From 3810c1668e97de337052da0ef4b4b08ae73e5642 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 5 Jul 2022 20:45:01 +0200 Subject: [PATCH 1/7] Basic ZFS support --- apparmor.d/abstractions/disks-read | 5 +++++ apparmor.d/groups/virt/containerd | 35 +++++++++++++++++++++++++++++- apparmor.d/profiles-s-z/zfs | 17 +++++++++++++++ apparmor.d/profiles-s-z/zpool | 21 ++++++++++++++++++ 4 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/zfs create mode 100644 apparmor.d/profiles-s-z/zpool diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 97bae8b7..5e8549ab 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -9,8 +9,10 @@ /dev/ r, # Regular disk/partition devices + /dev/block/ r, /dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]*[0-9]* rk, + /dev/disk/*/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, @@ -35,11 +37,14 @@ # LUKS/LVM (device-mapper) devices /dev/dm-[0-9]* rk, + /dev/mapper/* r, @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, # ZFS devices /dev/zd[0-9]* rk, + /dev/zvol/ r, + /dev/zvol/*/ r, @{sys}/devices/virtual/block/zd[0-9]*/ r, @{sys}/devices/virtual/block/zd[0-9]*/** r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index e279b484..b7729a7a 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,10 +9,13 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include + include capability dac_read_search, capability net_admin, capability sys_admin, + capability chown, signal (receive) set=term peer=dockerd, 
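Review bot: The new `/dev/mapper/* r,` rule reaches more than the device names the surrounding "LUKS/LVM (device-mapper) devices" comment implies, because the glob also matches `/dev/mapper/control`, the device-mapper control node. AppArmor mediates on the resolved path, so opening a `/dev/mapper/<name>` symlink is already decided by the existing `/dev/dm-[0-9]* rk,` rule; the practical effect of the glob is presumably to permit opening (or stat-ing) the control node, which is what the silenced denial most likely was. Any profile that includes this abstraction and also holds `capability sys_admin` would then have an open fd to the node through which device-mapper table ioctls are issued. Consider pairing the rule with `deny /dev/mapper/control rw,`, or add a comment stating that read access to the control node is intended.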
@@ -31,6 +34,7 @@ profile containerd @{exec_path} { @{run}/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, @{run}/systemd/notify w, @@ -40,5 +44,34 @@ profile containerd @{exec_path} { owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + # Extracting container images + /usr/{local/,}bin/unpigz PUx, + + # zfs snapshotter + /{usr/,}{local/,}{s,}bin/zfs Px, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/001/ r, + deny /dev/bus/usb/002/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/0/ r, + deny /dev/cpu/1/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs new file mode 100644 index 00000000..dfe846c0 --- /dev/null +++ b/apparmor.d/profiles-s-z/zfs @@ -0,0 +1,17 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +profile zfs @{exec_path} flags=(complain) { + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool new file mode 100644 index 00000000..67b73d7e --- /dev/null +++ b/apparmor.d/profiles-s-z/zpool 
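Review bot: `/usr/{local/,}bin/unpigz PUx,` lets containerd hand attacker-supplied bytes to a process that runs unconfined whenever no `unpigz` profile happens to be loaded; the comment `# Extracting container images` above it names exactly the one input containerd receives from outside the host, so fall-back-to-unconfined is the wrong direction for this helper. `Px` with a small dedicated profile (read the layer stream, write stdout, no capabilities) or a child profile would keep the decompressor confined. The same hunk's `/{usr/,}{local/,}{s,}bin/zfs Px,` transitions into a profile that this series declares with `flags=(complain)`, so until `zfs` leaves complain mode that transition is logging-only and does not actually restrict anything. The containerd profile body continues outside the hunk.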
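Review bot: `@{exec_path} r,` in the new zfs profile lacks the `m` permission that the other executables in this series carry (containerd uses `mr`, and a later patch of this same series changes zpool's identical line to `rm`); mapping the binary's own text needs `m`, which is why the `mr` convention exists, so in enforce mode this line is expected to produce a denial. Change it to `@{exec_path} mr,`. The profile also grants `capability sys_admin` and `/dev/zfs rw,`, i.e. full access to the ZFS ioctl interface, yet ships in `flags=(complain)` while containerd transitions into it with `Px`; a comment such as `# complain: accesses from the containerd zfs snapshotter are still being collected; switch to enforce before relying on this` would make that state explicit to the next reader.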
@@ -0,0 +1,21 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool +profile zpool @{exec_path} flags=(complain) { + include + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + /dev/pts/[0-9]* rw, + /etc/hostid r, + + include if exists +} From 99c311e699000299290a81b503202b52e1c02de3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Thu, 7 Jul 2022 14:48:32 +0200 Subject: [PATCH 2/7] Executable updates for zpool --- apparmor.d/profiles-s-z/zpool | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 67b73d7e..b4d23646 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -10,12 +10,15 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} r, + /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, /dev/zfs rw, @{PROC}/@{pids}/mounts r, /dev/pts/[0-9]* rw, /etc/hostid r, + @{PROC}/sys/kernel/spl/hostid r, include if exists } From cc5d1a0e07e42e67287257c425b97087784af57c Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 14:43:19 +0200 Subject: [PATCH 3/7] Initramfs generation updates --- apparmor.d/profiles-m-r/mount-zfs | 4 ++++ apparmor.d/profiles-s-z/zpool | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index c79af21c..0f9cfb7b 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -24,12 +24,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, + mount fstype=zfs -> /tmp/zfsmnt.*/ + mount fstype=zfs -> /tmp/zfsmnt.*/*/ umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, + umount fstype=zfs -> /tmp/zfsmnt.*/ + mount fstype=zfs -> /tmp/zfsmnt.*/*/ @{PROC}/@{pids}/mounts r, 
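Review bot: `/{usr/,}{local/,}bin/{ba,da,k,z,}sh rix,` runs a shell inside the zpool profile, so every helper under `zpool.d/*` (also `rix`) executes with this profile's `capability sys_admin` and `/dev/zfs rw,` but, once complain mode is dropped, with nothing else: the zpool.d scripts shipped with OpenZFS typically call external tools (smartctl, lsblk and similar) that this profile does not list, so expect denials there. A child profile for the scripts (`/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rCx -> zpool-scripts,` plus a `profile zpool-scripts { ... }` block) would keep sys_admin away from the shell and give those tools a place to be listed. `lib/zfs-linux/zpool.d` is a Debian-family location; other packagings may install the scripts elsewhere, so a comment naming the distribution this was traced on would help.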
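Review bot: The new `/tmp/zfsmnt.*/` mount and umount targets carry no comment saying what creates that path; the commit subject ties it to initramfs generation, but a reader of the profile will not see the commit. A line such as `# Temporary mount point used while building the initramfs (ZFS initramfs hook) -- TODO confirm the creating script` above the first new rule would anchor it. Because the target is a glob under world-writable /tmp, it is also worth confirming that the creating script uses mktemp rather than a predictable suffix, since the rule itself cannot tell a legitimate `zfsmnt.XXXXXX` from one pre-created by a local user. The mount-zfs profile body continues outside the hunk.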
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index b4d23646..5b0efb02 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -20,5 +20,9 @@ profile zpool @{exec_path} flags=(complain) { /etc/hostid r, @{PROC}/sys/kernel/spl/hostid r, + /run/blkid/blkid.tab wr, + /run/blkid/blkid.tab.old l, + /run/blkid/blkid.tab-* wrl, + include if exists } From da08ef6aa6100c3e1d7a1dd3e2e5ae428f8e6cf7 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 14:44:53 +0200 Subject: [PATCH 4/7] Typo --- apparmor.d/profiles-m-r/mount-zfs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 0f9cfb7b..07490bb5 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -24,16 +24,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, - mount fstype=zfs -> /tmp/zfsmnt.*/ - mount fstype=zfs -> /tmp/zfsmnt.*/*/ + mount fstype=zfs -> /tmp/zfsmnt.*/, + mount fstype=zfs -> /tmp/zfsmnt.*/*/, umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, - umount fstype=zfs -> /tmp/zfsmnt.*/ - mount fstype=zfs -> /tmp/zfsmnt.*/*/ + umount /tmp/zfsmnt.*/, + umount /tmp/zfsmnt.*/*/, @{PROC}/@{pids}/mounts r, From c9b4423e45387012d2ceaa606b44ff4f5b3d7ea3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 15:24:10 +0200 Subject: [PATCH 5/7] Allow mount-zfs access to pts --- apparmor.d/profiles-m-r/mount-zfs | 2 ++ apparmor.d/profiles-s-z/zpool | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 07490bb5..cfd13ccf 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs 
@@ -15,6 +15,8 @@ profile mount-zfs @{exec_path} flags=(complain) { @{exec_path} mr, + /dev/pts/[0-9]* rw, + @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 5b0efb02..bbd73e3d 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -9,7 +9,7 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, - @{exec_path} r, + @{exec_path} rm, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, From 59f8b893ffedc6292c738b3e6dce24aa06b73399 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 20:33:47 +0200 Subject: [PATCH 6/7] Cleanup profiles according to standards --- apparmor.d/groups/virt/containerd | 74 +++++++++++++++---------------- apparmor.d/profiles-s-z/zfs | 3 +- apparmor.d/profiles-s-z/zpool | 19 ++++---- 3 files changed, 47 insertions(+), 49 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index b7729a7a..f73d1b37 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
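Review bot: `/dev/pts/[0-9]* rw,` grants read and write on every pseudo-terminal on the host, not only the one mount-zfs was started from; `owner /dev/pts/[0-9]* rw,` limits it to ptys owned by the invoking user and is enough for a prompt on the caller's own terminal. The zpool profile introduced earlier in this series has the same unscoped rule and would benefit from the same `owner` qualifier. If the access exists for an interactive prompt (an encryption passphrase during mount seems the likely case, but that is an inference), a short comment saying so would spare the next reader the guess. The profile body continues outside the hunk.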
@@ -17,61 +17,57 @@ profile containerd @{exec_path} { capability sys_admin, capability chown, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + + umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + signal (receive) set=term peer=dockerd, - @{exec_path} mr, - + @{exec_path} rm, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/docker/containerd/{,**} rwk, - @{run}/containerd/{,**} rwk, - @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, - mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, - @{run}/systemd/notify w, + @{run}/systemd/notify w, + @{run}/containerd/{,**} rwk, + @{run}/docker/containerd/{,**} rwk, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, - # Extracting container images - /usr/{local/,}bin/unpigz PUx, - - # zfs snapshotter - /{usr/,}{local/,}{s,}bin/zfs Px, - mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, - deny /dev/bsg/ r, - deny /dev/bus/ r, - deny /dev/bus/usb/ r, - deny /dev/bus/usb/001/ r, - deny /dev/bus/usb/002/ r, - deny /dev/char/ r, - deny /dev/cpu/ r, - deny /dev/cpu/0/ r, - deny /dev/cpu/1/ r, - deny 
/dev/dma_heap/ r, - deny /dev/dri/ r, - deny /dev/dri/by-path/ r, - deny /dev/hugepages/ r, - deny /dev/input/ r, - deny /dev/input/by-id/ r, - deny /dev/input/by-path/ r, - deny /dev/net/ r, - deny /dev/snd/ r, - deny /dev/snd/by-path/ r, - deny /dev/vfio/ r, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/[0-9]*/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/[0-9]*/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index dfe846c0..d3404b00 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -10,8 +10,9 @@ profile zfs @{exec_path} flags=(complain) { @{exec_path} r, - /dev/zfs rw, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index bbd73e3d..dfa2f83e 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -11,18 +11,19 @@ profile zpool @{exec_path} flags=(complain) { @{exec_path} rm, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, - /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, - - /dev/zfs rw, + /{usr/,}bin/{,ba,da}sh rix, + + /etc/hostid r, + + @{run}/blkid/blkid.tab rw, + @{run}/blkid/blkid.tab.old l, + @{run}/blkid/blkid.tab-* rwl, + + @{PROC}/sys/kernel/spl/hostid r, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, /dev/pts/[0-9]* rw, - /etc/hostid r, - @{PROC}/sys/kernel/spl/hostid r, - - /run/blkid/blkid.tab wr, - /run/blkid/blkid.tab.old l, - /run/blkid/blkid.tab-* wrl, include if exists } From d10f2c073c7d09d9d3ab55ae45b32fe6f16a90bf Mon Sep 17 00:00:00 2001 
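Review bot: The zfs mount rule `mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,` constrains neither source nor options, while the tmpfs rule directly above it pins `options in (rw, nosuid, nodev, noexec)`; if the snapshotter does pass nosuid/nodev when mounting a layer, mirroring them in the rule (`mount fstype=zfs options in (rw, nosuid, nodev) -> ...`) would prevent an image layer from ever being mounted with setuid bits or device nodes honored, and if it does not, a comment explaining the asymmetry is warranted. The long `deny /dev/.../ r,` block is also uncommented; a single line such as `# containerd enumerates /dev; these denies only quiet the audit log, nothing below them is granted` (assuming that is the reason -- confirm) would explain why it exists. The hunk starts inside the profile body.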
From: Jeroen Rijken Date: Sun, 10 Jul 2022 13:01:31 +0200 Subject: [PATCH 7/7] Alphabetical sorting, group common options. --- apparmor.d/groups/virt/containerd | 8 ++++---- apparmor.d/profiles-s-z/zpool | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f73d1b37..9b1c578f 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -12,10 +12,10 @@ profile containerd @{exec_path} { include include + capability chown, capability dac_read_search, capability net_admin, capability sys_admin, - capability chown, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, @@ -24,11 +24,11 @@ profile containerd @{exec_path} { signal (receive) set=term peer=dockerd, - @{exec_path} rm, - /{usr/,}bin/unpigz rPUx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + @{exec_path} mr, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, /etc/cni/ rw, /etc/cni/{,**} r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index dfa2f83e..ccd94c56 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -10,20 +10,20 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} rm, - /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /etc/hostid r, + @{PROC}/sys/kernel/spl/hostid r, @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab-* rwl, - @{PROC}/sys/kernel/spl/hostid r, @{PROC}/@{pids}/mounts r, - /dev/zfs rw, /dev/pts/[0-9]* rw, + /dev/zfs rw, include if exists }