Add and update CNI profiles

2025-01-29 22:35:15 +01:00 · 2022-08-01 18:25:20 +02:00 · 2022-08-01 18:25:20 +02:00 · 6af5c76fb8
commit 6af5c76fb8
parent b1112e35a7
5 changed files with 40 additions and 4 deletions
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /opt/cni/bin/calico
+@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

--- a/apparmor.d/groups/virt/cni-flannel
+++ b/apparmor.d/groups/virt/cni-flannel
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel
+profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/cni-flannel>
+}
--- a/apparmor.d/groups/virt/cni-host-local
+++ b/apparmor.d/groups/virt/cni-host-local
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local
+profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/cni-host-local>
+}
--- a/apparmor.d/groups/virt/cni-xtables-nft
+++ b/apparmor.d/groups/virt/cni-xtables-nft
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
 profile cni-xtables-nft {
    include <abstractions/base>
+    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    capability net_admin,
@ -30,6 +31,4 @@ profile cni-xtables-nft {
    /etc/nftables.conf rw,

    @{PROC}/@{pids}/net/ip_tables_names r,
-
-    /dev/pts/[0-9]* rw,
 }
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -36,6 +36,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {

  umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
  umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+  umount /tmp/ctd-volume[0-9]*/,
  umount @{run}/netns/cni-@{uuid},

  signal (receive) set=term peer={dockerd,k3s},
@ -84,7 +85,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  owner /var/tmp/** rwkl,
  owner /tmp/** rwkl,
        /tmp/cri-containerd.apparmor.d[0-9]* rwl,
-        /tmp/ctd-volume[0-9]*/ rw,
+        /tmp/ctd-volume[0-9]*/{data,} rw,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/profiles r,