mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 16:03:51 +01:00
Allow containerd to (u)mount cni devices, and loopback to access them.
This commit is contained in:
parent
6c8e50534b
commit
02ad72b024
@ -12,6 +12,9 @@ profile cni-loopback @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{run}/netns/ r,
|
||||||
|
@{run}/netns/cni-@{uuid} rw,
|
||||||
|
|
||||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
|
|
||||||
include if exists <local/cni-loopback>
|
include if exists <local/cni-loopback>
|
||||||
|
@ -26,8 +26,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
|
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
|
||||||
mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||||
|
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
|
||||||
|
|
||||||
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
|
||||||
|
umount @{run}/netns/cni-@{uuid},
|
||||||
|
|
||||||
signal (receive) set=term peer=dockerd,
|
signal (receive) set=term peer=dockerd,
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user