# apparmor.d - Full set of apparmor profiles # Copyright (C) 2021-2024 Alexandre Pujol # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/containerd profile containerd @{exec_path} flags=(attach_disconnected) { include include include include include capability chown, capability dac_read_search, capability dac_override, capability fsetid, capability fowner, capability mknod, capability net_admin, capability setfcap, capability sys_admin, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/, mount -> /var/lib/containerd/tmpmounts/containerd-mount@{int}/, mount -> /tmp/ctd-volume@{int}/, mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid}, umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/, umount /var/lib/containerd/tmpmounts/containerd-mount@{int}/, umount /tmp/ctd-volume@{int}/, umount @{run}/netns/cni-@{uuid}, signal (receive) set=term peer={dockerd,k3s}, signal (send) set=kill peer={containerd-shim-runc-v2,cni-calico}, @{exec_path} mr, @{bin}/apparmor_parser rPx, @{bin}/containerd-shim-runc-v2 rPUx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, / r, /opt/cni/bin/loopback rPx, /opt/cni/bin/portmap rPx, /opt/cni/bin/bandwidth rPx, /opt/cni/bin/calico rPx, /etc/calico/ rw, /etc/cni/ rw, /etc/cni/{,**} r, /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /opt/containerd/{,**} rw, /var/lib/cni/{,**/} w, /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, /var/lib/containerd/{,**} rwk, /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l, /var/lib/docker/containerd/{,**} rwk, /var/lib/kubelet/seccomp/{,**} r, /var/lib/security-profiles-operator/{,**} r, /var/log/pods/**/@{int}.log{,*} w, @{run}/calico/ w, @{run}/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk, @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, @{run}/systemd/notify w, /tmp/cri-containerd.apparmor.d@{int} rwl, /tmp/ctd-volume@{int}/{,**} rw, owner @{tmp}/** rwkl, owner /var/tmp/** rwkl, @{sys}/fs/cgroup/kubepods/** r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/uid_map r, /dev/bsg/ r, /dev/bus/ r, /dev/char/ r, /dev/cpu/ r, /dev/cpu/@{int}/ r, /dev/dma_heap/ r, /dev/dri/ r, /dev/dri/by-path/ r, /dev/hugepages/ r, /dev/input/ r, /dev/input/by-id/ r, /dev/input/by-path/ r, /dev/net/ r, /dev/snd/ r, /dev/snd/by-path/ r, /dev/vfio/ r, include if exists } # vim:syntax=apparmor