# nginx-sample profile definition (TOML).
# NOTE(review): the keys (ReadOnlyPaths, AllowExec, Capabilities.Allow,
# Network.Raw ...) look like a bane-style container profile that is turned
# into an AppArmor profile; confirm which generator consumes this file.
#
# Name of the profile. The generator prefixes it with `docker-`,
# so the final profile name will be `docker-nginx-sample`.
Name = "nginx-sample"

[Filesystem]
# Read-only paths for the container: readable, never writable.
# The globs cover most of the root tree. /var and /run are deliberately
# absent so that the single WritablePaths entry below can grant the pid
# file; confirm how the generator treats paths that appear in no list.
ReadOnlyPaths = [
 "/bin/**",
 "/boot/**",
 "/dev/**",
 "/etc/**",
 "/home/**",
 "/lib/**",
 "/lib64/**",
 "/media/**",
 "/mnt/**",
 "/opt/**",
 "/proc/**",
 "/root/**",
 "/sbin/**",
 "/srv/**",
 "/tmp/**",
 "/sys/**",
 "/usr/**",
]

# Paths where a write attempt is logged. "/**" means every write anywhere
# in the tree is recorded, which gives an audit trail for spotting
# unexpected writes (e.g. a compromised worker dropping files).
LogOnWritePaths = [
 "/**"
]

# The only path the container may write to.
# NOTE(review): nginx typically also writes logs and cache under /var;
# confirm those are either handled elsewhere or intentionally denied.
WritablePaths = [
 "/var/run/nginx.pid"
]

# Executables the container is allowed to run: nothing but the nginx binary.
AllowExec = [
 "/usr/sbin/nginx"
]

# Executables explicitly denied. Denying the shells and top limits what
# can be spawned from the nginx process if it is compromised.
DenyExec = [
 "/bin/dash",
 "/bin/sh",
 "/usr/bin/top"
]

# Allowed Linux capabilities; everything not listed is dropped.
# chown            - change file ownership
# dac_override     - bypass discretionary file permission checks; the
#                    broadest grant here, keep only if actually needed
# setuid / setgid  - change process uid/gid (presumably so the master can
#                    drop to the worker user; confirm)
# net_bind_service - bind to ports below 1024 (80/443)
[Capabilities]
Allow = [
 "chown",
 "dac_override",
 "setuid",
 "setgid",
 "net_bind_service"
]

[Network]
# Raw and packet sockets are denied. ping needs a raw socket, so if the
# container never needs to ping, Raw can stay false as it is here.
# NOTE(review): presumably these map to the generator's network raw /
# packet rules; confirm.
Raw = false
Packet = false
# Protocol families the container may use.
# NOTE(review): icmp is listed although Raw is false; confirm whether icmp
# is usable without raw sockets under this profile, otherwise drop it.
Protocols = [
 "tcp",
 "udp",
 "icmp"
]