mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Basic ZFS support

Browse source
This commit is contained in:
Jeroen Rijken 2022-07-05 20:45:01 +02:00 committed by Alex
parent 4a37cd1149
commit 3810c1668e
4 changed files with 77 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/abstractions/disks-read
View file

@ -9,8 +9,10 @@
/dev/ r,
# Regular disk/partition devices
/dev/block/ r,
/dev/{s,v}d[a-z]* rk,
/dev/{s,v}d[a-z]*[0-9]* rk,
/dev/disk/*/ r,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
@ -35,11 +37,14 @@
# LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rk,
/dev/mapper/* r,
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZFS devices
/dev/zd[0-9]* rk,
/dev/zvol/ r,
/dev/zvol/*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/** r,

35
apparmor.d/groups/virt/containerd
View file

@ -9,10 +9,13 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/containerd
profile containerd @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/devices-usb>
capability dac_read_search,
capability net_admin,
capability sys_admin,
capability chown,
signal (receive) set=term peer=dockerd,
@ -31,6 +34,7 @@ profile containerd @{exec_path} {
@{run}/containerd/{,**} rwk,
@{run}/docker/containerd/{,**} rwk,
/opt/containerd/{,**} rw,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
@{run}/systemd/notify w,
@ -40,5 +44,34 @@ profile containerd @{exec_path} {
owner @{PROC}/@{pids}/mountinfo r,
@{PROC}/sys/net/core/somaxconn r,
# Extracting container images
/usr/{local/,}bin/unpigz PUx,
# zfs snapshotter
/{usr/,}{local/,}{s,}bin/zfs Px,
mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
deny /dev/bsg/ r,
deny /dev/bus/ r,
deny /dev/bus/usb/ r,
deny /dev/bus/usb/001/ r,
deny /dev/bus/usb/002/ r,
deny /dev/char/ r,
deny /dev/cpu/ r,
deny /dev/cpu/0/ r,
deny /dev/cpu/1/ r,
deny /dev/dma_heap/ r,
deny /dev/dri/ r,
deny /dev/dri/by-path/ r,
deny /dev/hugepages/ r,
deny /dev/input/ r,
deny /dev/input/by-id/ r,
deny /dev/input/by-path/ r,
deny /dev/net/ r,
deny /dev/snd/ r,
deny /dev/snd/by-path/ r,
deny /dev/vfio/ r,
include if exists <local/containerd>
}
}

17
apparmor.d/profiles-s-z/zfs Normal file
View file

@ -0,0 +1,17 @@
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
profile zfs @{exec_path} flags=(complain) {
include <abstractions/base>
capability sys_admin,
@{exec_path} r,
/dev/zfs rw,
@{PROC}/@{pids}/mounts r,
include if exists <local/zfs>
}

21
apparmor.d/profiles-s-z/zpool Normal file
View file

@ -0,0 +1,21 @@
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
profile zpool @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} r,
/dev/zfs rw,
@{PROC}/@{pids}/mounts r,
/dev/pts/[0-9]* rw,
/etc/hostid r,
include if exists <local/zfs>
}