feat(profile): virt: move privileged actions to subprofle.

apparmor.d/groups/virt/containerd

@@ -89,8 +89,6 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 
   /tmp/cri-containerd.apparmor.d@{int} rwl,
   /tmp/ctd-volume@{int}/{,**} rw,
-  owner @{tmp}/** rwkl,
-  owner /var/tmp/** rwkl,
 
   @{sys}/fs/cgroup/kubepods/** r,
   @{sys}/kernel/security/apparmor/profiles r,

apparmor.d/groups/virt/dockerd

@@ -70,11 +70,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   @{lib}/docker/docker-init      rCx -> init,
   @{bin}/docker-proxy            rPx,
   @{bin}/git                     rCx -> git,
-  @{bin}/kmod                    rPx,
+  @{bin}/kmod                    rCx -> kmod,
   @{bin}/ps                      rPx,
   @{sbin}/runc                   rUx,
   @{bin}/unpigz                  rix,
-  @{sbin}/xtables-nft-multi      rix,
+  @{sbin}/xtables-nft-multi      rCx -> nft,
+  @{sbin}/xtables-legacy-multi   rCx -> nft,
 
   # Docker needs full access of the containers it manages.
   # TODO: should be in a sub profile started with pivot_root, not supported yet.
@@ -128,13 +129,48 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/net/ip_tables_names r,
   owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,
   owner @{PROC}/@{pid}/uid_map r,
 
   /dev/ r,
   /dev/**/ r,
 
+  profile nft flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    capability net_admin,
+    capability net_raw,
+
+    network inet raw,
+    network inet6 raw,
+    network netlink raw,
+
+    @{sbin}/xtables-nft-multi     rix,
+    @{sbin}/xtables-legacy-multi  rix,
+    @{bin}/kmod                   rPx -> dockerd//kmod,
+
+    @{PROC}/@{pid}/net/ip{,6}_tables_names r,
+    @{PROC}/sys/kernel/modprobe r,
+
+    @{run}/xtables.lock rwk,
+
+    include if exists <local/dockerd_nft>
+  }
+
+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    capability sys_module,
+
+    @{run}/xtables.lock r,
+
+    @{sys}/module/compression r,
+    @{sys}/module/*/initstate r,
+
+    include if exists <local/dockerd_kmod>
+  }
+
   profile init flags=(attach_disconnected) {
     include <abstractions/base>
 

apparmor.d/groups/virt/libvirtd

@@ -106,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 
   @{sbin}/dmidecode                           rPx,
   @{sbin}/dnsmasq                             rPx,
-  @{bin}/kmod                                 rPx,
+  @{bin}/kmod                                 rCx -> kmod,
   @{sbin}/lvm                                 rPUx,
   @{bin}/mdevctl                              rPx,
   @{bin}/swtpm                                rPx,
@@ -245,6 +245,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   audit deny @{sys}/kernel/security/apparmor/matching rwxl,
   audit deny @{sys}/kernel/security/apparmor/.* rwxl,
 
+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    include if exists <local/libvirtd_kmod>
+  }
+
   profile qemu_bridge_helper {
     include <abstractions/base>
 

apparmor.d/groups/virt/virt-aa-helper

@@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} {
         @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pid}/net/psched r,
   deny  @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/status r,
 
   # For gl enabled graphics
   /dev/dri/{,*} r,