OXIESEC PANEL
Current Dir: /snap/core/17210/usr/share/apparmor/easyprof/policygroups/ubuntu-core/16.04
Server IP: 139.59.38.164
Type  Name                        Size       Modified                Perms
dir   ..                          -          10/02/2024 07:50:38 PM  rwxr-xr-x
file  container-management        2.17 KB    12/16/2015 10:40:55 PM  rw-r--r--
file  desktop                     380 bytes  01/11/2016 07:58:56 PM  rw-r--r--
file  display-server              1.65 KB    01/19/2016 06:25:11 PM  rw-r--r--
file  firewall-management         1.7 KB     11/14/2015 11:48:00 PM  rw-r--r--
file  locale-management           188 bytes  12/16/2015 09:47:27 PM  rw-r--r--
file  mir-client                  1.39 KB    01/19/2016 07:31:36 PM  rw-r--r--
file  network-admin               2.26 KB    10/05/2015 02:03:36 PM  rw-r--r--
file  network-client              172 bytes  12/16/2015 08:54:27 PM  rw-r--r--
file  network-firewall            1.7 KB     11/14/2015 11:48:00 PM  rw-r--r--
file  network-listener            1.4 KB     01/14/2016 11:24:32 PM  rw-r--r--
file  network-management          2.26 KB    10/05/2015 02:03:36 PM  rw-r--r--
file  network-monitor             1.59 KB    12/15/2015 01:50:15 PM  rw-r--r--
file  network-service             1.4 KB     01/14/2016 11:24:32 PM  rw-r--r--
file  network-status              1.59 KB    12/15/2015 01:50:15 PM  rw-r--r--
file  physical-memory-access      111 bytes  12/15/2015 02:00:23 PM  rw-r--r--
file  read-system-logs            227 bytes  12/16/2015 10:01:29 PM  rw-r--r--
file  snap-management             84 bytes   12/15/2015 01:52:34 PM  rw-r--r--
file  snapd                       84 bytes   12/15/2015 01:52:34 PM  rw-r--r--
file  system-monitor              745 bytes  01/15/2016 02:41:32 PM  rw-r--r--
file  timeserver-management       251 bytes  12/16/2015 09:22:54 PM  rw-r--r--
file  timezone-management         188 bytes  12/16/2015 09:42:49 PM  rw-r--r--
file  unix-listener               80 bytes   12/16/2015 08:54:57 PM  rw-r--r--
file  update-schedule-management  100 bytes  12/16/2015 10:02:37 PM  rw-r--r--
Editing: container-management
# Description: Can manage containers. This is restricted because it gives wide
# access to the system, which is needed for software managing containers. It is
# understood that the confinement provided here is only advisory.
# Usage: reserved

# Allow our pid file and socket
/run/@{APP_PKGNAME}/ rw,
/run/@{APP_PKGNAME}/** mrwklix,
/run/@{APP_PKGNAME}.pid rw,
/run/@{APP_PKGNAME}.sock rw,

# Wide read access to /proc, but somewhat limited writes for now
@{PROC}/ r,
@{PROC}/** r,
@{PROC}/[0-9]*/attr/exec w,
@{PROC}/sys/net/** w,
@{PROC}/[0-9]*/cmdline r,

# Wide read access to /sys
/sys/** r,

# Limit cgroup writes a bit
/sys/fs/cgroup/*/docker/ rw,
/sys/fs/cgroup/*/docker/** rw,
/sys/fs/cgroup/*/system.slice/ rw,
/sys/fs/cgroup/*/system.slice/** rw,

# We can trace ourselves
ptrace (trace) peer=@{profile_name},

# Docker needs a lot of caps, but limits them in the app container
capability,

# Allow talking to systemd
#include <abstractions/dbus-strict>
dbus (send)
     bus=system
     peer=(name=org.freedesktop.systemd*,label=unconfined),

# Allow receiving from unconfined
dbus (receive)
     bus=system
     peer=(label=unconfined),

# Docker does all kinds of mounts all over the filesystem
/dev/mapper/control rw,
/dev/mapper/docker* rw,
/dev/loop* r,
/dev/loop[0-9]* w,
mount,
umount,
pivot_root,
/.pivot_root*/ rw,

# for console access
/dev/ptmx rw,

# For loading the docker-default policy. We might be able to get rid of this
# if we load docker-default ourselves and make docker not do it.
/sbin/apparmor_parser ixr,
/etc/apparmor*/** r,
/var/lib/apparmor/profiles/docker rw,
/etc/apparmor.d/cache/docker* w,
/etc/apparmor.d/cache/.features w,
/sys/kernel/security/apparmor/** rw,

# We'll want to adjust this to support --security-opts...
change_profile -> docker-default,
signal (send) peer=docker-default,
ptrace (read, trace) peer=docker-default,

# This is exceedingly unfortunate but needed since privileged containers run
# unconfined.
#signal (send) peer=unconfined,
#ptrace (read, trace) peer=unconfined,

/ r,
/dev/ r,
/dev/**/ r,
/proc r,
/dev/dm-* rw,
/dev/shm/aufs.xino rw,
@{PROC}/fs/aufs/plink_maint rw,
/bin/chown ixr,
capability sys_resource,
/sbin/killall5 ixr,
/sbin/dmsetup ixr,