mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 16:03:51 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'Jeroen0494-feat/cni'

Browse Source 
* Jeroen0494-feat/cni:
  Alphabetical sorting, group common options.
  Cleanup profiles according to standards
  Allow mount-zfs access to pts
  Typo
  Initramfs generation updates
  Executable updates for zpool
  Basic ZFS support
  Apply suggestions from code review
  Update CNI path, set containerd to attach_disconnected, cleanups.
  Add headers to new policies
  Syntax fixes
  Allow containerd to access SSL certs for pulling container images.
  Calico profile cleanup.
  Cleanup profiles according to standards part 1/2
  Update build instructions for Ubuntu
  Add AppArmor support to containerd
  Add CNI for containerd
This commit is contained in:
Alexandre Pujol 2022-07-10 13:42:30 +01:00
commit 4f7cf8d90e
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
10 changed files with 216 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -48,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
* An `apparmor` based linux distribution. * An `apparmor` based linux distribution.
* Base profiles and abstractions shipped with AppArmor are supposed to be * Base profiles and abstractions shipped with AppArmor are supposed to be
installed. installed.
* Go
* rsync
**Archlinux** **Archlinux**
@ -65,6 +67,8 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
Build using standard Debian package build tools: Build using standard Debian package build tools:
```sh ```sh
sudo apt install debhelper ubuntu-dev-tools config-package-dev golang-go apparmor-profiles rsync
dpkg-buildpackage -b -d --no-sign dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*_all.deb sudo dpkg -i ../apparmor.d_*_all.deb
``` ```

5
apparmor.d/abstractions/disks-read
View File

@ -9,8 +9,10 @@
/dev/ r, /dev/ r,
# Regular disk/partition devices # Regular disk/partition devices
/dev/block/ r,
/dev/{s,v}d[a-z]* rk, /dev/{s,v}d[a-z]* rk,
/dev/{s,v}d[a-z]*[0-9]* rk, /dev/{s,v}d[a-z]*[0-9]* rk,
/dev/disk/*/ r,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
@{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
@{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
@ -35,11 +37,14 @@
# LUKS/LVM (device-mapper) devices # LUKS/LVM (device-mapper) devices
/dev/dm-[0-9]* rk, /dev/dm-[0-9]* rk,
/dev/mapper/* r,
@{sys}/devices/virtual/block/dm-[0-9]*/ r, @{sys}/devices/virtual/block/dm-[0-9]*/ r,
@{sys}/devices/virtual/block/dm-[0-9]*/** r, @{sys}/devices/virtual/block/dm-[0-9]*/** r,
# ZFS devices # ZFS devices
/dev/zd[0-9]* rk, /dev/zd[0-9]* rk,
/dev/zvol/ r,
/dev/zvol/*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/ r, @{sys}/devices/virtual/block/zd[0-9]*/ r,
@{sys}/devices/virtual/block/zd[0-9]*/** r, @{sys}/devices/virtual/block/zd[0-9]*/** r,

30
apparmor.d/groups/virt/calico Normal file
View File

@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /opt/cni/bin/calico
profile calico @{exec_path} {
include <abstractions/base>
network inet,
network inet6,
@{exec_path} mr,
@{exec_path}-ipam rix,
/etc/cni/net.d/{,**} r,
/var/lib/calico/{,**} r,
/var/log/calico/cni/ r,
/var/log/calico/cni/cni.log rw,
@{run}/calico/ipam.lock rwk,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/calico>
}

21
apparmor.d/groups/virt/cni-bandwidth Normal file
View File

@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /opt/cni/bin/bandwidth
profile bandwidth @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
network inet,
network netlink raw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/bandwidth>
}

18
apparmor.d/groups/virt/cni-loopback Normal file
View File

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /opt/cni/bin/loopback
profile loopback @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/loopback>
}

18
apparmor.d/groups/virt/cni-portmap Normal file
View File

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /opt/cni/bin/portmap
profile portmap @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/portmap>
}

63
apparmor.d/groups/virt/containerd
View File

@ -7,32 +7,62 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/containerd @{exec_path} = /{usr/,}bin/containerd
profile containerd @{exec_path} { profile containerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/ssl_certs>
include <abstractions/nameservice-strict>
include <abstractions/disks-read>
include <abstractions/devices-usb>
capability chown,
capability dac_read_search, capability dac_read_search,
capability net_admin, capability net_admin,
capability sys_admin, capability sys_admin,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
signal (receive) set=term peer=dockerd, signal (receive) set=term peer=dockerd,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/containerd-shim-runc-v2 rPUx,
/{usr/,}bin/kmod rPx, /{usr/,}bin/kmod rPx,
/{usr/,}bin/unpigz rPUx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
/etc/cni/ rw, /etc/cni/ rw,
/etc/cni/{,**} r, /etc/cni/{,**} r,
/etc/cni/net.d/ rw, /etc/cni/net.d/ rw,
/etc/containerd/*.toml r, /etc/containerd/*.toml r,
/opt/cni/bin/loopback rPx,
/opt/cni/bin/portmap rPx,
/opt/cni/bin/bandwidth rPx,
/opt/cni/bin/calico rPx,
/var/log/pods/**/[0-9]*.log w,
@{run}/calico/ w,
@{run}/netns/ w,
@{run}/netns/cni-@{uuid} rw,
/var/lib/cni/results/cni-loopback-@{uuid}-lo l,
@{PROC}/@{pid}/task/@{tid}/ns/net rw,
/var/lib/containerd/{,**} rwk, /var/lib/containerd/{,**} rwk,
/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
/var/lib/docker/containerd/{,**} rwk, /var/lib/docker/containerd/{,**} rwk,
@{run}/containerd/{,**} rwk,
@{run}/docker/containerd/{,**} rwk,
/opt/containerd/{,**} rw, /opt/containerd/{,**} rw,
@{run}/systemd/notify w, @{run}/systemd/notify w,
@{run}/containerd/{,**} rwk,
@{run}/docker/containerd/{,**} rwk,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@ -40,5 +70,30 @@ profile containerd @{exec_path} {
owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/mountinfo r,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,
# AppArmor within containers
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/apparmor/parameters/enabled r,
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
/{usr/,}{s,}bin/apparmor_parser rPx,
deny /dev/bsg/ r,
deny /dev/bus/ r,
deny /dev/bus/usb/ r,
deny /dev/bus/usb/[0-9]*/ r,
deny /dev/char/ r,
deny /dev/cpu/ r,
deny /dev/cpu/[0-9]*/ r,
deny /dev/dma_heap/ r,
deny /dev/dri/ r,
deny /dev/dri/by-path/ r,
deny /dev/hugepages/ r,
deny /dev/input/ r,
deny /dev/input/by-id/ r,
deny /dev/input/by-path/ r,
deny /dev/net/ r,
deny /dev/snd/ r,
deny /dev/snd/by-path/ r,
deny /dev/vfio/ r,
include if exists <local/containerd> include if exists <local/containerd>
} }

6
apparmor.d/profiles-m-r/mount-zfs
View File

@ -15,6 +15,8 @@ profile mount-zfs @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/dev/pts/[0-9]* rw,
@{MOUNTDIRS}/ r, @{MOUNTDIRS}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
@{MOUNTS}/*/ r, @{MOUNTS}/*/ r,
@ -24,12 +26,16 @@ profile mount-zfs @{exec_path} flags=(complain) {
mount fstype=zfs -> @{MOUNTS}/*/, mount fstype=zfs -> @{MOUNTS}/*/,
mount fstype=zfs -> /, mount fstype=zfs -> /,
mount fstype=zfs -> /*/, mount fstype=zfs -> /*/,
mount fstype=zfs -> /tmp/zfsmnt.*/,
mount fstype=zfs -> /tmp/zfsmnt.*/*/,
umount @{MOUNTDIRS}/, umount @{MOUNTDIRS}/,
umount @{MOUNTS}/, umount @{MOUNTS}/,
umount @{MOUNTS}/*/, umount @{MOUNTS}/*/,
umount /, umount /,
umount /*/, umount /*/,
umount /tmp/zfsmnt.*/,
umount /tmp/zfsmnt.*/*/,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,

18
apparmor.d/profiles-s-z/zfs Normal file
View File

@ -0,0 +1,18 @@
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
profile zfs @{exec_path} flags=(complain) {
include <abstractions/base>
capability sys_admin,
@{exec_path} r,
@{PROC}/@{pids}/mounts r,
/dev/zfs rw,
include if exists <local/zfs>
}

29
apparmor.d/profiles-s-z/zpool Normal file
View File

@ -0,0 +1,29 @@
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
profile zpool @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
/etc/hostid r,
@{PROC}/sys/kernel/spl/hostid r,
@{run}/blkid/blkid.tab rw,
@{run}/blkid/blkid.tab.old l,
@{run}/blkid/blkid.tab-* rwl,
@{PROC}/@{pids}/mounts r,
/dev/pts/[0-9]* rw,
/dev/zfs rw,
include if exists <local/zfs>
}