diff --git a/apparmor.d/groups/network/xtables-nft-multi b/apparmor.d/groups/network/xtables-nft-multi
index 8a3fd424..8e71ec36 100644
--- a/apparmor.d/groups/network/xtables-nft-multi
+++ b/apparmor.d/groups/network/xtables-nft-multi
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}sbin/xtables-nft-multi
+@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
 profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) {
 include
 include
@@ -14,19 +14,19 @@ profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) {
 capability net_admin,
 capability net_raw,
- network inet dgram,
- network inet6 dgram,
- network inet raw,
- network inet6 raw,
- network inet stream,
- network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet raw,
+ network inet6 raw,
+ network inet stream,
+ network inet6 stream,
 network netlink raw,
 @{exec_path} mr,
 /etc/libnl/classid r,
- /etc/iptables/{,**} rw,
- /etc/nftables.conf rw,
+ /etc/iptables/{,**} rw,
+ /etc/nftables.conf rw,
 @{PROC}/@{pids}/net/ip_tables_names r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 184ed052..f16fa487 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -24,13 +24,13 @@ profile k3s @{exec_path} flags=(complain) {
 ptrace peer=@{profile_name},
 ptrace (read) peer=unconfined,
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
 network netlink raw,
- mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+ mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
 umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
 signal (send, receive) set=term,
@@ -56,20 +56,20 @@ profile k3s @{exec_path} flags=(complain) {
 /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi,
 /{usr/,}{s,}bin/xtables-nft-multi rPx,
- /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
+ @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
 /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
- /usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r,
+ @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
 /usr/share/mime/globs2 r,
- /etc/machine-id r,
- /etc/rancher/k3s/{,**} r,
- /etc/rancher/k3s/k3s.yaml rw,
+ /etc/machine-id r,
+ /etc/rancher/k3s/{,**} r,
+ /etc/rancher/k3s/k3s.yaml rw,
 /etc/rancher/node/password r,
- /var/lib/rancher/k3s/{,**} r,
- /var/lib/rancher/k3s/agent/** rw,
- /var/lib/rancher/k3s/server/** rw,
+ /var/lib/rancher/k3s/{,**} r,
+ /var/lib/rancher/k3s/agent/** rw,
+ /var/lib/rancher/k3s/server/** rw,
 /var/lib/rancher/k3s/server/db/** rwk,
 # k3s want's to basically manage all directories and create some specific files.
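Review bot: Both rewritten rules now depend on `@{libexec}` being supplied by the tunables this profile includes (the include lines sit above this hunk), and the parser does not accept a profile that references an undefined variable, so it is worth confirming that the definition also expands to the `/usr/libexec` path the replaced literal matched. The `rix` on the nodeagent~uds plugin binary is unchanged and means that helper runs inside the k3s profile with its full rule set, which deserves a one-line comment such as `# volume plugin helper runs inherited (ix) under this profile` so the choice is not mistaken for an oversight. The profile body starts and continues outside this hunk.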
@@ -85,19 +85,19 @@ profile k3s @{exec_path} flags=(complain) {
 /var/lib/kubelet/pods/@{uuid}/**/namespace rw,
 /var/lib/kubelet/pods/@{uuid}/**/token rw,
- /var/log/containers/ r,
- /var/log/containers/** rw,
- /var/log/rancher/{,**} r,
- /var/log/kubelet/{,**} r,
- /var/log/kubernetes/{,**} r,
+ /var/log/containers/ r,
+ /var/log/containers/** rw,
+ /var/log/rancher/{,**} r,
+ /var/log/kubelet/{,**} r,
+ /var/log/kubernetes/{,**} r,
 /var/log/kubernetes/audit/** rw,
- /var/log/pods/{,**} r,
- /var/log/pods/{,**/} rw,
- /var/log/pods/**/[0-9]*.log rw,
+ /var/log/pods/{,**} r,
+ /var/log/pods/{,**/} rw,
+ /var/log/pods/**/[0-9]*.log rw,
- @{HOME}/.kube/cache/discovery/{,**} rw,
- @{HOME}/.kube/cache/http/[0-9a-z]* rw,
- @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
+ owner @{HOME}/.kube/cache/discovery/{,**} rw,
+ owner @{HOME}/.kube/cache/http/[0-9a-z]* rw,
+ owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
 @{run}/containerd/containerd.sock rw,
 @{run}/systemd/notify w,
@@ -106,36 +106,36 @@ profile k3s @{exec_path} flags=(complain) {
 @{run}/nodeagent/ rw,
 @{run}/xtables.lock rwk,
- /var/tmp/etilqs_* rw,
+ owner /var/tmp/etilqs_[0-9a-f]* rw,
- owner @{PROC}/@{pids}/cgroup r,
- owner @{PROC}/@{pids}/cpuset r,
- owner @{PROC}/@{pids}/mounts r,
- owner @{PROC}/@{pids}/mountinfo r,
- @{PROC}/@{pids}/net/dev r,
+ owner @{PROC}/@{pids}/cgroup r,
+ owner @{PROC}/@{pids}/cpuset r,
+ owner @{PROC}/@{pids}/mounts r,
+ owner @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/net/dev r,
 @{PROC}/@{pids}/net/ip_tables_names r,
- owner @{PROC}/@{pids}/net/ipv6_route r,
- owner @{PROC}/@{pids}/net/route r,
- owner @{PROC}/@{pids}/oom_score_adj rw,
- owner @{PROC}/@{pids}/stat r,
- owner @{PROC}/@{pids}/uid_map r,
+ owner @{PROC}/@{pids}/net/ipv6_route r,
+ owner @{PROC}/@{pids}/net/route r,
+ owner @{PROC}/@{pids}/oom_score_adj rw,
+ owner @{PROC}/@{pids}/stat r,
+ owner @{PROC}/@{pids}/uid_map r,
- @{PROC}/diskstats r,
- @{PROC}/modules r,
- @{PROC}/sys/fs/pipe-max-size r,
- @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/sys/net/ipv4/conf/all/* rw,
+ @{PROC}/diskstats r,
+ @{PROC}/modules r,
+ @{PROC}/sys/fs/pipe-max-size r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/sys/net/ipv4/conf/all/* rw,
 @{PROC}/sys/net/ipv4/conf/default/* rw,
 @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
- @{PROC}/sys/net/netfilter/* rw,
- @{PROC}/sys/kernel/keys/* r,
- @{PROC}/sys/kernel/panic rw,
- @{PROC}/sys/kernel/panic_on_oom rw,
- @{PROC}/sys/kernel/panic_on_oops rw,
- @{PROC}/sys/kernel/pid_max r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/vm/overcommit_memory rw,
- @{PROC}/sys/vm/panic_on_oom r,
+ @{PROC}/sys/net/netfilter/* rw,
+ @{PROC}/sys/kernel/keys/* r,
+ @{PROC}/sys/kernel/panic rw,
+ @{PROC}/sys/kernel/panic_on_oom rw,
+ @{PROC}/sys/kernel/panic_on_oops rw,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/vm/overcommit_memory rw,
+ @{PROC}/sys/vm/panic_on_oom r,
 @{sys}/class/net/ r,
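Review bot: The new `owner /var/tmp/etilqs_[0-9a-f]* rw` rule carries no comment saying what it covers; `etilqs_` is the temporary-file prefix SQLite uses, so a line such as `# SQLite temporary files (etilqs_<hex>)` above it would make the tighter glob and the added `owner` qualifier self-explanatory. Note that `[0-9a-f]*` also matches the bare `/var/tmp/etilqs_` name with nothing after it, which is harmless here but worth knowing if the pattern is tightened later. The remaining lines in this hunk only change whitespace. The profile body continues beyond this hunk.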
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent
index 3b7440e9..fb894967 100644
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@@ -11,6 +11,7 @@ include
 profile pkttyagent @{exec_path} {
 include
 include
+ include
 capability sys_nice,
 capability audit_write,
@@ -36,9 +37,6 @@ profile pkttyagent @{exec_path} {
 @{exec_path} mr,
- /etc/nsswitch.conf r,
- /etc/passwd r,
- owner @{PROC}/@{pids}/stat r,
 /dev/tty rw,
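Review bot: The second hunk drops `/etc/nsswitch.conf r`, `/etc/passwd r` and `owner @{PROC}/@{pids}/stat r`, and the only thing added in return is the new include in the first hunk, whose target is not visible in this rendering; if that include is a name-service abstraction it will cover the two /etc reads, but it is unlikely to grant the process's own `@{PROC}/@{pids}/stat`, so that removal should be checked against the abstraction's contents or the rule restored. A short comment on the new include line naming what it replaces, e.g. `# covers the nsswitch/passwd lookups formerly listed below`, would make the substitution reviewable from the profile alone. The profile body continues outside both hunks.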