felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): continue replacing [0-9]* by @{int}.

Browse source
This commit is contained in:
Alexandre Pujol 2024-02-26 21:10:53 +00:00
parent 99e4c4622d
commit 00051bd2f0
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
100 changed files with 222 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/virt/cni-calico
View file

@ -31,7 +31,7 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
/var/lib/calico/{,**} r,
/var/log/calico/cni/ r,
/var/log/calico/cni/cni.log rw,
/var/log/calico/cni/cni-@{date}T@{time}.[0-9]*.log rw,
/var/log/calico/cni/cni-@{date}T@{time}.@{int}.log rw,
/usr/share/mime/globs2 r,

20
apparmor.d/groups/virt/containerd
View file

@ -32,13 +32,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
network netlink raw,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
mount -> /tmp/ctd-volume[0-9]*/,
mount -> /var/lib/containerd/tmpmounts/containerd-mount@{int}/,
mount -> /tmp/ctd-volume@{int}/,
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
umount /tmp/ctd-volume[0-9]*/,
umount /var/lib/containerd/tmpmounts/containerd-mount@{int}/,
umount /tmp/ctd-volume@{int}/,
umount @{run}/netns/cni-@{uuid},
signal (receive) set=term peer={dockerd,k3s},
@ -72,7 +72,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
/var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl,
/var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl,
/var/lib/containerd/{,**} rwk,
/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
/var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,
/var/lib/docker/containerd/{,**} rwk,
/var/lib/kubelet/seccomp/{,**} r,
/var/lib/security-profiles-operator/{,**} r,
@ -86,10 +86,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
@{run}/netns/cni-@{uuid} rw,
@{run}/systemd/notify w,
owner /var/tmp/** rwkl,
/tmp/cri-containerd.apparmor.d@{int} rwl,
/tmp/ctd-volume@{int}/{,**} rw,
owner /tmp/** rwkl,
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
/tmp/ctd-volume[0-9]*/{,**} rw,
owner /var/tmp/** rwkl,
@{sys}/fs/cgroup/kubepods/** r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@ -97,11 +97,11 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/task/@{tid}/ns/net rw,
@{PROC}/sys/net/core/somaxconn r,
owner @{PROC}/@{pids}/attr/current r,
owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/uid_map r,
owner @{PROC}/@{pids}/mountinfo r,
@{PROC}/sys/net/core/somaxconn r,
owner @{PROC}/@{pids}/uid_map r,
/dev/bsg/ r,
/dev/bus/ r,

6
apparmor.d/groups/virt/containerd-shim-runc-v2
View file

@ -32,9 +32,9 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
@{bin}/runc rPUx,
/tmp/runc-process[0-9]* rw,
/tmp/pty[0-9]*/ rw,
/tmp/pty[0-9]*/pty.sock rw,
/tmp/runc-process@{int} rw,
/tmp/pty@{int}/ rw,
/tmp/pty@{int}/pty.sock rw,
@{run}/containerd/{,containerd.sock.ttrpc} rw,
@{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/@{int}/@{hex}-{stdin,stdout,stderr} rw,

14
apparmor.d/groups/virt/dockerd
View file

@ -34,16 +34,16 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
mount /var/lib/docker/overlay2/**/,
mount options=(rw, bind) -> /run/docker/netns/*,
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
mount options=(rw, rprivate) -> /.pivot_root@{int}/,
mount options=(rw, rslave) -> /,
umount /.pivot_root[0-9]*/,
umount /.pivot_root@{int}/,
umount /run/docker/netns/*,
umount /var/lib/docker/overlay*/**/,
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/,
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/,
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/,
ptrace (read) peer=docker-*,
ptrace (read) peer=unconfined,
@ -70,7 +70,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
owner @{lib}/docker/overlay2/*/work/{,**} rw,
owner /var/lib/docker/{,**} rwk,
owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix,
owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
@{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/cpuset.cpus.effective r,
@ -88,7 +88,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw,
@{PROC}/sys/net/ipv{4,6}/conf/docker[0-9]*/accept_ra rw,
@{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw,
@{PROC}/sys/net/ipv{4,6}/ip_forward rw,
@{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
owner @{PROC}/@{pids}/attr/current r,

2
apparmor.d/groups/virt/k3s
View file

@ -160,7 +160,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-[0-9]*.scope/{,**/} r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r,
@{sys}/kernel/mm/hugepages/ r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

2
apparmor.d/groups/virt/libvirtd
View file

@ -154,7 +154,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{run}/libvirt/ rw,
@{run}/libvirt/** rwk,
@{run}/libvirtd.pid wk,
@{run}/lock/LCK.._pts_[0-9]* rw,
@{run}/lock/LCK.._pts_@{int} rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/notify w,
@{run}/utmp rk,

2
apparmor.d/groups/virt/virtiofsd
View file

@ -46,7 +46,7 @@ profile virtiofsd @{exec_path} {
@{exec_path} mr,
/ r,
/var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
/var/lib/libvirt/qemu/*/fs@{int}-fs.sock rw,
@{user_publicshare_dirs}/{,**} r,
@{user_vm_dirs}/{,**} r,

2
apparmor.d/groups/virt/virtnodedevd
View file

@ -61,7 +61,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c21:@{int} r, # Generic SCSI access
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers