Add CNI for containerd

2025-01-30 14:55:15 +01:00 · 2022-07-06 20:49:52 +02:00 · 2022-07-06 20:49:52 +02:00 · 9ea910d1a0
commit 9ea910d1a0
parent 4a37cd1149
3 changed files with 79 additions and 0 deletions
--- a/apparmor.d/groups/virt/calico
+++ b/apparmor.d/groups/virt/calico
@ -0,0 +1,26 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{opt/,}{cni/,}bin/calico
+profile calico @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rix,
+  @{exec_path}-ipam rix,
+  
+  network inet,
+  
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /var/lib/calico/ r,
+  /var/lib/calico/** r,
+  /etc/cni/net.d/ r,
+  /etc/cni/net.d/** r,
+    
+  /var/log/calico/cni/ r,
+  /var/log/calico/cni/cni.log wr,
+  
+  /run/calico/ipam.lock rwk,
+
+  include if exists <local/calico>
+}
--- a/apparmor.d/groups/virt/cni
+++ b/apparmor.d/groups/virt/cni
@ -0,0 +1,35 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile loopback /{opt/,}{cni/,}bin/loopback {
+  include <abstractions/base>
+
+  /opt/cni/bin/loopback rix,
+  
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/loopback>
+}
+
+profile portmap /{opt/,}{cni/,}bin/portmap {
+  include <abstractions/base>
+
+  /opt/cni/bin/portmap rix,
+  
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/portmap>
+}
+
+profile bandwidth /{opt/,}{cni/,}bin/bandwidth {
+  include <abstractions/base>
+
+  /opt/cni/bin/bandwidth rix,
+  
+  network inet,
+  network netlink raw,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/bandwidth>
+}
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/containerd
 profile containerd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability net_admin,
@ -16,6 +17,10 @@ profile containerd @{exec_path} {

  signal (receive) set=term peer=dockerd,

+  # Pulling container images
+  network inet,
+  network inet6,
+
  @{exec_path} mr,

  /{usr/,}bin/containerd-shim-runc-v2 rPUx,
@ -26,6 +31,19 @@ profile containerd @{exec_path} {
  /etc/cni/net.d/ rw,
  /etc/containerd/*.toml r,

+  /opt/cni/bin/loopback Px,
+  /opt/cni/bin/portmap Px,
+  /opt/cni/bin/bandwidth Px,
+  /opt/cni/bin/calico Px,
+
+  /var/log/pods/**/[0-9]*.log w,
+  @{run}/calico/ w,
+
+  @{run}/netns/ w,
+  @{run}/netns/cni-@{uuid} rw,
+  /var/lib/cni/results/cni-loopback-@{uuid}-lo l,
+  @{PROC}/@{pid}/task/[0-9]*/ns/net rw,
+
  /var/lib/containerd/{,**} rwk,
  /var/lib/docker/containerd/{,**} rwk,
  @{run}/containerd/{,**} rwk,