felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

LVM and general update (#68)

Browse source 
* Small fixes

* General update

* Add LVM

* Various small fixes

* Add profile

* Typo

* sbin to regex

* Date and time to extends

* Read cmdline

* Remove grep duplicate

* Small fixes

* Typo

* Permissions for warning scripts

* Add net_admin for multipath
This commit is contained in:
Jeroen 2022-09-06 23:01:17 +02:00 committed by GitHub
parent 1649b427f8
commit 9818daba5f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 237 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/virt/cni-calico
View file

@ -31,6 +31,9 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
/var/lib/calico/{,**} r,
/var/log/calico/cni/ r,
/var/log/calico/cni/cni.log rw,
/var/log/calico/cni/cni-@{date}T@{time}.[0-9]*.log rw,
/usr/share/mime/globs2 r,
@{run}/calico/ rw,
@{run}/calico/ipam.lock rwk,

15
apparmor.d/groups/virt/containerd
View file

@ -53,14 +53,15 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
/ r,
/opt/cni/bin/loopback rPx,
/opt/cni/bin/portmap rPx,
/opt/cni/bin/loopback rPx,
/opt/cni/bin/portmap rPx,
/opt/cni/bin/bandwidth rPx,
/opt/cni/bin/calico rPx,
/opt/cni/bin/calico rPx,
/etc/cni/ rw,
/etc/cni/{,**} r,
/etc/cni/net.d/ rw,
/etc/calico/ rw,
/etc/cni/ rw,
/etc/cni/{,**} r,
/etc/cni/net.d/ rw,
/etc/containerd/*.toml r,
/opt/containerd/{,**} rw,
@ -87,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
owner /var/tmp/** rwkl,
owner /tmp/** rwkl,
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
/tmp/ctd-volume[0-9]*/{data,} rw,
/tmp/ctd-volume[0-9]*/{data/,} rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/profiles r,

2
apparmor.d/groups/virt/k3s
View file

@ -26,7 +26,7 @@ profile k3s @{exec_path} {
capability sys_resource,
ptrace peer=@{profile_name},
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined},
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
# For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.