diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index b7729a7a..f73d1b37 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -17,61 +17,57 @@ profile containerd @{exec_path} { capability sys_admin, capability chown, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + + umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + signal (receive) set=term peer=dockerd, - @{exec_path} mr, - + @{exec_path} rm, + /{usr/,}bin/unpigz rPUx, + /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/docker/containerd/{,**} rwk, - @{run}/containerd/{,**} rwk, - @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, - mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, - @{run}/systemd/notify w, + @{run}/systemd/notify w, + @{run}/containerd/{,**} rwk, + @{run}/docker/containerd/{,**} rwk, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/uid_map r, - owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/net/core/somaxconn r, - # Extracting container images - /usr/{local/,}bin/unpigz PUx, - - # zfs snapshotter - /{usr/,}{local/,}{s,}bin/zfs Px, - mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, - /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, - deny /dev/bsg/ r, - deny /dev/bus/ r, - deny /dev/bus/usb/ r, - deny /dev/bus/usb/001/ r, - deny /dev/bus/usb/002/ r, - deny /dev/char/ r, - deny /dev/cpu/ r, - deny /dev/cpu/0/ r, - deny /dev/cpu/1/ r, - deny 
/dev/dma_heap/ r, - deny /dev/dri/ r, - deny /dev/dri/by-path/ r, - deny /dev/hugepages/ r, - deny /dev/input/ r, - deny /dev/input/by-id/ r, - deny /dev/input/by-path/ r, - deny /dev/net/ r, - deny /dev/snd/ r, - deny /dev/snd/by-path/ r, - deny /dev/vfio/ r, + deny /dev/bsg/ r, + deny /dev/bus/ r, + deny /dev/bus/usb/ r, + deny /dev/bus/usb/[0-9]*/ r, + deny /dev/char/ r, + deny /dev/cpu/ r, + deny /dev/cpu/[0-9]*/ r, + deny /dev/dma_heap/ r, + deny /dev/dri/ r, + deny /dev/dri/by-path/ r, + deny /dev/hugepages/ r, + deny /dev/input/ r, + deny /dev/input/by-id/ r, + deny /dev/input/by-path/ r, + deny /dev/net/ r, + deny /dev/snd/ r, + deny /dev/snd/by-path/ r, + deny /dev/vfio/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index dfe846c0..d3404b00 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -10,8 +10,9 @@ profile zfs @{exec_path} flags=(complain) { @{exec_path} r, - /dev/zfs rw, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index bbd73e3d..dfa2f83e 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -11,18 +11,19 @@ profile zpool @{exec_path} flags=(complain) { @{exec_path} rm, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, - /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix, - - /dev/zfs rw, + /{usr/,}bin/{,ba,da}sh rix, + + /etc/hostid r, + + @{run}/blkid/blkid.tab rw, + @{run}/blkid/blkid.tab.old l, + @{run}/blkid/blkid.tab-* rwl, + + @{PROC}/sys/kernel/spl/hostid r, @{PROC}/@{pids}/mounts r, + /dev/zfs rw, /dev/pts/[0-9]* rw, - /etc/hostid r, - @{PROC}/sys/kernel/spl/hostid r, - - /run/blkid/blkid.tab wr, - /run/blkid/blkid.tab.old l, - /run/blkid/blkid.tab-* wrl, include if exists }
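Review bot: The rewritten unpigz rule `/{usr/,}bin/unpigz rPUx,` no longer matches `/usr/local/bin/unpigz`, which the removed `/usr/{local/,}bin/unpigz PUx,` covered, while the zfs rule directly below it keeps its `{local/,}` alternation; unless dropping /usr/local is intended, the two should agree, e.g. `/{usr/,}{local/,}bin/unpigz rPUx,`. The comments that explained these two rules (`# Extracting container images` and `# zfs snapshotter`) were lost when the rules moved up next to `@{exec_path} rm,`; they are worth re-attaching, since the `PUx` fallback means unpigz runs unconfined on any host where no unpigz profile is loaded, and a reader should see why that is accepted for the tool that extracts image content. Most of the hunk's other removed/re-added pairs (the `/etc/cni/` rules, `@{run}/systemd/notify w,`, the `owner @{PROC}` lines and the whole `deny /dev/` block) appear identical apart from whitespace, so the functional changes (the relocated mount rules, the corrected `umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,` and the `[0-9]*` deny globs) are hard to pick out; splitting the reindent from the policy changes would make the diff reviewable. The profile header is outside the hunk.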
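Review bot: The shell rule narrows from `/{usr/,}{local/,}bin/{ba,da,k,z,}sh rix,` to `/{usr/,}bin/{,ba,da}sh rix,`, dropping `/usr/local/bin` and the ksh/zsh alternatives inside a hunk that otherwise only regroups and moves existing rules, and nothing in the commit records why; a one-line comment above it such as `# interpreters for the zpool.d/* helper scripts` would make the intent explicit and any later widening deliberate. Because the profile is `flags=(complain)`, a helper script whose interpreter now falls outside the pattern is logged rather than blocked, so the narrowing is easy to miss in testing; checking the shebang lines of the scripts matched by the `/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,` context line before switching to enforce mode would confirm the new set is sufficient. The `@{run}/blkid/` rewrite of the former `/run/blkid/` lines and the `/dev/zfs rw,` move are fine as they stand. The profile header is outside the hunk.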