include # Docker overlay @{docker_root}=/docker/ /var/lib/docker/ @{fs_root}=/ @{docker_root}/overlay2/*/diff/ @{do_etc}=@{fs_root}/etc/ @{do_opt}=@{fs_root}/opt/ @{do_run}=@{fs_root}/{run,var/run}/ @{do_usr}=@{fs_root}/usr/ @{do_var}=@{fs_root}/var/ # Nginx data dirs @{nginx_data}=@{do_usr}/lib/nginx/ @{do_usr}/share/nginx/ @{do_var}/lib/nginx/ profile loki flags=(attach_disconnected,mediate_deleted) { include include # Send signals to child services signal (send) peer=@{profile_name}//*, # Network access network tcp, network udp, # Capabilities to run service as non-root capability kill, capability dac_override, capability chown, capability fowner, capability fsetid, capability setuid, capability setgid, # S6-Overlay /init rix, /bin/** rix, /usr/bin/** rix, @{do_etc}/s6*/** r, @{do_etc}/fix-attrs.d/{,**} r, @{do_etc}/cont-{init,finish}.d/{,**} rwix, @{do_etc}/services.d/{,**} rwix, @{do_run}/{s6,s6-rc*,service}/** rix, /command/** rix, /package/** rix, @{do_run}/{,**} rwk, /dev/tty rw, @{do_usr}/lib/locale/{,**} r, @{do_etc}/ssl/openssl.cnf r, @{do_etc}/ssl1.1/openssl.cnf r, @{do_etc}/{group,hosts,passwd,resolv.conf} r, /dev/null k, # Needed for v2, not v3 @{do_etc}/s6/** rix, # Bashio /usr/lib/bashio/** ix, /tmp/** rw, # Options.json & addon data /data r, /data/** rw, # Needed for setup @{do_etc}/{loki,nginx}/{,**} rw, @{nginx_data}/{,**} rw, @{do_var}/log/nginx/{,**} rw, /{share,ssl}/{,**} r, # Programs /usr/bin/loki cx -> loki, /usr/sbin/nginx Cx -> nginx, profile loki flags=(attach_disconnected,mediate_deleted) { include # Receive signals from s6 signal (receive) peer=*_loki, # Network access network tcp, network udp, network netlink raw, network unix dgram, # Addon data /data/** r, /data/loki/** rwk, # Config @{do_etc}/loki/* r, /share/** r, # Runtime usage owner /tmp/** rwk, /usr/bin/loki rm, @{do_etc}/hosts r, @{do_etc}/{nsswitch,resolv}.conf r, @{PROC}/sys/net/core/somaxconn r, @{PROC}/@{pid}/cpuset r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, } profile nginx flags=(attach_disconnected,mediate_deleted) { include # Receive signals from s6 signal (receive) peer=*_loki, # Network access network tcp, # Capabilities to lower privileges capability dac_override, capability mknod, capability setuid, capability setgid, # Allow parent to ptrace ptrace (read) peer=*_loki, # Config files @{do_etc}/nginx/** r, /ssl/** r, # Service data @{do_var}/lib/nginx/tmp/** rw, @{do_var}/log/nginx/* w, @{nginx_data}/** r, # Runtime usage @{do_run}/nginx.pid rw, @{PROC}/1/fd/1 w, /usr/sbin/nginx rm, @{do_etc}/{group,passwd} r, @{do_etc}/ssl/openssl.cnf r, @{do_etc}/ssl1.1/openssl.cnf r, } }