diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 97bae8b7..5e8549ab 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@@ -9,8 +9,10 @@
  /dev/ r,
  # Regular disk/partition devices
+ /dev/block/ r,
  /dev/{s,v}d[a-z]* rk,
  /dev/{s,v}d[a-z]*[0-9]* rk,
+ /dev/disk/*/ r,
  @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
  @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
  @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
@@ -35,11 +37,14 @@
  # LUKS/LVM (device-mapper) devices
  /dev/dm-[0-9]* rk,
+ /dev/mapper/* r,
  @{sys}/devices/virtual/block/dm-[0-9]*/ r,
  @{sys}/devices/virtual/block/dm-[0-9]*/** r,
  # ZFS devices
  /dev/zd[0-9]* rk,
+ /dev/zvol/ r,
+ /dev/zvol/*/ r,
  @{sys}/devices/virtual/block/zd[0-9]*/ r,
  @{sys}/devices/virtual/block/zd[0-9]*/** r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 0a7c31ea..882ba9e0 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
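Review bot: `/dev/mapper/* r,` in the second hunk reaches further than the comment `# LUKS/LVM (device-mapper) devices` suggests: under the usual udev layout the `/dev/mapper/<name>` entries are symlinks to `/dev/dm-N`, which AppArmor resolves before mediation and which the existing `/dev/dm-[0-9]* rk,` line already permits, so the practical addition is read access to the non-symlink entry `/dev/mapper/control`. Since this file is an abstraction, that extra access lands in every profile that includes `disks-read`, not only in containerd. If the control node is not needed, `/dev/mapper/ r,` would cover directory listing alone; otherwise a comment such as `# also matches /dev/mapper/control` would make the grant deliberate. The `/dev/block/ r,`, `/dev/disk/*/ r,` and `/dev/zvol/*/ r,` additions end in `/` and therefore only permit directory listing.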
@@ -11,25 +11,35 @@ profile containerd @{exec_path} flags=(attach_disconnected) { include include include + include + include + capability chown, capability dac_read_search, capability net_admin, capability sys_admin, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + + umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + signal (receive) set=term peer=dockerd, - # Pulling container images - network inet, - network inet6, - - @{exec_path} mr, - + @{exec_path} mr, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /opt/cni/bin/loopback rPx, @@ -46,17 +56,18 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/task/@{tid}/ns/net rw, /var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/docker/containerd/{,**} rwk, - @{run}/containerd/{,**} rwk, - @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, - @{run}/systemd/notify w, + @{run}/systemd/notify w, + @{run}/containerd/{,**} rwk, + @{run}/docker/containerd/{,**} rwk, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, # AppArmor within containers 
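Review bot: `/{usr/,}bin/unpigz rPUx,` in the first hunk lets the decompressor run unconfined whenever no `unpigz` profile is loaded, and unpigz is presumably invoked to decompress pulled image layers, the least trusted input containerd handles. A fail-closed transition, `/{usr/,}bin/unpigz rPx,` with a matching profile, or a child profile via `rCx`, would keep that parsing confined; at minimum a comment should record why the unconfined fallback is acceptable here. The same `rPUx` already applies to `containerd-shim-runc-v2`, but that line is unchanged context. The new `mount fstype=zfs` and `umount` rules on `/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/` look consistent with the `l` rule the second hunk adds under the same path; the second hunk is otherwise a reorder. The `include` targets are not visible in this rendering, so I cannot check which abstractions the two added includes pull in.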
@@ -65,5 +76,24 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /tmp/cri-containerd.apparmor.d[0-9]* rwl, /{usr/,}{s,}bin/apparmor_parser rPx, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/[0-9]*/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/[0-9]*/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index c79af21c..cfd13ccf 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -15,6 +15,8 @@ profile mount-zfs @{exec_path} flags=(complain) { @{exec_path} mr, + /dev/pts/[0-9]* rw, + @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, @@ -24,12 +26,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, + mount fstype=zfs -> /tmp/zfsmnt.*/, + mount fstype=zfs -> /tmp/zfsmnt.*/*/, umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, + umount /tmp/zfsmnt.*/, + umount /tmp/zfsmnt.*/*/, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs new file mode 100644 index 00000000..d3404b00 --- /dev/null +++ b/apparmor.d/profiles-s-z/zfs @@ -0,0 +1,18 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +profile zfs @{exec_path} flags=(complain) { + include + + capability sys_admin, + + @{exec_path} r, + + @{PROC}/@{pids}/mounts r, + + /dev/zfs rw, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool new file mode 100644 index 00000000..ccd94c56 --- /dev/null +++ b/apparmor.d/profiles-s-z/zpool 
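Review bot: The eighteen `deny /dev/.../ r,` rules carry no comment stating their purpose, and because an explicit `deny` always wins over allow rules they cannot be re-enabled from the `include if exists` drop-in at the end of the profile. Every path ends in `/`, so they only affect directory listing, and explicit `deny` rules are not logged by default, which suggests the goal is quieting a `/dev` walk rather than a hardening decision. A one-line comment such as `# Silence directory enumeration of /dev; deny overrides any allow, including from local/` would make that explicit for whoever later tunes the profile.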
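Review bot: The new mount-zfs targets `mount fstype=zfs -> /tmp/zfsmnt.*/,` and `/tmp/zfsmnt.*/*/` match any directory name a local user can create in the world-writable `/tmp`, so the rule relies on the zfs tooling choosing unpredictable names rather than on the profile constraining them. A comment naming the operation that needs these temporary mount points (`# temporary mount points created by zfs — TODO name the operation`) would let a later reviewer judge whether the glob can be tightened. The enclosing `profile mount-zfs` block starts and ends outside both hunks.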
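Review bot: In the new `zfs` profile `@{exec_path} r,` lacks the `m` permission that the sibling `zpool` profile (`@{exec_path} rm,`) and containerd (`@{exec_path} mr,`) grant for their own executable; in complain mode this only produces a log entry, but once the profile is enforced the executable mapping will most likely be denied, so `@{exec_path} mr,` is the consistent form. The `abi` and `include` targets are stripped in this rendering, so I cannot check that the profile pulls in the same base abstraction as zpool.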
@@ -0,0 +1,29 @@
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
+profile zpool @{exec_path} flags=(complain) {
+ include
+ include
+
+ capability sys_admin,
+
+ @{exec_path} rm,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
+
+ /etc/hostid r,
+ @{PROC}/sys/kernel/spl/hostid r,
+
+ @{run}/blkid/blkid.tab rw,
+ @{run}/blkid/blkid.tab.old l,
+ @{run}/blkid/blkid.tab-* rwl,
+
+ @{PROC}/@{pids}/mounts r,
+
+ /dev/pts/[0-9]* rw,
+ /dev/zfs rw,
+
+ include if exists
+}
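Review bot: `/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,` together with `/{usr/,}bin/{,ba,da}sh rix,` runs every script dropped into `zpool.d`, and the shell that interprets it, inheriting this profile's `capability sys_admin` and `/dev/zfs rw`, so the plugin directory effectively shares the full zpool permission set. That is tolerable while the profile is in complain mode, but a child profile (`rCx`) for the plugins, or at least a comment such as `# zpool.d scripts are admin-installed plugins and inherit this profile`, would make the trust boundary visible before enforcement. The `@{run}/blkid/blkid.tab*` rules look like the libblkid cache and would also benefit from a one-line comment saying so.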