Cleanup profiles according to standards part 1/2

2025-01-18 08:58:15 +01:00 · 2022-07-09 20:46:59 +02:00 · 2022-07-09 20:46:59 +02:00 · 2ffa3d1339
commit 2ffa3d1339
parent 1556e62e10
6 changed files with 58 additions and 49 deletions
--- a/apparmor.d/groups/virt/calico
+++ b/apparmor.d/groups/virt/calico
@ -6,21 +6,20 @@ include <tunables/global>
 profile calico @{exec_path} flags=(complain) {
  include <abstractions/base>

+  network inet,
+  network inet6,
+
  @{exec_path} rix,
  @{exec_path}-ipam rix,
  
-  network inet,
-  
-  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  /var/lib/calico/ r,
-  /var/lib/calico/** r,
-  /etc/cni/net.d/ r,
-  /etc/cni/net.d/** r,
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /var/lib/calico/{,**} r,
+  /etc/cni/net.d/{,**}  r,
    
  /var/log/calico/cni/ r,
-  /var/log/calico/cni/cni.log wr,
+  /var/log/calico/cni/cni.log rw,
  
-  /run/calico/ipam.lock rwk,
+  @{run}/calico/ipam.lock rwk,

  include if exists <local/calico>
 }
--- a/apparmor.d/groups/virt/cni
+++ b/apparmor.d/groups/virt/cni
@ -1,35 +0,0 @@
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile loopback /{opt/,}{cni/,}bin/loopback {
-  include <abstractions/base>
-
-  /opt/cni/bin/loopback rix,
-  
-  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
-  include if exists <local/loopback>
-}
-
-profile portmap /{opt/,}{cni/,}bin/portmap {
-  include <abstractions/base>
-
-  /opt/cni/bin/portmap rix,
-  
-  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
-  include if exists <local/portmap>
-}
-
-profile bandwidth /{opt/,}{cni/,}bin/bandwidth {
-  include <abstractions/base>
-
-  /opt/cni/bin/bandwidth rix,
-  
-  network inet,
-  network netlink raw,
-  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
-  include if exists <local/bandwidth>
-}
--- a/apparmor.d/groups/virt/cni-bandwidth
+++ b/apparmor.d/groups/virt/cni-bandwidth
@ -0,0 +1,17 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{opt/,}{cni/,}bin/bandwidth
+profile bandwidth @{exec_path} {
+  include <abstractions/base>
+
+  {exec_path} rm,
+  
+  network inet,
+  network netlink raw,
+  
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/bandwidth>
+}
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@ -0,0 +1,14 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{opt/,}{cni/,}bin/loopback
+profile loopback @{exec_path} {
+  include <abstractions/base>
+
+  {exec_path} rm,
+  
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/loopback>
+}
--- a/apparmor.d/groups/virt/cni-portmap
+++ b/apparmor.d/groups/virt/cni-portmap
@ -0,0 +1,14 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{opt/,}{cni/,}bin/portmap
+profile portmap @{exec_path} {
+  include <abstractions/base>
+
+  {exec_path} rm,
+  
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/portmap>
+}
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -31,10 +31,10 @@ profile containerd @{exec_path} {
  /etc/cni/net.d/ rw,
  /etc/containerd/*.toml r,

-  /opt/cni/bin/loopback Px,
-  /opt/cni/bin/portmap Px,
-  /opt/cni/bin/bandwidth Px,
-  /opt/cni/bin/calico Px,
+  /opt/cni/bin/loopback  rPx,
+  /opt/cni/bin/portmap   rPx,
+  /opt/cni/bin/bandwidth rPx,
+  /opt/cni/bin/calico    rPx,

  /var/log/pods/**/[0-9]*.log w,
  @{run}/calico/ w,
@ -65,4 +65,4 @@ profile containerd @{exec_path} {
  /usr/sbin/apparmor_parser Px,

  include if exists <local/containerd>
-}
+}