Cleanup profiles according to standards

apparmor.d/groups/virt/containerd

@@ -17,10 +17,16 @@ profile containerd @{exec_path} {
   capability sys_admin,
   capability chown,
 
+  mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
+  mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+
+  umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+
   signal (receive) set=term peer=dockerd,
 
-  @{exec_path} mr,
+  @{exec_path}                        rm,
-
+  /{usr/,}bin/unpigz                  rPUx,
+  /{usr/,}{local/,}{s,}bin/zfs        rPx,
   /{usr/,}bin/containerd-shim-runc-v2 rPUx,
   /{usr/,}bin/kmod                    rPx,
 
@@ -30,13 +36,13 @@ profile containerd @{exec_path} {
   /etc/containerd/*.toml r,
 
   /var/lib/containerd/{,**} rwk,
+  /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
   /var/lib/docker/containerd/{,**} rwk,
-  @{run}/containerd/{,**} rwk,
-  @{run}/docker/containerd/{,**} rwk,
   /opt/containerd/{,**} rw,
-  mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
 
   @{run}/systemd/notify          w,
+  @{run}/containerd/{,**}        rwk,
+  @{run}/docker/containerd/{,**} rwk,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
@@ -44,23 +50,13 @@ profile containerd @{exec_path} {
   owner @{PROC}/@{pids}/mountinfo      r,
         @{PROC}/sys/net/core/somaxconn r,
 
-  # Extracting container images
-  /usr/{local/,}bin/unpigz PUx,
-  
-  # zfs snapshotter
-  /{usr/,}{local/,}{s,}bin/zfs Px,
-  mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
-  umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
-  /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
   deny /dev/bsg/            r,
   deny /dev/bus/            r,
   deny /dev/bus/usb/        r,
-  deny /dev/bus/usb/001/ r,
+  deny /dev/bus/usb/[0-9]*/ r,
-  deny /dev/bus/usb/002/ r,
   deny /dev/char/           r,
   deny /dev/cpu/            r,
-  deny /dev/cpu/0/ r,
+  deny /dev/cpu/[0-9]*/     r,
-  deny /dev/cpu/1/ r,
   deny /dev/dma_heap/       r,
   deny /dev/dri/            r,
   deny /dev/dri/by-path/    r,

apparmor.d/profiles-s-z/zfs

@@ -10,8 +10,9 @@ profile zfs @{exec_path} flags=(complain) {
   
   @{exec_path} r,
   
-  /dev/zfs rw,
   @{PROC}/@{pids}/mounts r,
 
+  /dev/zfs rw,
+
   include if exists <local/zfs>
 }

apparmor.d/profiles-s-z/zpool

@@ -11,18 +11,19 @@ profile zpool @{exec_path} flags=(complain) {
 
   @{exec_path} rm,
   /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
-  /{usr/,}{local/,}bin/{ba,da,k,z,}sh rix,
+  /{usr/,}bin/{,ba,da}sh rix,
 
-  /dev/zfs rw,
+  /etc/hostid r,
+
+  @{run}/blkid/blkid.tab rw,
+  @{run}/blkid/blkid.tab.old l,
+  @{run}/blkid/blkid.tab-* rwl,
+
+  @{PROC}/sys/kernel/spl/hostid r,
   @{PROC}/@{pids}/mounts r,
 
+  /dev/zfs rw,
   /dev/pts/[0-9]* rw,
-  /etc/hostid r,
-  @{PROC}/sys/kernel/spl/hostid r,
-
-  /run/blkid/blkid.tab wr,
-  /run/blkid/blkid.tab.old l,
-  /run/blkid/blkid.tab-* wrl,
 
   include if exists <local/zfs>
 }