felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): use the new hex variable.

Browse source
This commit is contained in:
Alexandre Pujol 2022-09-03 14:43:34 +01:00
parent 5d0c521e44
commit 3b56d3ff0f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
70 changed files with 142 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/virt/containerd
View file

@ -31,12 +31,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
mount -> /tmp/ctd-volume[0-9]*/,
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
umount /tmp/ctd-volume[0-9]*/,
umount @{run}/netns/cni-@{uuid},

14
apparmor.d/groups/virt/containerd-shim-runc-v2
View file

@ -22,8 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
ptrace (read) peer=containerd,
ptrace (read) peer=unconfined,
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
@{exec_path} mrix,
@ -34,12 +34,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
/tmp/pty[0-9]*/pty.sock rw,
@{run}/containerd/{,containerd.sock.ttrpc} rw,
@{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw,
@{run}/containerd/s/{,[0-9a-f]*} rw,
@{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/[0-9]*/@{hex}-{stdin,stdout,stderr} rw,
@{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/@{hex}/{,*} rw,
@{run}/containerd/s/{,@{hex}} rw,
@{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/@{hex}/@{hex}-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/@{hex}/init-{stdin,stdout,stderr} rw,
@{run}/docker/containerd/daemon/io.containerd.*/{,**} rw,
@{run}/secrets/kubernetes.io/serviceaccount/*/token w,

4
apparmor.d/groups/virt/k3s
View file

@ -61,7 +61,7 @@ profile k3s @{exec_path} {
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
/var/lib/rancher/k3s/data/@{hex}/bin/* rix,
@{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
/usr/share/mime/globs2 r,
@ -145,7 +145,7 @@ profile k3s @{exec_path} {
@{sys}/devices/virtual/block/*/** r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
@{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r,
@{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
@{sys}/fs/cgroup/{,*,*/} r,