# Two AppArmor profiles: one confining the Docker daemon binary
# (/usr/bin/docker) and one (docker-default) that container processes
# are transitioned into. @{PROC} is used below, so the include target
# that was lost in rendering here is presumably <tunables/global>
# (which defines @{PROC}) — TODO restore the include path before loading.
#include

# Daemon profile. attach_disconnected: allow paths disconnected from the
# namespace root; chroot_relative: resolve paths relative to a chroot.
profile /usr/bin/docker flags=(attach_disconnected, chroot_relative) {
  # Daemon requirements
  # Unrestricted signal/ipc/network access and ALL capabilities for the
  # daemon; confinement here is mostly file- and mount-scoped.
  signal,
  ipc rw,
  network,
  capability,
  # Mounts needed to set up container rootfs/proc/sys; note "mount -> /"
  # permits mounting over the host root.
  mount -> /var/lib/docker/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  umount,
  pivot_root,
  /var/lib/docker/* rw,
  /var/run/docker.sock rw,
  # Helper binaries: "rix" = read + execute while *inheriting* this
  # profile (the executed program keeps the daemon's permissions).
  /sbin/apparmor_parser rix,
  /sbin/xtables-multi rix,
  /sbin/iptables rix,
  /sbin/modprobe rix,
  /usr/bin/docker rix,
  /sbin/auplink rix,
  /usr/bin/xz rix,
  # Client requirements...
  /var/run/docker.sock rw,
  /proc/sys/net/core/somaxconn r,
  /proc/sys/kernel/cap_last_cap r,
  /run/docker.sock rw,
  # For accessing build contexts, local cp, etc.
  # "owner" restricts this to files whose owner matches the task's fsuid;
  # if the daemon runs as root that is close to the whole filesystem.
  owner /** rw,
  # Transitions
  # Containers are launched under the docker-default profile below.
  change_profile -> docker-default,
  # NOTE(review): the three binaries below are granted "ix" above, which
  # inherits the parent profile; child profiles are only entered through
  # a "cx" transition, so as written these nested profiles appear never
  # to be used and the helpers run with the daemon's full "capability,"
  # grant instead — confirm intended exec mode.
  profile /sbin/iptables {
    capability net_admin,
  }
  profile /sbin/auplink {
    capability net_admin,
    capability net_raw,
  }
  profile /sbin/modprobe {
    capability sys_module,
    /lib/modules/*/** r,
  }
}

# Container profile. mediate_deleted: keep mediating files after unlink;
# namespace_relative: paths relative to the policy namespace; audit: log
# permitted accesses as well as denials.
profile docker-default flags=(attach_disconnected,mediate_deleted,namespace_relative, audit) {
  # Include target lost in rendering — TODO restore before loading.
  #include
  # Baseline: unrestricted networking and unrestricted file access
  # ("file,"), then an explicit capability allow-list and a deny-list
  # carving /proc and /sys out of the blanket file grant.
  network,
  file,
  allow capability net_raw,
  allow capability net_bind_service,
  allow capability audit_write,
  allow capability dac_override,
  allow capability setfcap,
  allow capability setpcap,
  allow capability setgid,
  allow capability setuid,
  allow capability mknod,
  allow capability fowner,
  allow capability fsetid,
  allow capability kill,
  allow capability sys_chroot,
  allow /var/lib/docker/** rw,
  # Per-process entries, uptime and cpuinfo are meant to stay writable
  # (r=read w=write k=lock l=link).
  allow @{PROC}/[0-9]*/** rwkl,
  allow @{PROC}/uptime rwkl,
  allow @{PROC}/cpuinfo rwkl,
  deny mount,
  # NOTE(review): in AppArmor an explicit deny takes precedence over
  # allow rules, so "deny @{PROC}/** wklx" also strips w/k/l from the
  # "allow @{PROC}/[0-9]*/** rwkl" rule above (leaving it read-only) and
  # makes every narrower @{PROC} deny below redundant, including the
  # [^s][^h][^m]* pattern that looks intended to leave sys/kernel/shm*
  # writable. Confirm whether the blanket deny is intended; if not, it
  # needs to be narrowed to exclude the per-PID and shm* paths.
  deny @{PROC}/** wklx,
  deny @{PROC}/attr/** wklx,
  deny @{PROC}/fs/** wklx,
  deny @{PROC}/timer_stats rwklx,
  deny @{PROC}/latency_stats rwklx,
  deny @{PROC}/[0-9]*/attr/** wklx,
  deny @{PROC}/sys/fs/** wklx,
  # Kernel-memory and sysrq interfaces: no access at all (x = execute).
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,
  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
  deny @{PROC}/sys/kernel/*/** wklx,
  # /sys: deny writes everywhere except under /sys/fs/cgroup (the
  # character-class chain excludes exactly that prefix).
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  # EFI variables and the security filesystem: no access at all.
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}