AppArmor profile tweaks

aws · Dec 11, 2023 · e5fd83a · e5fd83a
1 parent 1a433bc
commit e5fd83a
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/ecs-init/apparmor/apparmor.go b/ecs-init/apparmor/apparmor.go
@@ -22,6 +22,8 @@ profile ecs-agent-default flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
 
   network,
+  # deny raw socket creation to prevent exploits that perform network attacks (arp, ip spoofing, etc.)
+  deny network socket,
   capability,
   file,
   umount,
@@ -31,7 +33,7 @@ profile ecs-agent-default flags=(attach_disconnected,mediate_deleted) {
   signal (send,receive) peer=ecs-agent-default,
 
   # ECS agent requires DBUS send
-  dbus (send) bus=system,
+  dbus (send,receive) bus=system,
 
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**