mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
Apply suggested fixes from PR
This commit is contained in:
Jeroen Rijken
Alex
parent
5af6cda328
commit
78cfb23bff
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}sbin/xtables-nft-multi
|
||||
@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
|
||||
profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
@ -14,19 +14,19 @@ profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) {
|
||||
capability net_admin,
|
||||
capability net_raw,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet raw,
|
||||
network inet6 raw,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet raw,
|
||||
network inet6 raw,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/libnl/classid r,
|
||||
/etc/iptables/{,**} rw,
|
||||
/etc/nftables.conf rw,
|
||||
/etc/iptables/{,**} rw,
|
||||
/etc/nftables.conf rw,
|
||||
|
||||
@{PROC}/@{pids}/net/ip_tables_names r,
|
||||
|
||||
|
||||
@ -24,13 +24,13 @@ profile k3s @{exec_path} flags=(complain) {
|
||||
ptrace peer=@{profile_name},
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
|
||||
mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
|
||||
umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
|
||||
|
||||
signal (send, receive) set=term,
|
||||
@ -56,20 +56,20 @@ profile k3s @{exec_path} flags=(complain) {
|
||||
/{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi,
|
||||
/{usr/,}{s,}bin/xtables-nft-multi rPx,
|
||||
|
||||
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
|
||||
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
|
||||
|
||||
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r,
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
|
||||
/usr/share/mime/globs2 r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/rancher/k3s/{,**} r,
|
||||
/etc/rancher/k3s/k3s.yaml rw,
|
||||
/etc/machine-id r,
|
||||
/etc/rancher/k3s/{,**} r,
|
||||
/etc/rancher/k3s/k3s.yaml rw,
|
||||
/etc/rancher/node/password r,
|
||||
|
||||
/var/lib/rancher/k3s/{,**} r,
|
||||
/var/lib/rancher/k3s/agent/** rw,
|
||||
/var/lib/rancher/k3s/server/** rw,
|
||||
/var/lib/rancher/k3s/{,**} r,
|
||||
/var/lib/rancher/k3s/agent/** rw,
|
||||
/var/lib/rancher/k3s/server/** rw,
|
||||
/var/lib/rancher/k3s/server/db/** rwk,
|
||||
|
||||
# k3s want's to basically manage all directories and create some specific files.
|
||||
@ -85,19 +85,19 @@ profile k3s @{exec_path} flags=(complain) {
|
||||
/var/lib/kubelet/pods/@{uuid}/**/namespace rw,
|
||||
/var/lib/kubelet/pods/@{uuid}/**/token rw,
|
||||
|
||||
/var/log/containers/ r,
|
||||
/var/log/containers/** rw,
|
||||
/var/log/rancher/{,**} r,
|
||||
/var/log/kubelet/{,**} r,
|
||||
/var/log/kubernetes/{,**} r,
|
||||
/var/log/containers/ r,
|
||||
/var/log/containers/** rw,
|
||||
/var/log/rancher/{,**} r,
|
||||
/var/log/kubelet/{,**} r,
|
||||
/var/log/kubernetes/{,**} r,
|
||||
/var/log/kubernetes/audit/** rw,
|
||||
/var/log/pods/{,**} r,
|
||||
/var/log/pods/{,**/} rw,
|
||||
/var/log/pods/**/[0-9]*.log rw,
|
||||
/var/log/pods/{,**} r,
|
||||
/var/log/pods/{,**/} rw,
|
||||
/var/log/pods/**/[0-9]*.log rw,
|
||||
|
||||
@{HOME}/.kube/cache/discovery/{,**} rw,
|
||||
@{HOME}/.kube/cache/http/[0-9a-z]* rw,
|
||||
@{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
|
||||
owner @{HOME}/.kube/cache/discovery/{,**} rw,
|
||||
owner @{HOME}/.kube/cache/http/[0-9a-z]* rw,
|
||||
owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
|
||||
|
||||
@{run}/containerd/containerd.sock rw,
|
||||
@{run}/systemd/notify w,
|
||||
@ -106,36 +106,36 @@ profile k3s @{exec_path} flags=(complain) {
|
||||
@{run}/nodeagent/ rw,
|
||||
@{run}/xtables.lock rwk,
|
||||
|
||||
/var/tmp/etilqs_* rw,
|
||||
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
||||
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
owner @{PROC}/@{pids}/cpuset r,
|
||||
owner @{PROC}/@{pids}/mounts r,
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/net/dev r,
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
owner @{PROC}/@{pids}/cpuset r,
|
||||
owner @{PROC}/@{pids}/mounts r,
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/net/dev r,
|
||||
@{PROC}/@{pids}/net/ip_tables_names r,
|
||||
owner @{PROC}/@{pids}/net/ipv6_route r,
|
||||
owner @{PROC}/@{pids}/net/route r,
|
||||
owner @{PROC}/@{pids}/oom_score_adj rw,
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/uid_map r,
|
||||
owner @{PROC}/@{pids}/net/ipv6_route r,
|
||||
owner @{PROC}/@{pids}/net/route r,
|
||||
owner @{PROC}/@{pids}/oom_score_adj rw,
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/uid_map r,
|
||||
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/sys/net/ipv4/conf/all/* rw,
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/sys/net/ipv4/conf/all/* rw,
|
||||
@{PROC}/sys/net/ipv4/conf/default/* rw,
|
||||
@{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
|
||||
@{PROC}/sys/net/netfilter/* rw,
|
||||
@{PROC}/sys/kernel/keys/* r,
|
||||
@{PROC}/sys/kernel/panic rw,
|
||||
@{PROC}/sys/kernel/panic_on_oom rw,
|
||||
@{PROC}/sys/kernel/panic_on_oops rw,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/vm/overcommit_memory rw,
|
||||
@{PROC}/sys/vm/panic_on_oom r,
|
||||
@{PROC}/sys/net/netfilter/* rw,
|
||||
@{PROC}/sys/kernel/keys/* r,
|
||||
@{PROC}/sys/kernel/panic rw,
|
||||
@{PROC}/sys/kernel/panic_on_oom rw,
|
||||
@{PROC}/sys/kernel/panic_on_oops rw,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/vm/overcommit_memory rw,
|
||||
@{PROC}/sys/vm/panic_on_oom r,
|
||||
|
||||
@{sys}/class/net/ r,
|
||||
|
||||
|
||||
@ -11,6 +11,7 @@ include <tunables/global>
|
||||
profile pkttyagent @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability sys_nice,
|
||||
capability audit_write,
|
||||
@ -36,9 +37,6 @@ profile pkttyagent @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/nsswitch.conf r,
|
||||
/etc/passwd r,
|
||||
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user