diff --git a/README.md b/README.md index 1b082b24f..97c37edbe 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it * An `apparmor` based linux distribution. * Base profiles and abstractions shipped with AppArmor are supposed to be installed. +* Go +* rsync **Archlinux** @@ -65,6 +67,8 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ Build using standard Debian package build tools: ```sh +sudo apt install debhelper ubuntu-dev-tools config-package-dev golang-go apparmor-profiles rsync + dpkg-buildpackage -b -d --no-sign sudo dpkg -i ../apparmor.d_*_all.deb ``` diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 97bae8b72..5e8549ab9 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -9,8 +9,10 @@ /dev/ r, # Regular disk/partition devices + /dev/block/ r, /dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]*[0-9]* rk, + /dev/disk/*/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, @@ -35,11 +37,14 @@ # LUKS/LVM (device-mapper) devices /dev/dm-[0-9]* rk, + /dev/mapper/* r, @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, # ZFS devices /dev/zd[0-9]* rk, + /dev/zvol/ r, + /dev/zvol/*/ r, @{sys}/devices/virtual/block/zd[0-9]*/ r, @{sys}/devices/virtual/block/zd[0-9]*/** r, diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico new file mode 100644 index 000000000..ad021b216 --- /dev/null +++ b/apparmor.d/groups/virt/calico 
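Review bot: `/dev/zvol/*/ r,` in the ZFS block of the second disks-read hunk only reaches the per-pool directory, while zvols of nested datasets are, as far as I know, exposed one directory per dataset level (`/dev/zvol/<pool>/<parent>/<child>`), so a consumer enumerating volumes is still denied below the first level; `/dev/zvol/**/ r,` keeps the grant to directory listings and covers the whole tree. In the device-mapper block, `/dev/mapper/* r,` is weaker than the `rk` given to `/dev/dm-[0-9]*` directly above it; the mapper entries are usually symlinks, in which case the new rule is moot, but where they are real nodes a reader that locks the device will still be denied, so `rk` is the consistent choice. Both hunks sit in the middle of the abstraction, whose head and tail are outside this diff.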
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /opt/cni/bin/calico
+profile calico @{exec_path} {
+ include
+
+ network inet,
+ network inet6,
+
+ @{exec_path} mr,
+ @{exec_path}-ipam rix,
+
+ /etc/cni/net.d/{,**} r,
+
+ /var/lib/calico/{,**} r,
+ /var/log/calico/cni/ r,
+ /var/log/calico/cni/cni.log rw,
+
+ @{run}/calico/ipam.lock rwk,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth
new file mode 100644
index 000000000..c477581d1
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-bandwidth
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /opt/cni/bin/bandwidth
+profile bandwidth @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ network inet,
+ network netlink raw,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
new file mode 100644
index 000000000..e1389f93a
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /opt/cni/bin/loopback
+profile loopback @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap
new file mode 100644
index 000000000..8d7688441
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-portmap
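Review bot: profile calico is installed in enforce mode (no `flags=(complain)`), yet it grants none of the privileges a CNI plugin that plumbs pod interfaces from the host side is normally expected to use: there is no `network netlink raw`, no `capability net_admin` or `capability sys_admin`, and no rule for the sandbox netns that containerd hands it (`@{run}/netns/cni-@{uuid}` in the containerd hunk of this same commit). If that work is done elsewhere on the system this was tested on, say so in a comment; otherwise stage the profile with `flags=(complain)` the way the zfs and zpool profiles in this commit are, and add the rules once the audit log confirms them. A one-line comment naming which calico version and CNI operations (ADD/DEL) were exercised would make the rule set reviewable later.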
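Review bot: profile bandwidth places its two `network` rules after `@{exec_path} mr,`, unlike the calico profile and the containerd profile in this commit, where network rules come before the exec rule; moving `network inet,` and `network netlink raw,` above `@{exec_path} mr,` makes the four CNI profiles read alike. Beyond style, `network netlink raw` suggests the plugin programs qdiscs over netlink, which ordinarily needs `capability net_admin` that is absent here and, since the profile is not in complain mode, would be denied rather than logged; confirm against the audit log before relying on enforce mode.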
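Review bot: profile loopback grants nothing beyond the exec rule and the hugepage sysfs read, yet bringing `lo` up inside the sandbox netns presumably needs `network netlink raw` plus `capability net_admin` and `capability sys_admin` (for setns); none are present and the profile is not in complain mode, so either the caller does that work on this system or the denials simply have not been observed yet. Add the rules or a `flags=(complain)` first landing, and a short comment such as `# Brings up the lo interface inside the container's netns` so the next reader knows what the profile is meant to permit.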
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /opt/cni/bin/portmap
+profile portmap @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index e279b4848..882ba9e09 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
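Review bot: profile portmap contains no exec rule, but as far as I recall the upstream portmap plugin programs its DNAT rules by running the iptables/ip6tables binaries through go-iptables, which this profile would deny outright in enforce mode; if that is still how it works, an exec rule such as `/{usr/,}{s,}bin/{ip,ip6}tables rPx,` (or a `rCx` child profile) together with `capability net_admin` is needed, and `flags=(complain)` is the safer first landing. This file differs from cni-loopback only in the path and profile name, so if both are intentionally minimal a comment stating why would save the next reviewer the same question.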
@@ -7,38 +7,93 @@ abi , include @{exec_path} = /{usr/,}bin/containerd -profile containerd @{exec_path} { +profile containerd @{exec_path} flags=(attach_disconnected) { include + include + include + include + include + capability chown, capability dac_read_search, capability net_admin, capability sys_admin, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + + umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + signal (receive) set=term peer=dockerd, - @{exec_path} mr, - + @{exec_path} mr, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, + /opt/cni/bin/loopback rPx, + /opt/cni/bin/portmap rPx, + /opt/cni/bin/bandwidth rPx, + /opt/cni/bin/calico rPx, + + /var/log/pods/**/[0-9]*.log w, + @{run}/calico/ w, + + @{run}/netns/ w, + @{run}/netns/cni-@{uuid} rw, + /var/lib/cni/results/cni-loopback-@{uuid}-lo l, + @{PROC}/@{pid}/task/@{tid}/ns/net rw, + /var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/docker/containerd/{,**} rwk, - @{run}/containerd/{,**} rwk, - @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, - @{run}/systemd/notify w, + @{run}/systemd/notify w, + @{run}/containerd/{,**} rwk, + @{run}/docker/containerd/{,**} rwk, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + + # AppArmor within containers + 
@{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/apparmor/parameters/enabled r, + /tmp/cri-containerd.apparmor.d[0-9]* rwl, + /{usr/,}{s,}bin/apparmor_parser rPx, + + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/[0-9]*/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/[0-9]*/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index c79af21c8..cfd13ccf5 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -15,6 +15,8 @@ profile mount-zfs @{exec_path} flags=(complain) { @{exec_path} mr, + /dev/pts/[0-9]* rw, + @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, @@ -24,12 +26,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, + mount fstype=zfs -> /tmp/zfsmnt.*/, + mount fstype=zfs -> /tmp/zfsmnt.*/*/, umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, + umount /tmp/zfsmnt.*/, + umount /tmp/zfsmnt.*/*/, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs new file mode 100644 index 000000000..d3404b003 --- /dev/null +++ b/apparmor.d/profiles-s-z/zfs @@ -0,0 +1,18 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +profile zfs @{exec_path} flags=(complain) { + include + + capability sys_admin, + + @{exec_path} r, + + @{PROC}/@{pids}/mounts r, + + /dev/zfs rw, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool new file mode 100644 index 000000000..ccd94c565 --- /dev/null +++ b/apparmor.d/profiles-s-z/zpool 
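Review bot: `/{usr/,}bin/unpigz rPUx,` lets the one helper in this profile that parses attacker-influenced input (containerd uses unpigz, as far as I know, to decompress pulled image layers) fall back to unconfined on any host without an unpigz profile, so a decompressor bug would escape the confinement this commit tightens elsewhere; prefer `rPx` backed by a small unpigz profile, or a `rCx` child profile with read access to the layer data and nothing more. Nearby, `/tmp/cri-containerd.apparmor.d[0-9]* rwl,` names a file containerd itself writes into world-writable /tmp before handing it to `apparmor_parser rPx`, so it should carry the owner qualifier: `owner /tmp/cri-containerd.apparmor.d[0-9]* rwl,`. The trailing `deny /dev/...` block reads as noise suppression for device enumeration rather than a security boundary, but a one-line comment saying so would spare the next reader the guess. The profile's opening and closing braces are both inside this hunk.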
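Review bot: `@{exec_path} r,` in the new zfs profile lacks the `m` permission that every other executable rule in this commit carries (`mr` in calico and containerd, `rm` in zpool); without it the executable's PROT_EXEC mapping is expected to show up as a file_mmap denial once the profile leaves complain mode, so change it to `@{exec_path} mr,`. The file also omits the copyright/SPDX header that the new CNI profiles start with. Since containerd reaches this binary via `rPx`, whatever helpers `zfs` spawns (a mount helper for `zfs mount`, presumably) will surface as exec denials while in complain mode; a comment recording which subcommands were exercised would make that audit easier.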
@@ -0,0 +1,29 @@
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
+profile zpool @{exec_path} flags=(complain) {
+ include
+ include
+
+ capability sys_admin,
+
+ @{exec_path} rm,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
+
+ /etc/hostid r,
+ @{PROC}/sys/kernel/spl/hostid r,
+
+ @{run}/blkid/blkid.tab rw,
+ @{run}/blkid/blkid.tab.old l,
+ @{run}/blkid/blkid.tab-* rwl,
+
+ @{PROC}/@{pids}/mounts r,
+
+ /dev/pts/[0-9]* rw,
+ /dev/zfs rw,
+
+ include if exists
+}
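Review bot: `/{usr/,}bin/{,ba,da}sh rix,` together with `/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,` runs the zpool.d helper scripts, and every shell they spawn, inside the zpool profile, so they inherit `capability sys_admin` and `/dev/zfs rw`, i.e. the full pool-admin interface, which a status-reporting script has no use for. Confining them in a child profile, e.g. `/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rCx -> zpool.d,`, lets the external commands those scripts call be listed there without widening the parent. The profile is still `flags=(complain)`, so this is the cheap moment to shape it; while there, `@{exec_path} rm,` is fine but reads `mr` everywhere else in the project.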