feat(profile): virt: move privileged actions to subprofle.

2025-06-21 20:08:44 +02:00 · 2025-06-21 20:08:44 +02:00 · e222816d32
commit e222816d32
parent 24a9da865f
4 changed files with 49 additions and 9 deletions
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -87,10 +87,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  @{run}/nri/nri.sock rw,
  @{run}/systemd/notify w,

-        /tmp/cri-containerd.apparmor.d@{int} rwl,
-        /tmp/ctd-volume@{int}/{,**} rw,
-  owner @{tmp}/** rwkl,
-  owner /var/tmp/** rwkl,
+  /tmp/cri-containerd.apparmor.d@{int} rwl,
+  /tmp/ctd-volume@{int}/{,**} rw,

  @{sys}/fs/cgroup/kubepods/** r,
  @{sys}/kernel/security/apparmor/profiles r,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -70,11 +70,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  @{lib}/docker/docker-init      rCx -> init,
  @{bin}/docker-proxy            rPx,
  @{bin}/git                     rCx -> git,
-  @{bin}/kmod                    rPx,
+  @{bin}/kmod                    rCx -> kmod,
  @{bin}/ps                      rPx,
  @{sbin}/runc                   rUx,
  @{bin}/unpigz                  rix,
-  @{sbin}/xtables-nft-multi      rix,
+  @{sbin}/xtables-nft-multi      rCx -> nft,
+  @{sbin}/xtables-legacy-multi   rCx -> nft,

  # Docker needs full access of the containers it manages.
  # TODO: should be in a sub profile started with pivot_root, not supported yet.
@ -128,13 +129,48 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/net/ip_tables_names r,
  owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,
  owner @{PROC}/@{pid}/uid_map r,

  /dev/ r,
  /dev/**/ r,

+  profile nft flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    capability net_admin,
+    capability net_raw,
+
+    network inet raw,
+    network inet6 raw,
+    network netlink raw,
+
+    @{sbin}/xtables-nft-multi     rix,
+    @{sbin}/xtables-legacy-multi  rix,
+    @{bin}/kmod                   rPx -> dockerd//kmod,
+
+    @{PROC}/@{pid}/net/ip{,6}_tables_names r,
+    @{PROC}/sys/kernel/modprobe r,
+
+    @{run}/xtables.lock rwk,
+
+    include if exists <local/dockerd_nft>
+  }
+
+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    capability sys_module,
+
+    @{run}/xtables.lock r,
+
+    @{sys}/module/compression r,
+    @{sys}/module/*/initstate r,
+
+    include if exists <local/dockerd_kmod>
+  }
+
  profile init flags=(attach_disconnected) {
    include <abstractions/base>

--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -106,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {

  @{sbin}/dmidecode                           rPx,
  @{sbin}/dnsmasq                             rPx,
-  @{bin}/kmod                                 rPx,
+  @{bin}/kmod                                 rCx -> kmod,
  @{sbin}/lvm                                 rPUx,
  @{bin}/mdevctl                              rPx,
  @{bin}/swtpm                                rPx,
@ -245,6 +245,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  audit deny @{sys}/kernel/security/apparmor/matching rwxl,
  audit deny @{sys}/kernel/security/apparmor/.* rwxl,

+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    include if exists <local/libvirtd_kmod>
+  }
+
  profile qemu_bridge_helper {
    include <abstractions/base>

--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} {
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/net/psched r,
  deny  @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/status r,

  # For gl enabled graphics
  /dev/dri/{,*} r,