From d9c188ee2a5e1a8c550fc519380f0c9f86529544 Mon Sep 17 00:00:00 2001
From: Lucas Briese
Date: Fri, 29 Jan 2021 14:33:22 +0100
Subject: [PATCH] updated debian / lgsm
---
apparmor/JusitoGmod | 69 -----------------------------
apparmor/generateAppArmorProfile.sh | 12 -----
lgsm/Dockerfile | 2 +-
3 files changed, 1 insertion(+), 82 deletions(-)
delete mode 100644 apparmor/JusitoGmod
delete mode 100644 apparmor/generateAppArmorProfile.sh
diff --git a/apparmor/JusitoGmod b/apparmor/JusitoGmod
deleted file mode 100644
index a6335b1..0000000
--- a/apparmor/JusitoGmod
+++ /dev/null
@@ -1,69 +0,0 @@
-// +build linux
-
-package apparmor // import "github.com/docker/docker/profiles/apparmor"
-
-// baseTemplate defines the default apparmor profile for containers.
-const baseTemplate = `
-{{range $value := .Imports}}
-{{$value}}
-{{end}}
-
-profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
-{{range $value := .InnerImports}}
- {{$value}}
-{{end}}
-
- network,
- capability,
- file,
- umount,
-{{if ge .Version 208096}}
-{{/* Allow 'docker kill' to actually send signals to container processes. */}}
- signal (receive) peer={{.DaemonProfile}},
-{{/* Allow container processes to send signals amongst themselves. */}}
- signal (send,receive) peer={{.Name}},
-{{end}}
-
- deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
- # deny write to files not in /proc//** or /proc/sys/**
- deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
- deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
- deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/kcore rwklx,
-
- deny mount,
-
- deny /sys/[^f]*/** wklx,
- deny /sys/f[^s]*/** wklx,
- deny /sys/fs/[^c]*/** wklx,
- deny /sys/fs/c[^g]*/** wklx,
- deny /sys/fs/cg[^r]*/** wklx,
- deny /sys/firmware/** rwklx,
- deny /sys/kernel/security/** rwklx,
-
- deny /bin/*/** w,
- deny /boot/*/** w,
- deny /dev/*/** w,
- deny /etc/*/** w,
- deny /home/* w,
- deny /lib/*/** w,
- deny /lib64/*/** w,
- deny /media/*/** w,
- deny /mnt/*/** w,
- deny /opt/*/** w,
- deny /proc/*/** w,
- deny /root/*/** w,
- deny /run/*/** w,
- deny /sbin/*/** w,
- deny /srv/*/** w,
- deny /sys/*/** w,
- deny /tmp/*/** w,
- deny /usr/*/** w,
- deny /var/*/** w,
-
-{{if ge .Version 208095}}
- # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
- ptrace (trace,read,tracedby,readby) peer={{.Name}},
-{{end}}
-}
\ No newline at end of file
diff --git a/apparmor/generateAppArmorProfile.sh b/apparmor/generateAppArmorProfile.sh
deleted file mode 100644
index 822b801..0000000
--- a/apparmor/generateAppArmorProfile.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-if [ "${DEBUGGING}" = "true" ]; then
- set -o xtrace
-fi
-
-set -o errexit
-set -o pipefail
-set -o nounset
-
-wget -qO "apparmor.profile" 'https://raw.githubusercontent.com/moby/moby/master/profiles/apparmor/template.go'
-
diff --git a/lgsm/Dockerfile b/lgsm/Dockerfile
index 9b687b5..cd17247 100644
--- a/lgsm/Dockerfile
+++ b/lgsm/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:stretch-slim
+FROM debian:buster-slim
 # Const \\ Overwrite Env \\ Configs possible \\ Configs needed
 # C.UTF-8 -> en_US.UTF-8