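# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only

# Profile for the containerd daemon (container runtime used by docker/cri).
# The extracted copy of this file had lost the targets of its abi/include
# directives; the universal apparmor.d ones are restored below, the two
# remaining abstraction includes are left as clearly marked placeholders.

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/containerd
profile containerd @{exec_path} {
  include <abstractions/base>
  # NOTE(review): two further include lines were present here but their
  # targets did not survive extraction. Restore them from the upstream
  # profile before loading this file; the placeholders are commented out
  # so the profile still parses.
  # include <abstractions/TODO_RESTORE_FROM_UPSTREAM_1>
  # include <abstractions/TODO_RESTORE_FROM_UPSTREAM_2>

  # sys_admin is required by the mount/umount rules below; the mount rules
  # are scoped by fstype and destination, which bounds what the capability
  # can be used for from policy's point of view. The other three are
  # presumably for reading container rootfs trees (dac_read_search), CNI
  # networking (net_admin) and chowning layer contents (chown) - confirm.
  capability dac_read_search,
  capability net_admin,
  capability sys_admin,
  capability chown,

  # dockerd may stop containerd when it is managed as a child of docker.
  signal (receive) set=term peer=dockerd,

  @{exec_path} mr,

  # Shim: transition to its own profile when one is loaded, otherwise run
  # unconfined (PUx). Until a shim profile exists, container processes are
  # spawned from an unconfined parent - keep that in mind when auditing.
  /{usr/,}bin/containerd-shim-runc-v2 rPUx,
  # Kernel module loading goes through kmod's own profile.
  /{usr/,}bin/kmod rPx,

  /etc/cni/ rw,
  /etc/cni/{,**} r,
  /etc/cni/net.d/ rw,
  /etc/containerd/*.toml r,

  # State and socket directories (k: file locking).
  /var/lib/containerd/{,**} rwk,
  /var/lib/docker/containerd/{,**} rwk,
  @{run}/containerd/{,**} rwk,
  @{run}/docker/containerd/{,**} rwk,
  /opt/containerd/{,**} rw,

  # Per-sandbox /dev/shm for CRI pods; restricted to tmpfs with
  # nosuid,nodev,noexec so the sandbox cannot gain an executable mount here.
  mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,

  # sd_notify readiness to systemd.
  @{run}/systemd/notify w,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  owner @{PROC}/@{pids}/uid_map r,
  owner @{PROC}/@{pids}/mountinfo r,
  @{PROC}/sys/net/core/somaxconn r,

  # Extracting container images
  # unpigz decompresses image layers, i.e. data pulled from a registry; with
  # PUx it runs unconfined whenever no unpigz profile is loaded. A dedicated
  # profile for it would keep that parsing confined - worth considering.
  /usr/{local/,}bin/unpigz PUx,

  # zfs snapshotter
  /{usr/,}{local/,}{s,}bin/zfs Px,
  mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
  umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
  # Link creation inside temporarily mounted snapshots (l: link).
  /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,

  # containerd enumerates /dev subdirectories it does not need; explicit
  # deny rules refuse these listings and keep them out of the reject log.
  deny /dev/bsg/ r,
  deny /dev/bus/ r,
  deny /dev/bus/usb/ r,
  deny /dev/bus/usb/001/ r,
  deny /dev/bus/usb/002/ r,
  deny /dev/char/ r,
  deny /dev/cpu/ r,
  deny /dev/cpu/0/ r,
  deny /dev/cpu/1/ r,
  deny /dev/dma_heap/ r,
  deny /dev/dri/ r,
  deny /dev/dri/by-path/ r,
  deny /dev/hugepages/ r,
  deny /dev/input/ r,
  deny /dev/input/by-id/ r,
  deny /dev/input/by-path/ r,
  deny /dev/net/ r,
  deny /dev/snd/ r,
  deny /dev/snd/by-path/ r,
  deny /dev/vfio/ r,

  # Site-local additions live outside the packaged profile.
  include if exists <local/containerd>
}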