F30 · September 11, 2025 13:01
diff --git a/apparmor-profile.txt b/apparmor-profile.txt
 #include <tunables/global>

 # Put in "/etc/apparmor.d" and load with:
 # apparmor_parser -r -W /etc/apparmor.d/docker-gitlab

 profile docker-gitlab flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,
  # Host (privileged) processes may send signals to container processes.
  signal (receive) peer=unconfined,
  # runc may send signals to container processes (for "docker stop").
  signal (receive) peer=runc,
  # crun may send signals to container processes (for "docker stop" when used with crun OCI runtime).
  signal (receive) peer=crun,
  # dockerd may send signals to container processes (for "docker kill").
  signal (receive) peer=unconfined,
  # Container processes may send signals amongst themselves.
  signal (send,receive) peer=docker-default,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9/]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/devices/virtual/powercap/** rwklx,
  deny /sys/kernel/security/** rwklx,

  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read,tracedby,readby) peer=docker-default,
  ptrace (trace,read,tracedby,readby) peer=docker-gitlab,

  mount fstype="overlay" -> /home/user/.local/share/buildkit/**,
  mount /home/user/.local/share/buildkit/runc-overlayfs/snapshots/** -> /run/user/*/containerd-mount**,
  mount -> /var/lib/containers/storage/overlay**,
  mount -> /var/tmp/buildah**,
  mount options in (rprivate,rslave,rw) -> /,
  mount options=(bind,remount,ro),

  pivot_root /var/lib/containers/storage/overlay**,
  pivot_root /var/tmp/buildah**,

  # See https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
  userns,
 }
	#include <tunables/global>

	# Put in "/etc/apparmor.d" and load with:
	# apparmor_parser -r -W /etc/apparmor.d/docker-gitlab

	profile docker-gitlab flags=(attach_disconnected,mediate_deleted) {
	#include <abstractions/base>

	network,
	capability,
	file,
	umount,
	# Host (privileged) processes may send signals to container processes.
	signal (receive) peer=unconfined,
	# runc may send signals to container processes (for "docker stop").
	signal (receive) peer=runc,
	# crun may send signals to container processes (for "docker stop" when used with crun OCI runtime).
	signal (receive) peer=crun,
	# dockerd may send signals to container processes (for "docker kill").
	signal (receive) peer=unconfined,
	# Container processes may send signals amongst themselves.
	signal (send,receive) peer=docker-default,

	deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
	# deny write to files not in /proc/<number>/ or /proc/sys/
	deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9/]}/* w,
	deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
	deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]*} w, # deny everything except shm in /proc/sys/kernel/
	deny @{PROC}/sysrq-trigger rwklx,
	deny @{PROC}/kcore rwklx,

	deny /sys/[^f]/* wklx,
	deny /sys/f[^s]/* wklx,
	deny /sys/fs/[^c]/* wklx,
	deny /sys/fs/c[^g]/* wklx,
	deny /sys/fs/cg[^r]/* wklx,
	deny /sys/firmware/** rwklx,
	deny /sys/devices/virtual/powercap/** rwklx,
	deny /sys/kernel/security/** rwklx,

	# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
	ptrace (trace,read,tracedby,readby) peer=docker-default,
	ptrace (trace,read,tracedby,readby) peer=docker-gitlab,

	mount fstype="overlay" -> /home/user/.local/share/buildkit/**,
	mount /home/user/.local/share/buildkit/runc-overlayfs/snapshots/** -> /run/user//containerd-mount*,
	mount -> /var/lib/containers/storage/overlay**,
	mount -> /var/tmp/buildah**,
	mount options in (rprivate,rslave,rw) -> /,
	mount options=(bind,remount,ro),

	pivot_root /var/lib/containers/storage/overlay**,
	pivot_root /var/tmp/buildah**,

	# See https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
	userns,
	}
No results found