Apply suggested fixes from PR

This commit is contained in:
Jeroen Rijken 2022-07-18 20:23:05 +02:00 committed by Alex
parent 5af6cda328
commit 78cfb23bff
3 changed files with 59 additions and 61 deletions


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}sbin/xtables-nft-multi @{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) { profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -14,19 +14,19 @@ profile xtables-nft-multi @{exec_path} flags=(attach_disconnected,complain) {
capability net_admin, capability net_admin,
capability net_raw, capability net_raw,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet raw, network inet raw,
network inet6 raw, network inet6 raw,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/etc/libnl/classid r, /etc/libnl/classid r,
/etc/iptables/{,**} rw, /etc/iptables/{,**} rw,
/etc/nftables.conf rw, /etc/nftables.conf rw,
@{PROC}/@{pids}/net/ip_tables_names r, @{PROC}/@{pids}/net/ip_tables_names r,


@ -24,13 +24,13 @@ profile k3s @{exec_path} flags=(complain) {
ptrace peer=@{profile_name}, ptrace peer=@{profile_name},
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
signal (send, receive) set=term, signal (send, receive) set=term,
@ -56,20 +56,20 @@ profile k3s @{exec_path} flags=(complain) {
/{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi, /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi,
/{usr/,}{s,}bin/xtables-nft-multi rPx, /{usr/,}{s,}bin/xtables-nft-multi rPx,
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r, @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
/usr/share/mime/globs2 r, /usr/share/mime/globs2 r,
/etc/machine-id r, /etc/machine-id r,
/etc/rancher/k3s/{,**} r, /etc/rancher/k3s/{,**} r,
/etc/rancher/k3s/k3s.yaml rw, /etc/rancher/k3s/k3s.yaml rw,
/etc/rancher/node/password r, /etc/rancher/node/password r,
/var/lib/rancher/k3s/{,**} r, /var/lib/rancher/k3s/{,**} r,
/var/lib/rancher/k3s/agent/** rw, /var/lib/rancher/k3s/agent/** rw,
/var/lib/rancher/k3s/server/** rw, /var/lib/rancher/k3s/server/** rw,
/var/lib/rancher/k3s/server/db/** rwk, /var/lib/rancher/k3s/server/db/** rwk,
# k3s want's to basically manage all directories and create some specific files. # k3s want's to basically manage all directories and create some specific files.
@ -85,19 +85,19 @@ profile k3s @{exec_path} flags=(complain) {
/var/lib/kubelet/pods/@{uuid}/**/namespace rw, /var/lib/kubelet/pods/@{uuid}/**/namespace rw,
/var/lib/kubelet/pods/@{uuid}/**/token rw, /var/lib/kubelet/pods/@{uuid}/**/token rw,
/var/log/containers/ r, /var/log/containers/ r,
/var/log/containers/** rw, /var/log/containers/** rw,
/var/log/rancher/{,**} r, /var/log/rancher/{,**} r,
/var/log/kubelet/{,**} r, /var/log/kubelet/{,**} r,
/var/log/kubernetes/{,**} r, /var/log/kubernetes/{,**} r,
/var/log/kubernetes/audit/** rw, /var/log/kubernetes/audit/** rw,
/var/log/pods/{,**} r, /var/log/pods/{,**} r,
/var/log/pods/{,**/} rw, /var/log/pods/{,**/} rw,
/var/log/pods/**/[0-9]*.log rw, /var/log/pods/**/[0-9]*.log rw,
@{HOME}/.kube/cache/discovery/{,**} rw, owner @{HOME}/.kube/cache/discovery/{,**} rw,
@{HOME}/.kube/cache/http/[0-9a-z]* rw, owner @{HOME}/.kube/cache/http/[0-9a-z]* rw,
@{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw, owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
@{run}/containerd/containerd.sock rw, @{run}/containerd/containerd.sock rw,
@{run}/systemd/notify w, @{run}/systemd/notify w,
@ -106,36 +106,36 @@ profile k3s @{exec_path} flags=(complain) {
@{run}/nodeagent/ rw, @{run}/nodeagent/ rw,
@{run}/xtables.lock rwk, @{run}/xtables.lock rwk,
/var/tmp/etilqs_* rw, owner /var/tmp/etilqs_[0-9a-f]* rw,
owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/cpuset r, owner @{PROC}/@{pids}/cpuset r,
owner @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/mounts r,
owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/net/ip_tables_names r, @{PROC}/@{pids}/net/ip_tables_names r,
owner @{PROC}/@{pids}/net/ipv6_route r, owner @{PROC}/@{pids}/net/ipv6_route r,
owner @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pids}/net/route r,
owner @{PROC}/@{pids}/oom_score_adj rw, owner @{PROC}/@{pids}/oom_score_adj rw,
owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/uid_map r, owner @{PROC}/@{pids}/uid_map r,
@{PROC}/diskstats r, @{PROC}/diskstats r,
@{PROC}/modules r, @{PROC}/modules r,
@{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/fs/pipe-max-size r,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/conf/all/* rw, @{PROC}/sys/net/ipv4/conf/all/* rw,
@{PROC}/sys/net/ipv4/conf/default/* rw, @{PROC}/sys/net/ipv4/conf/default/* rw,
@{PROC}/sys/net/bridge/bridge-nf-call-iptables r, @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
@{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/net/netfilter/* rw,
@{PROC}/sys/kernel/keys/* r, @{PROC}/sys/kernel/keys/* r,
@{PROC}/sys/kernel/panic rw, @{PROC}/sys/kernel/panic rw,
@{PROC}/sys/kernel/panic_on_oom rw, @{PROC}/sys/kernel/panic_on_oom rw,
@{PROC}/sys/kernel/panic_on_oops rw, @{PROC}/sys/kernel/panic_on_oops rw,
@{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/overcommit_memory rw,
@{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/panic_on_oom r,
@{sys}/class/net/ r, @{sys}/class/net/ r,
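Review bot: The narrowed rule `owner /var/tmp/etilqs_[0-9a-f]* rw,` bakes in an assumption about how those temporary-file names are generated that the profile does not record; they look like SQLite temp files, and current SQLite emits the random suffix as lowercase hex, but older builds used a mixed-case alphanumeric suffix that the previous `etilqs_*` glob matched and this one silently does not. A why-comment on the line would spare the next maintainer a hunt through the audit log, e.g. `# SQLite temp files in world-writable /var/tmp; suffix is hex in current SQLite, owner excludes other uids' files`. Because this profile is flagged `complain`, a pattern that no longer matches shows up only as a logged denial rather than a failure, so it is easy to miss. The `@{libexec}` substitution on the two kubelet-plugins lines likewise depends on that variable being defined by the included tunables, which is not visible in this file and would otherwise fail at parse time.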


@ -11,6 +11,7 @@ include <tunables/global>
profile pkttyagent @{exec_path} { profile pkttyagent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability sys_nice, capability sys_nice,
capability audit_write, capability audit_write,
@ -36,9 +37,6 @@ profile pkttyagent @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/nsswitch.conf r,
/etc/passwd r,
owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/stat r,
/dev/tty rw, /dev/tty rw,
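Review bot: Replacing the two explicit reads of `/etc/nsswitch.conf` and `/etc/passwd` with `include <abstractions/nameservice-strict>` widens what pkttyagent may access to whatever that abstraction grants (typically the other NSS databases and resolver configuration), and as rendered here the profile header carries no `complain` flag, so the widening is enforced immediately. The hunk does not say why the lookup is needed; a one-line comment beside the include, e.g. `# NSS lookups (uid/gid to name); supersedes the explicit /etc/passwd and /etc/nsswitch.conf rules`, would let a later reviewer judge whether the broader abstraction is still warranted. The abstraction's contents are not visible in this diff, so its exact scope should be checked against the abstraction file before merging.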