diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
new file mode 100644
index 00000000..9d7b02b2
--- /dev/null
+++ b/apparmor.d/groups/virt/k3s
@@ -0,0 +1,177 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{local/,}bin/k3s
+profile k3s @{exec_path} flags=(complain) {
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability net_admin,
+ capability syslog,
+ capability sys_admin,
+ capability sys_resource,
+
+ ptrace peer=@{profile_name},
+ ptrace (read) peer=unconfined,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+ umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+
+ signal (send, receive) set=term,
+
+ @{exec_path} mr,
+ /{usr/,}bin/kmod rPx,
+ /{usr/,}bin/mount rPx,
+ /{usr/,}bin/systemd-run rix,
+
+ # Does not seem to work.
+ # These are all symbolic links to xtables-nft-multi on Ubuntu 22.04
+ /{usr/,}{s,}bin/iptables rPx -> xtables-nft-multi,
+ /etc/alternatives/iptables rPx -> xtables-nft-multi,
+ /{usr/,}{s,}bin/iptables-legacy rPx -> xtables-nft-multi,
+ /{usr/,}{s,}bin/xtables-nft-multi rPx,
+
+ /{usr/,}{s,}bin/iptables-save rPx -> xtables-nft-multi,
+ /etc/alternatives/iptables-save rPx -> xtables-nft-multi,
+ /{usr/,}{s,}bin/iptables-legacy-save rPx -> xtables-nft-multi,
+ /{usr/,}{s,}bin/xtables-nft-multi rPx,
+
+ /{usr/,}{s,}bin/iptables-restore rPx -> xtables-nft-multi,
+ /etc/alternatives/iptables-restore rPx -> xtables-nft-multi,
+ /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi,
+ /{usr/,}{s,}bin/xtables-nft-multi rPx,
+
+ /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
+ /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
+
+ /usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r,
+ /usr/share/mime/globs2 r,
+
+ /etc/machine-id r,
+ /etc/rancher/k3s/{,**} r,
+ /etc/rancher/k3s/k3s.yaml rw,
+ /etc/rancher/node/password r,
+
+ /var/lib/rancher/k3s/{,**} r,
+ /var/lib/rancher/k3s/agent/** rw,
+ /var/lib/rancher/k3s/server/** rw,
+ /var/lib/rancher/k3s/server/db/** rwk,
+
+ # k3s want's to basically manage all directories and create some specific files.
+ /var/lib/kubelet/{,**/} rw,
+ /var/lib/kubelet/{cpu_manager_state,memory_manager_state} r,
+ /var/lib/kubelet/device-plugins/{,DEPRECATION,kubelet.sock} rw,
+ /var/lib/kubelet/pod-resources/{kubelet.sock,[0-9]*} rw,
+ /var/lib/kubelet/pods/@{uuid}/containers/*/[0-9a-f]* rw,
+ /var/lib/kubelet/pods/@{uuid}/etc-hosts rw,
+ /var/lib/kubelet/pods/@{uuid}/plugins/kubernetes.io~*/{,**} rw,
+ /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**} rw,
+ /var/lib/kubelet/pods/@{uuid}/**/ca.crt rw,
+ /var/lib/kubelet/pods/@{uuid}/**/namespace rw,
+ /var/lib/kubelet/pods/@{uuid}/**/token rw,
+
+ /var/log/containers/ r,
+ /var/log/containers/** rw,
+ /var/log/rancher/{,**} r,
+ /var/log/kubelet/{,**} r,
+ /var/log/kubernetes/{,**} r,
+ /var/log/kubernetes/audit/** rw,
+ /var/log/pods/{,**} r,
+ /var/log/pods/{,**/} rw,
+ /var/log/pods/**/[0-9]*.log rw,
+
+ @{HOME}/.kube/cache/discovery/{,**} rw,
+ @{HOME}/.kube/cache/http/[0-9a-z]* rw,
+ @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
+
+ @{run}/containerd/containerd.sock rw,
+ @{run}/systemd/notify w,
+ @{run}/systemd/private rw,
+ @{run}/systemd/resolve/resolv.conf r,
+ @{run}/nodeagent/ rw,
+ @{run}/xtables.lock rwk,
+
+ /var/tmp/etilqs_* rw,
+
+ owner @{PROC}/@{pids}/cgroup r,
+ owner @{PROC}/@{pids}/cpuset r,
+ owner @{PROC}/@{pids}/mounts r,
+ owner @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/net/dev r,
+ @{PROC}/@{pids}/net/ip_tables_names r,
+ owner @{PROC}/@{pids}/net/ipv6_route r,
+ owner @{PROC}/@{pids}/net/route r,
+ owner @{PROC}/@{pids}/oom_score_adj rw,
+ owner @{PROC}/@{pids}/stat r,
+ owner @{PROC}/@{pids}/uid_map r,
+
+ @{PROC}/diskstats r,
+ @{PROC}/modules r,
+ @{PROC}/sys/fs/pipe-max-size r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/sys/net/ipv4/conf/all/* rw,
+ @{PROC}/sys/net/ipv4/conf/default/* rw,
+ @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
+ @{PROC}/sys/net/netfilter/* rw,
+ @{PROC}/sys/kernel/keys/* r,
+ @{PROC}/sys/kernel/panic rw,
+ @{PROC}/sys/kernel/panic_on_oom rw,
+ @{PROC}/sys/kernel/panic_on_oops rw,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/vm/overcommit_memory rw,
+ @{PROC}/sys/vm/panic_on_oom r,
+
+ @{sys}/class/net/ r,
+
+ @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r,
+ @{sys}/devices/system/edac/mc/ r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+ @{sys}/devices/system/node/node[0-9]*/hugepages/ r,
+ @{sys}/devices/system/node/node[0-9]*/hugepages/hugepages-*/nr_hugepages r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/topology/core_id r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/topology/physical_package_id r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/cache/ r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/{id,size,level,type,shared_cpu_map} r,
+ @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
+ @{sys}/devices/virtual/dmi/id/product_uuid r,
+
+ @{sys}/fs/cgroup/{,*,*/} r,
+ @{sys}/fs/cgroup/cgroup.subtree_control rw,
+ @{sys}/fs/cgroup/kubepods/{,**} rw,
+ @{sys}/fs/cgroup/system.slice/{,**/} r,
+ @{sys}/fs/cgroup/system.slice/k3s.service/* r,
+ @{sys}/fs/cgroup/user.slice/ r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-[0-9]*.scope/{,**/} r,
+
+ @{sys}/kernel/mm/hugepages/ r,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
+
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ /dev/kmsg r,
+
+ include if exists
+}
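Review bot: The `mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},` rule puts the pod-volume path in the source position of the mount rule grammar rather than the mountpoint, so if the intent is to let the kubelet mount volumes onto those directories it should read `mount -> /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},` (with `fstype=` conditions added once the observed filesystem types are known). If I read the grammar right, the rule as written, together with `capability sys_admin`, would allow those paths to be mounted onto arbitrary destinations; the profile carries `flags=(complain)` so nothing is enforced yet, but this should be settled before the flag is removed. `/{usr/,}{s,}bin/xtables-nft-multi rPx,` is repeated three times (after the iptables, iptables-save and iptables-restore groups) and needs to appear only once. The `# Does not seem to work.` comment above the `rPx -> xtables-nft-multi` rules would help the next maintainer more if it recorded what was observed, so it is clear whether the named transition or the target profile is the missing piece.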