mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 16:03:51 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Allow containerd to (u)mount cni devices, and loopback to access them.

Browse Source
This commit is contained in:
Jeroen Rijken 2022-07-10 15:10:34 +02:00 committed by Alex
parent 6c8e50534b
commit 02ad72b024
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apparmor.d/groups/virt/cni-loopback
View File

@ -11,6 +11,9 @@ profile cni-loopback @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
@{run}/netns/ r,
@{run}/netns/cni-@{uuid} rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

2
apparmor.d/groups/virt/containerd
View File

@ -26,8 +26,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
umount @{run}/netns/cni-@{uuid},
signal (receive) set=term peer=dockerd, signal (receive) set=term peer=dockerd,