mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Apply suggested fixes from PR

Browse Source
This commit is contained in:
Jeroen Rijken 2022-07-18 20:23:05 +02:00 committed by Alex
parent 5af6cda328
commit 78cfb23bff
3 changed files with 59 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/groups/network/xtables-nft-multi
View File

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/xtables-nft-multi @{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) { profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

12
apparmor.d/groups/virt/k3s
View File

@ -56,10 +56,10 @@ profile k3s @{exec_path} flags=(complain) {
/{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi, /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi,
/{usr/,}{s,}bin/xtables-nft-multi rPx, /{usr/,}{s,}bin/xtables-nft-multi rPx,
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r, @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
/usr/share/mime/globs2 r, /usr/share/mime/globs2 r,
/etc/machine-id r, /etc/machine-id r,
@ -95,9 +95,9 @@ profile k3s @{exec_path} flags=(complain) {
/var/log/pods/{,**/} rw, /var/log/pods/{,**/} rw,
/var/log/pods/**/[0-9]*.log rw, /var/log/pods/**/[0-9]*.log rw,
@{HOME}/.kube/cache/discovery/{,**} rw, owner @{HOME}/.kube/cache/discovery/{,**} rw,
@{HOME}/.kube/cache/http/[0-9a-z]* rw, owner @{HOME}/.kube/cache/http/[0-9a-z]* rw,
@{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw, owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
@{run}/containerd/containerd.sock rw, @{run}/containerd/containerd.sock rw,
@{run}/systemd/notify w, @{run}/systemd/notify w,
@ -106,7 +106,7 @@ profile k3s @{exec_path} flags=(complain) {
@{run}/nodeagent/ rw, @{run}/nodeagent/ rw,
@{run}/xtables.lock rwk, @{run}/xtables.lock rwk,
/var/tmp/etilqs_* rw, owner /var/tmp/etilqs_[0-9a-f]* rw,
owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/cpuset r, owner @{PROC}/@{pids}/cpuset r,

4
apparmor.d/profiles-m-r/pkttyagent
View File

@ -11,6 +11,7 @@ include <tunables/global>
profile pkttyagent @{exec_path} { profile pkttyagent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability sys_nice, capability sys_nice,
capability audit_write, capability audit_write,
@ -36,9 +37,6 @@ profile pkttyagent @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/nsswitch.conf r,
/etc/passwd r,
owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/stat r,
/dev/tty rw, /dev/tty rw,