feat(profile): general update.
This commit is contained in:
parent
21e8456383
commit
8730c09b96
47 changed files with 146 additions and 118 deletions
@ -13,15 +13,15 @@ profile cockpit-certificate-helper @{exec_path} {
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/id rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/openssl rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sscg rix,
|
||||
@{bin}/tr rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/id rix,
|
||||
@{bin}/mkdir rix,
|
||||
@{bin}/mv rix,
|
||||
@{bin}/openssl rix,
|
||||
@{bin}/rm rix,
|
||||
@{bin}/sscg rix,
|
||||
@{bin}/tr rix,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/cockpit/ws-certs.d/* w,
|
||||
@ -47,7 +47,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{bin}/apparmor_parser rPx,
|
||||
@{bin}/containerd-shim-runc-v2 rPUx,
|
||||
@{bin}/containerd-shim-runc-v2 rPx,
|
||||
@{bin}/kmod rPx,
|
||||
@{bin}/unpigz rPUx,
|
||||
/{usr/,}{local/,}{s,}bin/zfs rPx,
|
||||
@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
/var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
|
||||
/var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl,
|
||||
/var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl,
|
||||
/var/lib/containerd/{,**} rwk,
|
||||
/var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,
|
||||
/var/lib/containerd/{,**} rwlk,
|
||||
/var/lib/docker/containerd/{,**} rwk,
|
||||
/var/lib/kubelet/seccomp/{,**} r,
|
||||
/var/lib/security-profiles-operator/{,**} r,
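Review bot: `/var/lib/containerd/{,**} rwlk,` in the second hunk widens link permission to the entire containerd state directory, whereas the old side only granted `l` under `/var/lib/containerd/tmpmounts/containerd-mount@{int}/**`. If hard links are still only created below tmpmounts, the narrower grant can be kept with two rules, `/var/lib/containerd/{,**} rwk,` and `/var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,`, so the broad rule does not gain `l`. The same hunk also replaces `cni-loopback-@{uuid}-lo` with `cni-loopback-[0-9a-z]*-lo`, which matches any alphanumeric id rather than a UUID-shaped one; if this was driven by an observed non-UUID result name, a short comment above that line recording what the id looks like would let the pattern be tightened later. The profile body continues outside both hunks.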
|
||||
@ -27,19 +27,22 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
|||
capability sys_ptrace,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 dgram,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount /tmp/containerd-mount@{int}/,
|
||||
mount /var/lib/docker/buildkit/**/,
|
||||
mount /var/lib/docker/overlay2/**/,
|
||||
mount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
mount options=(rw, bind) -> /run/docker/netns/*,
|
||||
mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
|
||||
mount options=(rw, rprivate) -> /.pivot_root@{int}/,
|
||||
mount options=(rw, rslave) -> /,
|
||||
mount /tmp/containerd-mount@{int}/,
|
||||
mount /var/lib/docker/buildkit/**/,
|
||||
mount /var/lib/docker/overlay2/**/,
|
||||
mount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,
|
||||
mount options=(rw bind) -> /run/docker/netns/*,
|
||||
mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
|
||||
mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,
|
||||
mount options=(rw rprivate) -> /.pivot_root@{int}/,
|
||||
mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/,
|
||||
mount options=(rw rslave) -> /,
|
||||
|
||||
remount /tmp/containerd-mount@{int10}/,
|
||||
remount /var/lib/docker/tmp/buildkit-mount@{int10}/,
|
||||
@ -48,18 +51,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
umount /run/docker/netns/*,
|
||||
umount /tmp/containerd-mount@{int}/,
|
||||
umount /var/lib/docker/buildkit/**/,
|
||||
umount /var/lib/docker/rootfs/**/,
|
||||
umount /var/lib/docker/overlay*/**/,
|
||||
umount /var/lib/docker/tmp/buildkit-mount@{int}/,
|
||||
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/,
|
||||
pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
|
||||
pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/,
|
||||
pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/,
|
||||
|
||||
ptrace (read) peer=docker-*,
|
||||
ptrace (read) peer=unconfined,
|
||||
ptrace read peer=docker-*,
|
||||
ptrace read peer=unconfined,
|
||||
|
||||
signal (send) set=int peer=docker-proxy,
|
||||
signal (send) set=kill peer=docker-*,
|
||||
signal (send) set=term peer=containerd,
|
||||
signal send set=int peer=docker-proxy,
|
||||
signal send set=kill peer=docker-*,
|
||||
signal send set=term peer=containerd,
|
||||
|
||||
@{exec_path} mrix,
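Review bot: In the first hunk of this file the new mount rules `mount /tmp/containerd-mount@{int}/,` and `mount /var/lib/docker/tmp/buildkit-mount@{int}/,` use `@{int}` while the unchanged `remount` rules for the same two directories use `@{int10}`; if the directory suffix is always a fixed 10-digit value the mount rules could use `@{int10}` as well, and if it is not, the remount rules are narrower than the mounts and may deny a remount that the mount allowed — worth confirming which is intended. The new rule `mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,` has a source path ending in `/-`, which looks unusual for a volume directory; please confirm it is the intended source rather than a stray character. In the second hunk, `ptrace read peer=unconfined,` is kept with only a syntax change; a one-line comment above it naming the dockerd operation that requires reading unconfined processes would help future reviewers judge whether the grant can be narrowed. The profile body continues outside both hunks.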