diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 97bae8b7..5e8549ab 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -9,8 +9,10 @@ /dev/ r, # Regular disk/partition devices + /dev/block/ r, /dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]*[0-9]* rk, + /dev/disk/*/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, @@ -35,11 +37,14 @@ # LUKS/LVM (device-mapper) devices /dev/dm-[0-9]* rk, + /dev/mapper/* r, @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, # ZFS devices /dev/zd[0-9]* rk, + /dev/zvol/ r, + /dev/zvol/*/ r, @{sys}/devices/virtual/block/zd[0-9]*/ r, @{sys}/devices/virtual/block/zd[0-9]*/** r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index e279b484..b7729a7a 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,10 +9,13 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include + include capability dac_read_search, capability net_admin, capability sys_admin, + capability chown, signal (receive) set=term peer=dockerd, @@ -31,6 +34,7 @@ profile containerd @{exec_path} { @{run}/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, @{run}/systemd/notify w, 
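Review bot: `/dev/disk/*/ r,` permits listing the `by-id`, `by-uuid`, … subdirectories but not `/dev/disk/` itself, whereas the ZFS section of this same abstraction grants both `/dev/zvol/ r,` and `/dev/zvol/*/ r,`. A consumer that enumerates `/dev/disk/` before descending into a subdirectory will still be denied on the parent. Unless the asymmetry is intentional, `/dev/disk/{,*/} r,` keeps the two sections consistent. The symlinks inside those directories should resolve to the `/dev/{s,v}d*`, `dm-*` and `zd*` nodes the abstraction already covers, so no further target rules look necessary.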
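Review bot: `/dev/mapper/* r,` also matches `/dev/mapper/control`, which is a real character device rather than a symlink to a `dm-N` node, so this read-only abstraction now grants opening the device-mapper control node. AppArmor does not mediate ioctls, and as far as I recall the dm control ioctl path checks only CAP_SYS_ADMIN rather than whether the fd was opened for writing — worth verifying, because any profile that includes this abstraction while holding `capability sys_admin` (containerd in this same commit, if it includes it) could then drive device-mapper over a read-only fd. The symlinks themselves are mediated against their `/dev/dm-[0-9]*` targets, already covered two lines up, so the glob mainly adds `readlink` on them plus the control node. A comment such as `# also matches /dev/mapper/control; profiles that must not reach it add 'deny /dev/mapper/control rw,' locally` would make the trade-off explicit — the `deny` belongs in the consuming profile, not here, since deny overrides allow for every includer.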
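Review bot: `capability chown,` is added without a comment saying which operation needs it, and the two new `include` targets are not legible in this rendering, so the widening of the profile cannot be tied to a feature from the hunk alone. Presumably the chown is for restoring file ownership when unpacking image layers into snapshots (a later hunk adds `unpigz` and the zfs snapshotter), but that should be recorded next to the capability: `# chown: restore layer file ownership when unpacking images into snapshots`. The profile body continues outside this hunk.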
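Review bot: `options in (rw, nosuid, nodev, noexec)` uses subset semantics, so a tmpfs mounted on the sandbox `shm/` path with only `rw` — none of `nosuid`, `nodev`, `noexec` — is also permitted; the hardening flags are allowed, not required. If containerd always mounts the sandbox shm with all three flags (I believe the CRI plugin does, but confirm against the version you target), `options=(rw, nosuid, nodev, noexec)` pins them and rejects a weaker mount. Either way a short `# CRI pod sandbox /dev/shm` comment above the rule would help, since the destination path alone does not say what the tmpfs is for.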
@@ -40,5 +44,34 @@ profile containerd @{exec_path} { owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + # Extracting container images + /usr/{local/,}bin/unpigz PUx, + + # zfs snapshotter + /{usr/,}{local/,}{s,}bin/zfs Px, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/001/ r, + deny /dev/bus/usb/002/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/0/ r, + deny /dev/cpu/1/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs new file mode 100644 index 00000000..dfe846c0 --- /dev/null +++ b/apparmor.d/profiles-s-z/zfs @@ -0,0 +1,17 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +profile zfs @{exec_path} flags=(complain) { + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool new file mode 100644 index 00000000..67b73d7e --- /dev/null +++ b/apparmor.d/profiles-s-z/zpool @@ -0,0 +1,21 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool +profile zpool @{exec_path} flags=(complain) { + include + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + /dev/pts/[0-9]* rw, + /etc/hostid r, + + include if exists +}
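Review bot: `/usr/{local/,}bin/unpigz PUx,` falls back to running the decompressor unconfined when no `unpigz` profile is loaded, and per the `# Extracting container images` comment this is the component that parses gzip streams from pulled image layers — a memory-safety bug there would then execute with no AppArmor confinement at all. Prefer a dedicated profile with `Px`, as this commit does for `zfs`, or at least `ix` so it inherits containerd's own bounds. Secondarily, the `deny` block hardcodes this machine's enumeration — `deny /dev/cpu/0/ r,`, `deny /dev/cpu/1/ r,`, `deny /dev/bus/usb/001/ r,`, `deny /dev/bus/usb/002/ r,` — which will not silence the same noise on hosts with more CPUs or USB buses; `deny /dev/cpu/[0-9]*/ r,` and `deny /dev/bus/usb/[0-9]*/ r,` cover them. A one-line comment on why these directories are denied (presumably containerd walks `/dev/` and the denials only quiet the log) would spare the next maintainer guessing.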
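Review bot: `@{PROC}/@{pids}/mounts r,` grants reading the mount table of any process, although the tool only needs its own; `@{PROC}/@{pid}/mounts r,` (the kernel variable for the calling pid, usable if the declared abi is 3.0 — the abi name is not legible here) or `@{PROC}/self/mounts r,` is the tighter form. Also worth noting before `complain` is dropped: there is no `mount fstype=zfs` rule, so `zfs mount` or a `zfs create` without `mountpoint=legacy` would be refused under enforce. The containerd hunk in this same commit mounts the datasets itself, which suggests legacy mountpoints are the expected path, but a comment such as `# mounting is done by the caller (legacy mountpoints); add mount rules if 'zfs mount' is needed` would record that assumption.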
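Review bot: `@{PROC}/@{pids}/mounts r,` repeats the over-broad form from the `zfs` profile in this commit, letting `zpool` read every process's mount table when `@{PROC}/@{pid}/mounts r,` or `@{PROC}/self/mounts r,` would do. The two tty and hostid rules carry no rationale: `/dev/pts/[0-9]* rw,` is presumably for interactive output and prompts, and `/etc/hostid r,` for the host identity ZFS records in the pool — please confirm and say so, e.g. `# interactive terminal` and `# hostid stamped into the pool label`. Since `zfs` and `zpool` share `/dev/zfs rw,` and the mounts rule, consider a small shared abstraction so a future tightening is applied in one place.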