Cleanup profile

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Jeroen Rijken 2022-07-10 14:53:37 +02:00 committed by Alex
parent 2d7ec5ad2c
commit 6c8e50534b


@ -32,6 +32,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
signal (receive) set=term peer=dockerd, signal (receive) set=term peer=dockerd,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/containerd-shim-runc-v2 rPUx,
/{usr/,}bin/kmod rPx, /{usr/,}bin/kmod rPx,
/{usr/,}bin/unpigz rPUx, /{usr/,}bin/unpigz rPUx,
@ -47,53 +48,50 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
/opt/cni/bin/bandwidth rPx, /opt/cni/bin/bandwidth rPx,
/opt/cni/bin/calico rPx, /opt/cni/bin/calico rPx,
/var/log/pods/**/[0-9]*.log w, /opt/containerd/{,**} rw,
@{run}/calico/ w,
@{run}/netns/ w,
@{run}/netns/cni-@{uuid} rw,
/var/lib/cni/results/cni-loopback-@{uuid}-lo l, /var/lib/cni/results/cni-loopback-@{uuid}-lo l,
@{PROC}/@{pid}/task/@{tid}/ns/net rw,
/var/lib/containerd/{,**} rwk, /var/lib/containerd/{,**} rwk,
/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/lib{64,}/** l,
/var/lib/docker/containerd/{,**} rwk, /var/lib/docker/containerd/{,**} rwk,
/opt/containerd/{,**} rw, /var/log/pods/**/[0-9]*.log w,
@{run}/systemd/notify w, @{run}/calico/ w,
@{run}/containerd/{,**} rwk, @{run}/containerd/{,**} rwk,
@{run}/docker/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk,
@{run}/netns/ w,
@{run}/netns/cni-@{uuid} rw,
@{run}/systemd/notify w,
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
owner @{PROC}/@{pids}/uid_map r,
owner @{PROC}/@{pids}/mountinfo r,
@{PROC}/sys/net/core/somaxconn r,
# AppArmor within containers
@{sys}/kernel/security/apparmor/profiles r, @{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
/tmp/cri-containerd.apparmor.d[0-9]* rwl,
/{usr/,}{s,}bin/apparmor_parser rPx,
deny /dev/bsg/ r, @{PROC}/@{pid}/task/@{tid}/ns/net rw,
deny /dev/bus/ r, owner @{PROC}/@{pids}/uid_map r,
deny /dev/bus/usb/ r, owner @{PROC}/@{pids}/mountinfo r,
deny /dev/bus/usb/[0-9]*/ r, @{PROC}/sys/net/core/somaxconn r,
deny /dev/char/ r,
deny /dev/cpu/ r, deny /dev/bsg/ rwkl,
deny /dev/cpu/[0-9]*/ r, deny /dev/bus/ rwkl,
deny /dev/dma_heap/ r, deny /dev/bus/usb/ rwkl,
deny /dev/dri/ r, deny /dev/bus/usb/[0-9]*/ rwkl,
deny /dev/dri/by-path/ r, deny /dev/char/ rwkl,
deny /dev/hugepages/ r, deny /dev/cpu/ rwkl,
deny /dev/input/ r, deny /dev/cpu/[0-9]*/ rwkl,
deny /dev/input/by-id/ r, deny /dev/dma_heap/ rwkl,
deny /dev/input/by-path/ r, deny /dev/dri/ rwkl,
deny /dev/net/ r, deny /dev/dri/by-path/ rwkl,
deny /dev/snd/ r, deny /dev/hugepages/ rwkl,
deny /dev/snd/by-path/ r, deny /dev/input/ rwkl,
deny /dev/vfio/ r, deny /dev/input/by-id/ rwkl,
deny /dev/input/by-path/ rwkl,
deny /dev/net/ rwkl,
deny /dev/snd/ rwkl,
deny /dev/snd/by-path/ rwkl,
deny /dev/vfio/ rwkl,
include if exists <local/containerd> include if exists <local/containerd>
} }