LVM and general update (#68)
* Small fixes * General update * Add LVM * Various small fixes * Add profile * Typo * sbin to regex * Date and time to extends * Read cmdline * Remove grep duplicate * Small fixes * Typo * Permissions for warning scripts * Add net_admin for multipath
This commit is contained in:
Jeroen
GitHub
parent
1649b427f8
commit
9818daba5f
19 changed files with 237 additions and 49 deletions
|
|
@ -39,7 +39,7 @@ profile pulseaudio @{exec_path} {
|
|||
member={GetState,AddService,AddServiceSubtype,Commit}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=session path=/Client0/EntryGroup[0-9]*
|
||||
dbus receive bus=system path=/Client0/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member=StateChanged
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
|
@ -102,8 +102,8 @@ profile pulseaudio @{exec_path} {
|
|||
member=Get
|
||||
peer=(name=/org/freedesktop/hostname[0-9]),
|
||||
|
||||
dbus send bus=system path=/org.freedesktop.hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Prope
|
||||
dbus send bus=system path=/org/freedesktop/hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=/org/freedesktop/hostname[0-9]),
|
||||
|
||||
|
|
|
|||
|
|
@ -31,6 +31,9 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/calico/{,**} r,
|
||||
/var/log/calico/cni/ r,
|
||||
/var/log/calico/cni/cni.log rw,
|
||||
/var/log/calico/cni/cni-@{date}T@{time}.[0-9]*.log rw,
|
||||
|
||||
/usr/share/mime/globs2 r,
|
||||
|
||||
@{run}/calico/ rw,
|
||||
@{run}/calico/ipam.lock rwk,
|
||||
|
|
|
|||
|
|
@ -53,14 +53,15 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/ r,
|
||||
|
||||
/opt/cni/bin/loopback rPx,
|
||||
/opt/cni/bin/portmap rPx,
|
||||
/opt/cni/bin/loopback rPx,
|
||||
/opt/cni/bin/portmap rPx,
|
||||
/opt/cni/bin/bandwidth rPx,
|
||||
/opt/cni/bin/calico rPx,
|
||||
/opt/cni/bin/calico rPx,
|
||||
|
||||
/etc/cni/ rw,
|
||||
/etc/cni/{,**} r,
|
||||
/etc/cni/net.d/ rw,
|
||||
/etc/calico/ rw,
|
||||
/etc/cni/ rw,
|
||||
/etc/cni/{,**} r,
|
||||
/etc/cni/net.d/ rw,
|
||||
/etc/containerd/*.toml r,
|
||||
|
||||
/opt/containerd/{,**} rw,
|
||||
|
|
@ -87,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||
owner /var/tmp/** rwkl,
|
||||
owner /tmp/** rwkl,
|
||||
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
|
||||
/tmp/ctd-volume[0-9]*/{data,} rw,
|
||||
/tmp/ctd-volume[0-9]*/{data/,} rw,
|
||||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
@{sys}/kernel/security/apparmor/profiles r,
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ profile k3s @{exec_path} {
|
|||
capability sys_resource,
|
||||
|
||||
ptrace peer=@{profile_name},
|
||||
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
|
||||
ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined},
|
||||
|
||||
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
|
||||
# For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue