From a1f4dbee50a6ccbd2503615b6d82e3f132c81cc4 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Tue, 19 Jul 2022 21:58:27 +0200
Subject: [PATCH] First batch of cleanups based on PR comments.
---
 apparmor.d/groups/virt/cni-calico | 5 ++---
 apparmor.d/groups/virt/k3s | 8 +++-----
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index a79fe660..68467671 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -36,9 +36,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 @{run}/calico/ipam.lock rwk,
 @{run}/netns/cni-@{uuid} r,
- @{PROC}/sys/net/ipv4/ip_forward rw,
- @{PROC}/sys/net/ipv4/{conf,neigh}/cali[0-9a-z]*/* rw,
- @{PROC}/sys/net/ipv6/{conf,neigh}/cali[0-9a-z]*/* rw,
+ @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
+ @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 38a8f46f..fa2d75be 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -80,9 +80,7 @@ profile k3s @{exec_path} flags=(complain) {
 /var/log/pods/{,**/} rw,
 /var/log/pods/**/[0-9]*.log rw,
- owner @{HOME}/.kube/cache/discovery/{,**} rw,
- owner @{HOME}/.kube/cache/http/[0-9a-z]* rw,
- owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
+ owner @{HOME}/.kube/** rw,
 @{run}/containerd/containerd.sock rw,
 @{run}/systemd/notify w,
@@ -109,8 +107,8 @@ profile k3s @{exec_path} flags=(complain) {
 @{PROC}/modules r,
 @{PROC}/sys/fs/pipe-max-size r,
 @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/sys/net/ipv4/conf/all/* rw,
- @{PROC}/sys/net/ipv4/conf/default/* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/all/* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
 @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
 @{PROC}/sys/net/netfilter/* rw,
 @{PROC}/sys/kernel/keys/* r,
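Review bot: In the cni-calico hunk, the merged rule `@{PROC}/sys/net/ipv{4,6}/ip_forward rw,` adds an IPv6 alternative that matches no real sysctl, because Linux exposes IPv6 forwarding as `net/ipv6/conf/all/forwarding` and has no `net/ipv6/ip_forward`. The removed lines had no IPv6 forwarding rule at all, so the brace form suggests coverage that is not there. Keep `@{PROC}/sys/net/ipv4/ip_forward rw,` as it was and, only if the audit log shows Calico touching it, add `@{PROC}/sys/net/ipv6/conf/all/forwarding rw,` on its own line. The profile body starts and ends outside the hunk.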
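Review bot: In the first k3s hunk (`@@ -80,9 +80,7 @@`), `owner @{HOME}/.kube/** rw,` widens three cache-only rules to the whole `~/.kube` tree, so the profile now permits reading and rewriting `~/.kube/config` and any client keys or tokens stored beside it. The profile is `flags=(complain)` today, but this line becomes the effective policy the moment it is enforced. Suggest keeping write access confined to the cache with `owner @{HOME}/.kube/cache/{,**} rw,` and, if k3s is actually seen reading the kubeconfig, granting it separately as `owner @{HOME}/.kube/config r,`. The profile body starts and ends outside the hunk.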
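Review bot: In the second k3s hunk (`@@ -109,8 +107,8 @@`), extending `conf/all/*` and `conf/default/*` to IPv6 grants write access to every sysctl in those directories, which on IPv6 includes `accept_ra`, `accept_redirects` and `forwarding`, and nothing in the patch records which of them k3s was observed writing. A short comment above the rules naming the sysctls that motivated the change (for example `# sysctls k3s sets at startup; IPv6 added for dual-stack`, with the actual list filled in) would make the widening reviewable, and a narrower file list would be better still. If the wildcard stays, the two lines fold into `@{PROC}/sys/net/ipv{4,6}/conf/{all,default}/* rw,`, matching the brace style used elsewhere in this patch.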