mtask · August 29, 2023 19:46
diff --git a/docker-nginx b/docker-nginx
 #include <tunables/global>


 profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet tcp,
  network inet udp,
  network inet icmp,

  deny network raw,

  deny network packet,

  file,
  umount,
  
  # docker exec /bin/bash still works for some magical reason
  deny /{usr/,}bin/{da,ba,rba,}sh mrwklx,

  deny /{usr/,}bin/** wl,
  deny /boot/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /home/** wl,
  deny /lib/** wl,
  deny /lib64/** wl,
  deny /media/** wl,
  deny /mnt/** wl,
  deny /opt/** wl,
  deny /proc/** wl,
  deny /root/** wl,
  deny /sbin/** wl,
  deny /srv/** wl,
  deny /tmp/** wl,
  deny /sys/** wl,
  deny /usr/** wl,

  audit /** w,

  /var/run/nginx.pid w,

  /usr/sbin/nginx ix,


  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
 }
	#include <tunables/global>


	profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
	#include <abstractions/base>

	network inet tcp,
	network inet udp,
	network inet icmp,

	deny network raw,

	deny network packet,

	file,
	umount,

	# docker exec /bin/bash still works for some magical reason
	deny /{usr/,}bin/{da,ba,rba,}sh mrwklx,

	deny /{usr/,}bin/** wl,
	deny /boot/** wl,
	deny /dev/** wl,
	deny /etc/** wl,
	deny /home/** wl,
	deny /lib/** wl,
	deny /lib64/** wl,
	deny /media/** wl,
	deny /mnt/** wl,
	deny /opt/** wl,
	deny /proc/** wl,
	deny /root/** wl,
	deny /sbin/** wl,
	deny /srv/** wl,
	deny /tmp/** wl,
	deny /sys/** wl,
	deny /usr/** wl,

	audit /** w,

	/var/run/nginx.pid w,

	/usr/sbin/nginx ix,


	capability chown,
	capability dac_override,
	capability setuid,
	capability setgid,
	capability net_bind_service,

	deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
	# deny write to files not in /proc/<number>/ or /proc/sys/
	deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]}/* w,
	deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
	deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]*} w, # deny everything except shm in /proc/sys/kernel/
	deny @{PROC}/sysrq-trigger rwklx,
	deny @{PROC}/mem rwklx,
	deny @{PROC}/kmem rwklx,
	deny @{PROC}/kcore rwklx,

	deny mount,

	deny /sys/[^f]/* wklx,
	deny /sys/f[^s]/* wklx,
	deny /sys/fs/[^c]/* wklx,
	deny /sys/fs/c[^g]/* wklx,
	deny /sys/fs/cg[^r]/* wklx,
	deny /sys/firmware/** rwklx,
	deny /sys/kernel/security/** rwklx,
	}