diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico
index 328d3e85..ac46f619 100644
--- a/apparmor.d/groups/virt/calico
+++ b/apparmor.d/groups/virt/calico
@@ -6,21 +6,20 @@ include
 profile calico @{exec_path} flags=(complain) {
 include
+ network inet,
+ network inet6,
+
 @{exec_path} rix,
 @{exec_path}-ipam rix,
- network inet,
-
- /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- /var/lib/calico/ r,
- /var/lib/calico/** r,
- /etc/cni/net.d/ r,
- /etc/cni/net.d/** r,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ /var/lib/calico/{,**} r,
+ /etc/cni/net.d/{,**} r,
 /var/log/calico/cni/ r,
- /var/log/calico/cni/cni.log wr,
+ /var/log/calico/cni/cni.log rw,
- /run/calico/ipam.lock rwk,
+ @{run}/calico/ipam.lock rwk,
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni b/apparmor.d/groups/virt/cni
deleted file mode 100644
index 2a4039c0..00000000
--- a/apparmor.d/groups/virt/cni
+++ /dev/null
@@ -1,35 +0,0 @@
-abi ,
-
-include
-
-profile loopback /{opt/,}{cni/,}bin/loopback {
- include
-
- /opt/cni/bin/loopback rix,
-
- /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
- include if exists
-}
-profile portmap /{opt/,}{cni/,}bin/portmap {
- include
-
- /opt/cni/bin/portmap rix,
-
- /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
- include if exists
-}
-profile bandwidth /{opt/,}{cni/,}bin/bandwidth {
- include
-
- /opt/cni/bin/bandwidth rix,
-
- network inet,
- network netlink raw,
- /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
- include if exists
-}
diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth
new file mode 100644
index 00000000..9bf87266
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-bandwidth
@@ -0,0 +1,17 @@
+abi ,
+
+include
+
+@{exec_path} = /{opt/,}{cni/,}bin/bandwidth
+profile bandwidth @{exec_path} {
+ include
+
+ {exec_path} rm,
+
+ network inet,
+ network netlink raw,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
new file mode 100644
index 00000000..d746669a
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -0,0 +1,14 @@
+abi ,
+
+include
+
+@{exec_path} = /{opt/,}{cni/,}bin/loopback
+profile loopback @{exec_path} {
+ include
+
+ {exec_path} rm,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap
new file mode 100644
index 00000000..ce24f2b4
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-portmap
@@ -0,0 +1,14 @@
+abi ,
+
+include
+
+@{exec_path} = /{opt/,}{cni/,}bin/portmap
+profile portmap @{exec_path} {
+ include
+
+ {exec_path} rm,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 982098f3..c40c454e 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -31,10 +31,10 @@ profile containerd @{exec_path} {
 /etc/cni/net.d/ rw,
 /etc/containerd/*.toml r,
- /opt/cni/bin/loopback Px,
- /opt/cni/bin/portmap Px,
- /opt/cni/bin/bandwidth Px,
- /opt/cni/bin/calico Px,
+ /opt/cni/bin/loopback rPx,
+ /opt/cni/bin/portmap rPx,
+ /opt/cni/bin/bandwidth rPx,
+ /opt/cni/bin/calico rPx,
 /var/log/pods/**/[0-9]*.log w,
 @{run}/calico/ w,
@@ -65,4 +65,4 @@ profile containerd @{exec_path} {
 /usr/sbin/apparmor_parser Px,
 include if exists
-}
\ No newline at end of file
+}
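Review bot: The self-access rule `{exec_path} rm,` in the new cni-bandwidth profile is missing the `@` that would make it the variable defined two lines above, and the cni-loopback and cni-portmap hunks carry the same rule; without it the line is a brace alternation that expands to the relative path `exec_path`, which is not an absolute path and should be rejected by apparmor_parser at load time, so none of the three profiles would load. Unless the character was lost in rendering, the line should read `@{exec_path} rm,` in all three files. The deleted cni file granted each plugin `rix` on its own binary, so `rm` here also drops the inherit-execute permission on self; if that is deliberate, a one-line comment above the rule saying so would spare the next reader the comparison.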
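Review bot: The four transition rules keep the literal `/opt/cni/bin/` prefix while the loopback, portmap and bandwidth profiles they transition to now attach on `/{opt/,}{cni/,}bin/<plugin>`, so a plugin executed from `/bin/`, `/cni/bin/` or `/opt/bin/` would fall under the child profile's attachment but match no exec rule in containerd, and the exec would be denied rather than confined. If the wider attachment in the cni-* profiles is intentional, the rules here could use the same alternation, e.g. `/{opt/,}{cni/,}bin/loopback rPx,`; if only `/opt/cni/bin/` is ever used, it is the attachment paths that should be narrowed instead. The enclosing profile containerd begins before and ends after this hunk.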