Cleanup profiles according to standards
This commit is contained in:
parent
c9b4423e45
commit
59f8b893ff
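--- a/containerd
+++ b/containerd
@@ -17,61 +17,57 @@ profile containerd @{exec_path} {
 capability sys_admin,
 capability chown,
 
+mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
+mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
 
+umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
 
 signal (receive) set=term peer=dockerd,
 
-@{exec_path} mr,
+@{exec_path} rm,
+/{usr/,}bin/unpigz rPUx,
+/{usr/,}{local/,}{s,}bin/zfs rPx,
 /{usr/,}bin/containerd-shim-runc-v2 rPUx,
 /{usr/,}bin/kmod rPx,
 
 /etc/cni/ rw,
 /etc/cni/{,**} r,
 /etc/cni/net.d/ rw,
 /etc/containerd/*.toml r,
 
 /var/lib/containerd/{,**} rwk,
+/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
 /var/lib/docker/containerd/{,**} rwk,
-@{run}/containerd/{,**} rwk,
-@{run}/docker/containerd/{,**} rwk,
 /opt/containerd/{,**} rw,
-mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
 
 @{run}/systemd/notify w,
+@{run}/containerd/{,**} rwk,
+@{run}/docker/containerd/{,**} rwk,
 
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
 owner @{PROC}/@{pids}/uid_map r,
 owner @{PROC}/@{pids}/mountinfo r,
 @{PROC}/sys/net/core/somaxconn r,
 
-# Extracting container images
-/usr/{local/,}bin/unpigz PUx,
+deny /dev/bsg/ r,
+deny /dev/bus/ r,
+deny /dev/bus/usb/ r,
-# zfs snapshotter
-/{usr/,}{local/,}{s,}bin/zfs Px,
-mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
-umount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
-/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
-deny /dev/bsg/ r,
-deny /dev/bus/ r,
-deny /dev/bus/usb/ r,
-deny /dev/bus/usb/001/ r,
-deny /dev/bus/usb/002/ r,
-deny /dev/char/ r,
-deny /dev/cpu/ r,
-deny /dev/cpu/0/ r,
-deny /dev/cpu/1/ r,
-deny /dev/dma_heap/ r,
-deny /dev/dri/ r,
-deny /dev/dri/by-path/ r,
-deny /dev/hugepages/ r,
-deny /dev/input/ r,
-deny /dev/input/by-id/ r,
-deny /dev/input/by-path/ r,
-deny /dev/net/ r,
-deny /dev/snd/ r,
-deny /dev/snd/by-path/ r,
-deny /dev/vfio/ r,
+deny /dev/bus/usb/[0-9]*/ r,
+deny /dev/char/ r,
+deny /dev/cpu/ r,
+deny /dev/cpu/[0-9]*/ r,
+deny /dev/dma_heap/ r,
+deny /dev/dri/ r,
+deny /dev/dri/by-path/ r,
+deny /dev/hugepages/ r,
+deny /dev/input/ r,
+deny /dev/input/by-id/ r,
+deny /dev/input/by-path/ r,
+deny /dev/net/ r,
+deny /dev/snd/ r,
+deny /dev/snd/by-path/ r,
+deny /dev/vfio/ r,
 
 include if exists <local/containerd>
 }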
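Review bot: The new unpigz rule `/{usr/,}bin/unpigz rPUx,` narrows the old `/usr/{local/,}bin/unpigz PUx,` so that `/usr/local/bin/unpigz` is no longer matched, while the zfs rule right below it keeps `{local/,}`; a locally built unpigz (presumably found via PATH — to confirm) would start being denied after this "cleanup". The rule also keeps the `PUx` fallback, which runs the decompressor of attacker-controlled image layers unconfined whenever no unpigz profile is loaded, whereas zfs and kmod in the same block use the strict `rPx`. Suggest `/{usr/,}{local/,}bin/unpigz rPx,`, or, if the unconfined fallback is deliberate, keep `rPUx` and restore the dropped `# Extracting container images` comment extended with the reason. Separately, `options in (rw, nosuid, nodev, noexec)` on the moved shm tmpfs mount only permits a subset of those options, so it does not require nosuid/nodev/noexec; `options=(rw, nosuid, nodev, noexec)` would, if that is the intent.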
@ -10,8 +10,9 @@ profile zfs @{exec_path} flags=(complain) {
|
|||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
|
|
||||||
/dev/zfs rw,
|
|
||||||
@{PROC}/@{pids}/mounts r,
|
@{PROC}/@{pids}/mounts r,
|
||||||
|
|
||||||
|
/dev/zfs rw,
|
||||||
|
|
||||||
include if exists <local/zfs>
|
include if exists <local/zfs>
|
||||||
}
|
}
|
||||||
|
@ -11,18 +11,19 @@ profile zpool @{exec_path} flags=(complain) {
|
|||||||
|
|
||||||
@{exec_path} rm,
|
@{exec_path} rm,
|
||||||
/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
|
/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
|
||||||
/{usr/,}{local/,}bin/{ba,da,k,z,}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
|
|
||||||
/dev/zfs rw,
|
/etc/hostid r,
|
||||||
|
|
||||||
|
@{run}/blkid/blkid.tab rw,
|
||||||
|
@{run}/blkid/blkid.tab.old l,
|
||||||
|
@{run}/blkid/blkid.tab-* rwl,
|
||||||
|
|
||||||
|
@{PROC}/sys/kernel/spl/hostid r,
|
||||||
@{PROC}/@{pids}/mounts r,
|
@{PROC}/@{pids}/mounts r,
|
||||||
|
|
||||||
|
/dev/zfs rw,
|
||||||
/dev/pts/[0-9]* rw,
|
/dev/pts/[0-9]* rw,
|
||||||
/etc/hostid r,
|
|
||||||
@{PROC}/sys/kernel/spl/hostid r,
|
|
||||||
|
|
||||||
/run/blkid/blkid.tab wr,
|
|
||||||
/run/blkid/blkid.tab.old l,
|
|
||||||
/run/blkid/blkid.tab-* wrl,
|
|
||||||
|
|
||||||
include if exists <local/zfs>
|
include if exists <local/zfs>
|
||||||
}
|
}
|
||||||
|
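Review bot: The shell rule change `/{usr/,}bin/{,ba,da}sh rix,` replaces `/{usr/,}{local/,}bin/{ba,da,k,z,}sh rix,`, silently dropping ksh, zsh and any interpreter under /usr/local/bin, which goes beyond the "cleanup" stated in the commit message. The zpool.d helpers are executed with `rix` on the line above, so a helper whose shebang names one of the dropped interpreters would now be denied — only logged as long as the profile keeps `flags=(complain)`, but a real denial once it is enforced. If the narrowing is intentional (the zpool.d scripts shipped with zfs appear to use /bin/sh — to confirm), a one-line comment such as `# zpool.d helpers are POSIX sh scripts` above the rule would document it; otherwise keep `{local/,}` and the wider interpreter set.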