Merge branch 'master' into feat/cni

2024-11-15 07:54:17 +01:00 · 2022-07-10 13:41:50 +01:00 · 2022-07-10 13:41:50 +01:00 · 40d8c68f22
commit 40d8c68f22
parent 6e1e7dc32b d10f2c073c
5 changed files with 102 additions and 14 deletions
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@ -9,8 +9,10 @@
  /dev/ r,

  # Regular disk/partition devices
+  /dev/block/ r,
  /dev/{s,v}d[a-z]* rk,
  /dev/{s,v}d[a-z]*[0-9]* rk,
+  /dev/disk/*/ r,
  @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
  @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
  @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
@ -35,11 +37,14 @@

  # LUKS/LVM (device-mapper) devices
  /dev/dm-[0-9]* rk,
+  /dev/mapper/* r,
  @{sys}/devices/virtual/block/dm-[0-9]*/ r,
  @{sys}/devices/virtual/block/dm-[0-9]*/** r,

  # ZFS devices
  /dev/zd[0-9]* rk,
+  /dev/zvol/ r,
+  /dev/zvol/*/ r,
  @{sys}/devices/virtual/block/zd[0-9]*/ r,
  @{sys}/devices/virtual/block/zd[0-9]*/** r,

--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -11,25 +11,35 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/ssl_certs>
  include <abstractions/nameservice-strict>
+  include <abstractions/disks-read>
+  include <abstractions/devices-usb>

+  capability chown,
  capability dac_read_search,
  capability net_admin,
  capability sys_admin,

+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+
+  mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
+  mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+
+  umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+
  signal (receive) set=term peer=dockerd,

-  # Pulling container images
-  network inet,
-  network inet6,
-
-  @{exec_path} mr,
-
+  @{exec_path}                        mr,
  /{usr/,}bin/containerd-shim-runc-v2 rPUx,
  /{usr/,}bin/kmod                    rPx,
+  /{usr/,}bin/unpigz                  rPUx,
+  /{usr/,}{local/,}{s,}bin/zfs        rPx,

-  /etc/cni/ rw,
-  /etc/cni/{,**} r,
-  /etc/cni/net.d/ rw,
+  /etc/cni/              rw,
+  /etc/cni/{,**}         r,
+  /etc/cni/net.d/        rw,
  /etc/containerd/*.toml r,

  /opt/cni/bin/loopback  rPx,
@ -46,17 +56,18 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pid}/task/@{tid}/ns/net rw,

  /var/lib/containerd/{,**} rwk,
+  /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
  /var/lib/docker/containerd/{,**} rwk,
-  @{run}/containerd/{,**} rwk,
-  @{run}/docker/containerd/{,**} rwk,
  /opt/containerd/{,**} rw,

-  @{run}/systemd/notify w,
+  @{run}/systemd/notify          w,
+  @{run}/containerd/{,**}        rwk,
+  @{run}/docker/containerd/{,**} rwk,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

-  owner @{PROC}/@{pids}/uid_map r,
-  owner @{PROC}/@{pids}/mountinfo r,
+  owner @{PROC}/@{pids}/uid_map        r,
+  owner @{PROC}/@{pids}/mountinfo      r,
        @{PROC}/sys/net/core/somaxconn r,
  
  # AppArmor within containers
@ -65,5 +76,24 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  /tmp/cri-containerd.apparmor.d[0-9]* rwl,
  /{usr/,}{s,}bin/apparmor_parser  rPx,

+  deny /dev/bsg/            r,
+  deny /dev/bus/            r,
+  deny /dev/bus/usb/        r,
+  deny /dev/bus/usb/[0-9]*/ r,
+  deny /dev/char/           r,
+  deny /dev/cpu/            r,
+  deny /dev/cpu/[0-9]*/     r,
+  deny /dev/dma_heap/       r,
+  deny /dev/dri/            r,
+  deny /dev/dri/by-path/    r,
+  deny /dev/hugepages/      r,
+  deny /dev/input/          r,
+  deny /dev/input/by-id/    r,
+  deny /dev/input/by-path/  r,
+  deny /dev/net/            r,
+  deny /dev/snd/            r,
+  deny /dev/snd/by-path/    r,
+  deny /dev/vfio/           r,
+
  include if exists <local/containerd>
 }
--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@ -15,6 +15,8 @@ profile mount-zfs @{exec_path} flags=(complain) {

  @{exec_path} mr,

+  /dev/pts/[0-9]* rw,
+
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,
@ -24,12 +26,16 @@ profile mount-zfs @{exec_path} flags=(complain) {
  mount fstype=zfs -> @{MOUNTS}/*/,
  mount fstype=zfs -> /,
  mount fstype=zfs -> /*/,
+  mount fstype=zfs -> /tmp/zfsmnt.*/,
+  mount fstype=zfs -> /tmp/zfsmnt.*/*/,

  umount @{MOUNTDIRS}/,
  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
  umount /,
  umount /*/,
+  umount /tmp/zfsmnt.*/,
+  umount /tmp/zfsmnt.*/*/,

  @{PROC}/@{pids}/mounts r,

--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@ -0,0 +1,18 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
+profile zfs @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  
+  capability sys_admin,
+  
+  @{exec_path} r,
+  
+  @{PROC}/@{pids}/mounts r,
+
+  /dev/zfs rw,
+
+  include if exists <local/zfs>
+}
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@ -0,0 +1,29 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
+profile zpool @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/disks-read>
+
+  capability sys_admin,
+
+  @{exec_path} rm,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
+
+  /etc/hostid r,
+  @{PROC}/sys/kernel/spl/hostid r,
+
+  @{run}/blkid/blkid.tab rw,
+  @{run}/blkid/blkid.tab.old l,
+  @{run}/blkid/blkid.tab-* rwl,
+
+  @{PROC}/@{pids}/mounts r,
+
+  /dev/pts/[0-9]* rw,
+  /dev/zfs rw,
+
+  include if exists <local/zfs>
+}