow all bind-mounts
# Supersedes the "except /proc, /sys and /dev/.lxc" bind lists above for this
# container: any source may be bound to any mountpoint.
mount options=(rw,bind) / -> /**,
mount options=(rw,bind) /** -> /**,
mount options=(rw,rbind) / -> /**,
mount options=(rw,rbind) /** -> /**,

# Allow common combinations of bind/remount
# NOTE: AppArmor bug effectively turns those into wildcards mount allow
# (i.e. with no source or mountpoint given, each rule matches any path, not
# only bind remounts of existing mounts). Review note: if the parser bug is
# fixed, these rules narrow to what their options state — verify expected
# behaviour against the AppArmor version in use.
mount options=(ro,remount,bind),
mount options=(ro,remount,bind,nodev),
mount options=(ro,remount,bind,nodev,nosuid),
mount options=(ro,remount,bind,noexec),
mount options=(ro,remount,bind,noexec,nodev),
mount options=(ro,remount,bind,nosuid),
mount options=(ro,remount,bind,nosuid,nodev),
mount options=(ro,remount,bind,nosuid,noexec),
mount options=(ro,remount,bind,nosuid,noexec,nodev),
mount options=(ro,remount,bind,nosuid,noexec,strictatime),

# Allow remounting things read-only
mount options=(ro,remount) /,
mount options=(ro,remount) /**,
}