From 9ea910d1a0e7e48f41522ef5873389091eb31da2 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 6 Jul 2022 20:49:52 +0200 Subject: [PATCH 01/17] Add CNI for containerd --- apparmor.d/groups/virt/calico | 26 +++++++++++++++++++++++ apparmor.d/groups/virt/cni | 35 +++++++++++++++++++++++++++++++ apparmor.d/groups/virt/containerd | 18 ++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 apparmor.d/groups/virt/calico create mode 100644 apparmor.d/groups/virt/cni diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico new file mode 100644 index 00000000..328d3e85 --- /dev/null +++ b/apparmor.d/groups/virt/calico @@ -0,0 +1,26 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/calico +profile calico @{exec_path} flags=(complain) { + include + + @{exec_path} rix, + @{exec_path}-ipam rix, + + network inet, + + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /var/lib/calico/ r, + /var/lib/calico/** r, + /etc/cni/net.d/ r, + /etc/cni/net.d/** r, + + /var/log/calico/cni/ r, + /var/log/calico/cni/cni.log wr, + + /run/calico/ipam.lock rwk, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni b/apparmor.d/groups/virt/cni new file mode 100644 index 00000000..2a4039c0 --- /dev/null +++ b/apparmor.d/groups/virt/cni @@ -0,0 +1,35 @@ +abi , + +include + +profile loopback /{opt/,}{cni/,}bin/loopback { + include + + /opt/cni/bin/loopback rix, + + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} + +profile portmap /{opt/,}{cni/,}bin/portmap { + include + + /opt/cni/bin/portmap rix, + + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} + +profile bandwidth /{opt/,}{cni/,}bin/bandwidth { + include + + /opt/cni/bin/bandwidth rix, + + network inet, + network netlink raw, + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index e279b484..1ae77b55 100644 
--- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include capability dac_read_search, capability net_admin, @@ -16,6 +17,10 @@ profile containerd @{exec_path} { signal (receive) set=term peer=dockerd, + # Pulling container images + network inet, + network inet6, + @{exec_path} mr, /{usr/,}bin/containerd-shim-runc-v2 rPUx, @@ -26,6 +31,19 @@ profile containerd @{exec_path} { /etc/cni/net.d/ rw, /etc/containerd/*.toml r, + /opt/cni/bin/loopback Px, + /opt/cni/bin/portmap Px, + /opt/cni/bin/bandwidth Px, + /opt/cni/bin/calico Px, + + /var/log/pods/**/[0-9]*.log w, + @{run}/calico/ w, + + @{run}/netns/ w, + @{run}/netns/cni-@{uuid} rw, + /var/lib/cni/results/cni-loopback-@{uuid}-lo l, + @{PROC}/@{pid}/task/[0-9]*/ns/net rw, + /var/lib/containerd/{,**} rwk, /var/lib/docker/containerd/{,**} rwk, @{run}/containerd/{,**} rwk, From 3d63f9e21e018082b84283f1c0c5b6c31d859299 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 6 Jul 2022 20:50:14 +0200 Subject: [PATCH 02/17] Add AppArmor support to containerd --- apparmor.d/groups/virt/containerd | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 1ae77b55..982098f3 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -57,6 +57,12 @@ profile containerd @{exec_path} { owner @{PROC}/@{pids}/uid_map r, owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + + # AppArmor within containers + @{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/apparmor/parameters/enabled r, + /tmp/cri-containerd.apparmor.d[0-9]* rwl, + /usr/sbin/apparmor_parser Px, include if exists } \ No newline at end of file From 1556e62e10fcefb4a6be4891df15ccc60ecbc48f Mon Sep 17 00:00:00 2001 
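Review bot: `/tmp/cri-containerd.apparmor.d[0-9]* rwl,` in the new `# AppArmor within containers` block grants read, write and link on a predictably named file in the shared /tmp without an `owner` qualifier, so a same-named file created there by another user would also match. The surrounding profile already scopes its /proc access with `owner` (`owner @{PROC}/@{pids}/uid_map r,` in the context lines), so `owner /tmp/cri-containerd.apparmor.d[0-9]* rwl,` keeps the style consistent and closes that gap. Whether containerd creates the file with O_EXCL is not visible here; the `owner` restriction costs nothing either way.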
From: Jeroen Rijken Date: Wed, 6 Jul 2022 20:50:35 +0200 Subject: [PATCH 03/17] Update build instructions for Ubuntu --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 1b082b24..97c37edb 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it * An `apparmor` based linux distribution. * Base profiles and abstractions shipped with AppArmor are supposed to be installed. +* Go +* rsync **Archlinux** @@ -65,6 +67,8 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ Build using standard Debian package build tools: ```sh +sudo apt install debhelper ubuntu-dev-tools config-package-dev golang-go apparmor-profiles rsync + dpkg-buildpackage -b -d --no-sign sudo dpkg -i ../apparmor.d_*_all.deb ``` From 2ffa3d133931a4d7fe863fec1242250a010591d8 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 20:46:59 +0200 Subject: [PATCH 04/17] Cleanup profiles according to standards part 1/2 --- apparmor.d/groups/virt/calico | 17 +++++++------- apparmor.d/groups/virt/cni | 35 ---------------------------- apparmor.d/groups/virt/cni-bandwidth | 17 ++++++++++++++ apparmor.d/groups/virt/cni-loopback | 14 +++++++++++ apparmor.d/groups/virt/cni-portmap | 14 +++++++++++ apparmor.d/groups/virt/containerd | 10 ++++---- 6 files changed, 58 insertions(+), 49 deletions(-) delete mode 100644 apparmor.d/groups/virt/cni create mode 100644 apparmor.d/groups/virt/cni-bandwidth create mode 100644 apparmor.d/groups/virt/cni-loopback create mode 100644 apparmor.d/groups/virt/cni-portmap diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index 328d3e85..ac46f619 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico 
@@ -6,21 +6,20 @@ include profile calico @{exec_path} flags=(complain) { include + network inet, + network inet6, + @{exec_path} rix, @{exec_path}-ipam rix, - network inet, - - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /var/lib/calico/ r, - /var/lib/calico/** r, - /etc/cni/net.d/ r, - /etc/cni/net.d/** r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /var/lib/calico/{,**} r, + /etc/cni/net.d/{,**} r, /var/log/calico/cni/ r, - /var/log/calico/cni/cni.log wr, + /var/log/calico/cni/cni.log rw, - /run/calico/ipam.lock rwk, + @{run}/calico/ipam.lock rwk, include if exists } diff --git a/apparmor.d/groups/virt/cni b/apparmor.d/groups/virt/cni deleted file mode 100644 index 2a4039c0..00000000 --- a/apparmor.d/groups/virt/cni +++ /dev/null @@ -1,35 +0,0 @@ -abi , - -include - -profile loopback /{opt/,}{cni/,}bin/loopback { - include - - /opt/cni/bin/loopback rix, - - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - include if exists -} - -profile portmap /{opt/,}{cni/,}bin/portmap { - include - - /opt/cni/bin/portmap rix, - - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - include if exists -} - -profile bandwidth /{opt/,}{cni/,}bin/bandwidth { - include - - /opt/cni/bin/bandwidth rix, - - network inet, - network netlink raw, - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - include if exists -} diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth new file mode 100644 index 00000000..9bf87266 --- /dev/null +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -0,0 +1,17 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/bandwidth +profile bandwidth @{exec_path} { + include + + {exec_path} rm, + + network inet, + network netlink raw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback new file mode 100644 index 00000000..d746669a --- /dev/null 
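Review bot: The new `cni-bandwidth` file declares `profile bandwidth @{exec_path} {`, while the existing profiles in this group name the profile after the file (`profile calico`, `profile containerd`); the same mismatch is in `cni-loopback` (`profile loopback`) and `cni-portmap` (`profile portmap`) in the next two hunks. A bare name such as `loopback` is also easy to confuse with a non-CNI program in `aa-status` output, so `profile cni-bandwidth @{exec_path} {` (and likewise for the other two) would be clearer. The `Px` rules in containerd transition by the executable's attachment path, not by profile name, so renaming needs no change there.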
+++ b/apparmor.d/groups/virt/cni-loopback @@ -0,0 +1,14 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/loopback +profile loopback @{exec_path} { + include + + {exec_path} rm, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap new file mode 100644 index 00000000..ce24f2b4 --- /dev/null +++ b/apparmor.d/groups/virt/cni-portmap @@ -0,0 +1,14 @@ +abi , + +include + +@{exec_path} = /{opt/,}{cni/,}bin/portmap +profile portmap @{exec_path} { + include + + {exec_path} rm, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 982098f3..c40c454e 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -31,10 +31,10 @@ profile containerd @{exec_path} { /etc/cni/net.d/ rw, /etc/containerd/*.toml r, - /opt/cni/bin/loopback Px, - /opt/cni/bin/portmap Px, - /opt/cni/bin/bandwidth Px, - /opt/cni/bin/calico Px, + /opt/cni/bin/loopback rPx, + /opt/cni/bin/portmap rPx, + /opt/cni/bin/bandwidth rPx, + /opt/cni/bin/calico rPx, /var/log/pods/**/[0-9]*.log w, @{run}/calico/ w, @@ -65,4 +65,4 @@ profile containerd @{exec_path} { /usr/sbin/apparmor_parser Px, include if exists -} \ No newline at end of file +} From edcd1304320ec91a74fd2c62bda78b894c8d0326 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 20:53:21 +0200 Subject: [PATCH 05/17] Calico profile cleanup. --- apparmor.d/groups/virt/calico | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index ac46f619..313959fb 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico 
@@ -9,17 +9,18 @@ profile calico @{exec_path} flags=(complain) { network inet, network inet6, - @{exec_path} rix, + @{exec_path} rm, @{exec_path}-ipam rix, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /var/lib/calico/{,**} r, /etc/cni/net.d/{,**} r, - + + /var/lib/calico/{,**} r, /var/log/calico/cni/ r, /var/log/calico/cni/cni.log rw, @{run}/calico/ipam.lock rwk, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } From 8413f6b9e6c377bfcdc674257e9090ba0f934ebd Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 11:51:15 +0200 Subject: [PATCH 06/17] Allow containerd to access SSL certs for pulling container images. --- apparmor.d/groups/virt/containerd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index c40c454e..c44b9300 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include include capability dac_read_search, From 7524bfa343934430bc5144ee18ec81c9811139f3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 12:43:52 +0200 Subject: [PATCH 07/17] Syntax fixes --- apparmor.d/groups/virt/cni-bandwidth | 2 +- apparmor.d/groups/virt/cni-loopback | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 9bf87266..82e4792a 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -6,7 +6,7 @@ include profile bandwidth @{exec_path} { include - {exec_path} rm, + @{exec_path} mr, network inet, network netlink raw, diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index d746669a..2e542dd0 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback 
@@ -6,7 +6,7 @@ include profile loopback @{exec_path} { include - {exec_path} rm, + @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index ce24f2b4..efd2ae0d 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -6,7 +6,7 @@ include profile portmap @{exec_path} { include - {exec_path} rm, + @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, From 9fb43325a3f0ab4b4c572c3bc0e8a64b8e42266a Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 12:49:33 +0200 Subject: [PATCH 08/17] Add headers to new policies --- apparmor.d/groups/virt/calico | 6 +++++- apparmor.d/groups/virt/cni-bandwidth | 4 ++++ apparmor.d/groups/virt/cni-loopback | 4 ++++ apparmor.d/groups/virt/cni-portmap | 4 ++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index 313959fb..b68944be 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include @@ -9,7 +13,7 @@ profile calico @{exec_path} flags=(complain) { network inet, network inet6, - @{exec_path} rm, + @{exec_path} mr, @{exec_path}-ipam rix, /etc/cni/net.d/{,**} r, diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 82e4792a..1de4dbf4 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index 2e542dd0..a6ff7d6f 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback 
@@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index efd2ae0d..02e24956 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include From 8a13d71edb7a80f7faa79270e7933044f4029555 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 10 Jul 2022 13:36:44 +0200 Subject: [PATCH 09/17] Update CNI path, set containerd to attach_disconnected, cleanups. --- apparmor.d/groups/virt/calico | 4 ++-- apparmor.d/groups/virt/cni-bandwidth | 2 +- apparmor.d/groups/virt/cni-loopback | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- apparmor.d/groups/virt/containerd | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico index b68944be..ad021b21 100644 --- a/apparmor.d/groups/virt/calico +++ b/apparmor.d/groups/virt/calico @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/calico -profile calico @{exec_path} flags=(complain) { +@{exec_path} = /opt/cni/bin/calico +profile calico @{exec_path} { include network inet, diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 1de4dbf4..c477581d 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/bandwidth +@{exec_path} = /opt/cni/bin/bandwidth profile bandwidth @{exec_path} { include diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index a6ff7d6f..e1389f93 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/loopback +@{exec_path} = /opt/cni/bin/loopback profile loopback @{exec_path} { include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 02e24956..8d768844 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{opt/,}{cni/,}bin/portmap +@{exec_path} = /opt/cni/bin/portmap profile portmap @{exec_path} { include diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index c44b9300..212846e7 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/containerd -profile containerd @{exec_path} { +profile containerd @{exec_path} flags=(attach_disconnected) { include include include From 6e1e7dc32bd5226de54811fc72064efccf846992 Mon Sep 17 00:00:00 2001 From: Alex Date: Sun, 10 Jul 2022 12:38:11 +0000 Subject: [PATCH 10/17] Apply suggestions from code review --- apparmor.d/groups/virt/containerd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 212846e7..0a7c31ea 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -43,7 +43,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, /var/lib/cni/results/cni-loopback-@{uuid}-lo l, - @{PROC}/@{pid}/task/[0-9]*/ns/net rw, + @{PROC}/@{pid}/task/@{tid}/ns/net rw, /var/lib/containerd/{,**} rwk, /var/lib/docker/containerd/{,**} rwk, @@ -63,7 +63,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, /tmp/cri-containerd.apparmor.d[0-9]* rwl, - /usr/sbin/apparmor_parser Px, + /{usr/,}{s,}bin/apparmor_parser rPx, include if exists } 
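Review bot: `flags=(attach_disconnected)` is added to the containerd profile line without a comment saying which access needed it; because the flag lets path rules match files whose path is disconnected from the namespace root, it widens what every rule in the profile can match, and the commit subject only records that the flag was set. A one-line comment above the profile line, e.g. `# attach_disconnected: needed for files opened inside container mount namespaces` (adjusted to the denial that was actually observed), would keep that broadening justified for the next reader.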
From 3810c1668e97de337052da0ef4b4b08ae73e5642 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Tue, 5 Jul 2022 20:45:01 +0200 Subject: [PATCH 11/17] Basic ZFS support --- apparmor.d/abstractions/disks-read | 5 +++++ apparmor.d/groups/virt/containerd | 35 +++++++++++++++++++++++++++++- apparmor.d/profiles-s-z/zfs | 17 +++++++++++++++ apparmor.d/profiles-s-z/zpool | 21 ++++++++++++++++++ 4 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/zfs create mode 100644 apparmor.d/profiles-s-z/zpool diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 97bae8b7..5e8549ab 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -9,8 +9,10 @@ /dev/ r, # Regular disk/partition devices + /dev/block/ r, /dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]*[0-9]* rk, + /dev/disk/*/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, @@ -35,11 +37,14 @@ # LUKS/LVM (device-mapper) devices /dev/dm-[0-9]* rk, + /dev/mapper/* r, @{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/** r, # ZFS devices /dev/zd[0-9]* rk, + /dev/zvol/ r, + /dev/zvol/*/ r, @{sys}/devices/virtual/block/zd[0-9]*/ r, @{sys}/devices/virtual/block/zd[0-9]*/** r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index e279b484..b7729a7a 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -9,10 +9,13 @@ include @{exec_path} = /{usr/,}bin/containerd profile containerd @{exec_path} { include + include + include capability dac_read_search, capability net_admin, capability sys_admin, + capability chown, signal (receive) set=term peer=dockerd, 
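Review bot: The additions to the `disks-read` abstraction (`/dev/block/ r,`, `/dev/disk/*/ r,`, `/dev/mapper/* r,`, `/dev/zvol/ r,`, `/dev/zvol/*/ r,`) widen every profile that includes this abstraction, not only the zfs and zpool profiles this series adds, and neither the hunk nor the commit message says which consumer needed them. A short comment on the `/dev/mapper/* r,` line naming the tool that enumerates it would help; `/dev/mapper/` entries are usually symlinks into `/dev/dm-*`, which the abstraction already covers with `rk`, so presumably only `/dev/mapper/control` becomes newly readable — confirm against the audit log that prompted the change.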
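Review bot: This containerd diff starts from blob `e279b484`, the same pre-series base as patch 01 (`index e279b484..1ae77b55`), so its context shows `profile containerd @{exec_path} {` with a single include and none of the CNI rules, the `network inet`/`inet6` rules, the ssl-certs include from patch 06 or the `attach_disconnected` flag from patch 09 (patch 16's hunk header still shows the flag-less profile line). Applied in order this patch cannot apply on top of patch 10's `0a7c31ea`, and merged as a pull request the two lines need a conflict resolution that keeps both sets of rules. Patches 11–17 should be rebased onto patch 10's state of `apparmor.d/groups/virt/containerd` before the series is merged. The containerd profile body continues outside this hunk.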
@@ -31,6 +34,7 @@ profile containerd @{exec_path} { @{run}/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, @{run}/systemd/notify w, @@ -40,5 +44,34 @@ profile containerd @{exec_path} { owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, + # Extracting container images + /usr/{local/,}bin/unpigz PUx, + + # zfs snapshotter + /{usr/,}{local/,}{s,}bin/zfs Px, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/001/ r, + deny /dev/bus/usb/002/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/0/ r, + deny /dev/cpu/1/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs new file mode 100644 index 00000000..dfe846c0 --- /dev/null +++ b/apparmor.d/profiles-s-z/zfs @@ -0,0 +1,17 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +profile zfs @{exec_path} flags=(complain) { + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool new file mode 100644 index 00000000..67b73d7e --- /dev/null +++ b/apparmor.d/profiles-s-z/zpool 
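Review bot: `/usr/{local/,}bin/unpigz PUx,` under `# Extracting container images` lets a decompressor that parses untrusted registry layers run unconfined whenever no `unpigz` profile is loaded, which is the least trusted input path this profile handles; patch 16 keeps it as `/{usr/,}bin/unpigz rPUx,`. Prefer `rPx` backed by a small `unpigz` profile (read the layer stream, write to the pipe), or `rix` so it at least stays under containerd's rules, and drop the `U` fallback. The `deny /dev/...` list further down also deserves a one-line comment naming what enumerates `/dev` so a reader knows which denials it silences; its hard-coded `/dev/cpu/0/` and `/dev/cpu/1/` entries are already generalized in patch 16.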
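Review bot: The new `zfs` profile allows only `@{exec_path} r,` for its own binary, whereas the other profiles in this series use `mr` (`@{exec_path} mr,` in containerd, and patch 15 has to change zpool's `@{exec_path} r,` to `rm` after the fact); the zfs hunk in patch 16 still carries the `r`-only rule. Unless zfs is loaded differently from zpool, `@{exec_path} mr,` is presumably what enforce mode will need once `flags=(complain)` is dropped. A comment on `capability sys_admin,` saying which zfs operation requires it would also help, since it is the broadest grant in the profile.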
@@ -0,0 +1,21 @@ +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool +profile zpool @{exec_path} flags=(complain) { + include + include + + capability sys_admin, + + @{exec_path} r, + + /dev/zfs rw, + @{PROC}/@{pids}/mounts r, + + /dev/pts/[0-9]* rw, + /etc/hostid r, + + include if exists +} From 99c311e699000299290a81b503202b52e1c02de3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Thu, 7 Jul 2022 14:48:32 +0200 Subject: [PATCH 12/17] Executable updates for zpool --- apparmor.d/profiles-s-z/zpool | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 67b73d7e..b4d23646 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -10,12 +10,15 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} r, + /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, /dev/zfs rw, @{PROC}/@{pids}/mounts r, /dev/pts/[0-9]* rw, /etc/hostid r, + @{PROC}/sys/kernel/spl/hostid r, include if exists } From cc5d1a0e07e42e67287257c425b97087784af57c Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 14:43:19 +0200 Subject: [PATCH 13/17] Initramfs generation updates --- apparmor.d/profiles-m-r/mount-zfs | 4 ++++ apparmor.d/profiles-s-z/zpool | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index c79af21c..0f9cfb7b 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -24,12 +24,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, + mount fstype=zfs -> /tmp/zfsmnt.*/ + mount fstype=zfs -> /tmp/zfsmnt.*/*/ umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, + umount fstype=zfs -> /tmp/zfsmnt.*/ + mount fstype=zfs -> /tmp/zfsmnt.*/*/ @{PROC}/@{pids}/mounts r, 
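Review bot: `/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,` together with `/{usr/,}{local/,}bin/{ba,da,k,z,}sh rix,` runs the zpool.d helper scripts, and every shell they start, under zpool's own profile, which includes `capability sys_admin,` and `/dev/zfs rw,`; patch 16 narrows the shell glob to `/{usr/,}bin/{,ba,da}sh rix,` but keeps the inheritance. With `flags=(complain)` this shows up as ALLOWED log lines rather than denials, so the scope will only become visible when the profile is enforced. If those scripts need less than the parent, a nested child profile entered with `rCx` would confine them separately; if not, a comment on the `zpool.d/*` line saying they intentionally inherit would document the choice.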
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index b4d23646..5b0efb02 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -20,5 +20,9 @@ profile zpool @{exec_path} flags=(complain) { /etc/hostid r, @{PROC}/sys/kernel/spl/hostid r, + /run/blkid/blkid.tab wr, + /run/blkid/blkid.tab.old l, + /run/blkid/blkid.tab-* wrl, + include if exists } From da08ef6aa6100c3e1d7a1dd3e2e5ae428f8e6cf7 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 14:44:53 +0200 Subject: [PATCH 14/17] Typo --- apparmor.d/profiles-m-r/mount-zfs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 0f9cfb7b..07490bb5 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -24,16 +24,16 @@ profile mount-zfs @{exec_path} flags=(complain) { mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> /, mount fstype=zfs -> /*/, - mount fstype=zfs -> /tmp/zfsmnt.*/ - mount fstype=zfs -> /tmp/zfsmnt.*/*/ + mount fstype=zfs -> /tmp/zfsmnt.*/, + mount fstype=zfs -> /tmp/zfsmnt.*/*/, umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount /, umount /*/, - umount fstype=zfs -> /tmp/zfsmnt.*/ - mount fstype=zfs -> /tmp/zfsmnt.*/*/ + umount /tmp/zfsmnt.*/, + umount /tmp/zfsmnt.*/*/, @{PROC}/@{pids}/mounts r, From c9b4423e45387012d2ceaa606b44ff4f5b3d7ea3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 15:24:10 +0200 Subject: [PATCH 15/17] Allow mount-zfs access to pts --- apparmor.d/profiles-m-r/mount-zfs | 2 ++ apparmor.d/profiles-s-z/zpool | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 07490bb5..cfd13ccf 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs 
@@ -15,6 +15,8 @@ profile mount-zfs @{exec_path} flags=(complain) { @{exec_path} mr, + /dev/pts/[0-9]* rw, + @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 5b0efb02..bbd73e3d 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -9,7 +9,7 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, - @{exec_path} r, + @{exec_path} rm, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, From 59f8b893ffedc6292c738b3e6dce24aa06b73399 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 9 Jul 2022 20:33:47 +0200 Subject: [PATCH 16/17] Cleanup profiles according to standards --- apparmor.d/groups/virt/containerd | 74 +++++++++++++++---------------- apparmor.d/profiles-s-z/zfs | 3 +- apparmor.d/profiles-s-z/zpool | 19 ++++---- 3 files changed, 47 insertions(+), 49 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index b7729a7a..f73d1b37 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -17,61 +17,57 @@ profile containerd @{exec_path} { capability sys_admin, capability chown, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + + umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + signal (receive) set=term peer=dockerd, - @{exec_path} mr, - + @{exec_path} rm, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/docker/containerd/{,**} rwk, - @{run}/containerd/{,**} rwk, - @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, - mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, - @{run}/systemd/notify w, + @{run}/systemd/notify w, + @{run}/containerd/{,**} rwk, + @{run}/docker/containerd/{,**} rwk, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, - # Extracting container images - /usr/{local/,}bin/unpigz PUx, - - # zfs snapshotter - /{usr/,}{local/,}{s,}bin/zfs Px, - mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, - deny /dev/bsg/ r, - deny /dev/bus/ r, - deny /dev/bus/usb/ r, - deny /dev/bus/usb/001/ r, - deny /dev/bus/usb/002/ r, - deny /dev/char/ r, - deny /dev/cpu/ r, - deny /dev/cpu/0/ r, - deny /dev/cpu/1/ r, - deny 
/dev/dma_heap/ r, - deny /dev/dri/ r, - deny /dev/dri/by-path/ r, - deny /dev/hugepages/ r, - deny /dev/input/ r, - deny /dev/input/by-id/ r, - deny /dev/input/by-path/ r, - deny /dev/net/ r, - deny /dev/snd/ r, - deny /dev/snd/by-path/ r, - deny /dev/vfio/ r, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/[0-9]*/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/[0-9]*/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index dfe846c0..d3404b00 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -10,8 +10,9 @@ profile zfs @{exec_path} flags=(complain) { @{exec_path} r, - /dev/zfs rw, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index bbd73e3d..dfa2f83e 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -11,18 +11,19 @@ profile zpool @{exec_path} flags=(complain) { @{exec_path} rm, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, - /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, - - /dev/zfs rw, + /{usr/,}bin/{,ba,da}sh rix, + + /etc/hostid r, + + @{run}/blkid/blkid.tab rw, + @{run}/blkid/blkid.tab.old l, + @{run}/blkid/blkid.tab-* rwl, + + @{PROC}/sys/kernel/spl/hostid r, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, /dev/pts/[0-9]* rw, - /etc/hostid r, - @{PROC}/sys/kernel/spl/hostid r, - - /run/blkid/blkid.tab wr, - /run/blkid/blkid.tab.old l, - /run/blkid/blkid.tab-* wrl, include if exists } From d10f2c073c7d09d9d3ab55ae45b32fe6f16a90bf Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Sun, 10 Jul 2022 13:01:31 +0200 Subject: [PATCH 17/17] Alphabetical sorting, group common options. --- apparmor.d/groups/virt/containerd | 8 ++++---- apparmor.d/profiles-s-z/zpool | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f73d1b37..9b1c578f 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -12,10 +12,10 @@ profile containerd @{exec_path} { include include + capability chown, capability dac_read_search, capability net_admin, capability sys_admin, - capability chown, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, @@ -24,11 +24,11 @@ profile containerd @{exec_path} { signal (receive) set=term peer=dockerd, - @{exec_path} rm, - /{usr/,}bin/unpigz rPUx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + @{exec_path} mr, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, /etc/cni/ rw, /etc/cni/{,**} r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index dfa2f83e..ccd94c56 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -10,20 +10,20 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} rm, - /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /etc/hostid r, + @{PROC}/sys/kernel/spl/hostid r, @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab-* rwl, - @{PROC}/sys/kernel/spl/hostid r, @{PROC}/@{pids}/mounts r, - /dev/zfs rw, /dev/pts/[0-9]* rw, + /dev/zfs rw, include if exists }