diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 882ba9e0..a07de445 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -32,6 +32,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=term peer=dockerd,
   @{exec_path} mr,
+  /{usr/,}{s,}bin/apparmor_parser rPx,
   /{usr/,}bin/containerd-shim-runc-v2 rPUx,
   /{usr/,}bin/kmod rPx,
   /{usr/,}bin/unpigz rPUx,
 
@@ -47,53 +48,50 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   /opt/cni/bin/bandwidth rPx,
   /opt/cni/bin/calico rPx,
-  /var/log/pods/**/[0-9]*.log w,
-  @{run}/calico/ w,
+  /opt/containerd/{,**} rw,
-  @{run}/netns/ w,
-  @{run}/netns/cni-@{uuid} rw,
   /var/lib/cni/results/cni-loopback-@{uuid}-lo l,
-  @{PROC}/@{pid}/task/@{tid}/ns/net rw,
-
   /var/lib/containerd/{,**} rwk,
   /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
   /var/lib/docker/containerd/{,**} rwk,
-  /opt/containerd/{,**} rw,
+  /var/log/pods/**/[0-9]*.log w,
-  @{run}/systemd/notify w,
+  @{run}/calico/ w,
   @{run}/containerd/{,**} rwk,
   @{run}/docker/containerd/{,**} rwk,
+  @{run}/netns/ w,
+  @{run}/netns/cni-@{uuid} rw,
+  @{run}/systemd/notify w,
+
+  /tmp/cri-containerd.apparmor.d[0-9]* rwl,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
-  owner @{PROC}/@{pids}/uid_map r,
-  owner @{PROC}/@{pids}/mountinfo r,
-  @{PROC}/sys/net/core/somaxconn r,
-
-  # AppArmor within containers
   @{sys}/kernel/security/apparmor/profiles r,
   @{sys}/module/apparmor/parameters/enabled r,
-  /tmp/cri-containerd.apparmor.d[0-9]* rwl,
-  /{usr/,}{s,}bin/apparmor_parser rPx,
-  deny /dev/bsg/ r,
-  deny /dev/bus/ r,
-  deny /dev/bus/usb/ r,
-  deny /dev/bus/usb/[0-9]*/ r,
-  deny /dev/char/ r,
-  deny /dev/cpu/ r,
-  deny /dev/cpu/[0-9]*/ r,
-  deny /dev/dma_heap/ r,
-  deny /dev/dri/ r,
-  deny /dev/dri/by-path/ r,
-  deny /dev/hugepages/ r,
-  deny /dev/input/ r,
-  deny /dev/input/by-id/ r,
-  deny /dev/input/by-path/ r,
-  deny /dev/net/ r,
-  deny /dev/snd/ r,
-  deny /dev/snd/by-path/ r,
-  deny /dev/vfio/ r,
+  @{PROC}/@{pid}/task/@{tid}/ns/net rw,
+  owner @{PROC}/@{pids}/uid_map r,
+  owner @{PROC}/@{pids}/mountinfo r,
+  @{PROC}/sys/net/core/somaxconn r,
+
+  deny /dev/bsg/ rwkl,
+  deny /dev/bus/ rwkl,
+  deny /dev/bus/usb/ rwkl,
+  deny /dev/bus/usb/[0-9]*/ rwkl,
+  deny /dev/char/ rwkl,
+  deny /dev/cpu/ rwkl,
+  deny /dev/cpu/[0-9]*/ rwkl,
+  deny /dev/dma_heap/ rwkl,
+  deny /dev/dri/ rwkl,
+  deny /dev/dri/by-path/ rwkl,
+  deny /dev/hugepages/ rwkl,
+  deny /dev/input/ rwkl,
+  deny /dev/input/by-id/ rwkl,
+  deny /dev/input/by-path/ rwkl,
+  deny /dev/net/ rwkl,
+  deny /dev/snd/ rwkl,
+  deny /dev/snd/by-path/ rwkl,
+  deny /dev/vfio/ rwkl,
   include if exists
 }
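Review bot: The `/tmp/cri-containerd.apparmor.d[0-9]* rwl,` rule carried over into the new layout lets containerd read, write and link a predictably named file in the shared /tmp directory, and the same profile then hands that file to `apparmor_parser` (rPx, moved into the exec section in the first hunk). Because the name is fixed apart from its numeric suffix, consider scoping the rule with the owner qualifier, `owner /tmp/cri-containerd.apparmor.d[0-9]* rwl,`, so the profile does not also grant access to a same-named file that a different user created there first. The `# AppArmor within containers` comment that grouped the sysfs apparmor rules was dropped during the move; restoring it above `@{sys}/kernel/security/apparmor/profiles r,` would keep that intent visible. Widening the `/dev/` directory denials from `r` to `rwkl` is a tightening and looks correct as written.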