From b404d7e4c463fa94f5527820d6450586d0369af0 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Thu, 21 Jul 2022 16:46:34 +0200
Subject: [PATCH] Move xtables-nft to separate profile

---
 apparmor.d/groups/virt/cni-portmap | 7 ++++++
 apparmor.d/groups/virt/cni-xtables-nft | 34 ++++++++++++++++++++++++++
 apparmor.d/groups/virt/k3s | 33 +++++--------------------
 3 files changed, 47 insertions(+), 27 deletions(-)
 create mode 100644 apparmor.d/groups/virt/cni-xtables-nft

diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap
index 38fec593..0c83c88a 100644
--- a/apparmor.d/groups/virt/cni-portmap
+++ b/apparmor.d/groups/virt/cni-portmap
@@ -10,7 +10,14 @@ include
 profile cni-portmap @{exec_path} {
   include
 
+  capability net_admin,
+
+  network netlink raw,
+
   @{exec_path} mr,
 
+  /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
+
+  @{PROC}/sys/net/ipv4/conf/cali[0-9a-z]*/route_localnet rw,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft
new file mode 100644
index 00000000..45d2820a
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-xtables-nft
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
+profile cni-xtables-nft flags=(complain) {
+  include
+  include
+
+  capability net_admin,
+  capability net_raw,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet raw,
+  network inet6 raw,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/libnl/classid r,
+  /etc/iptables/{,**} rw,
+  /etc/nftables.conf rw,
+
+  @{PROC}/@{pids}/net/ip_tables_names r,
+
+  /dev/pts/[0-9]* rw,
+}
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 293e24d8..423e79d6 100644
--- a/apparmor.d/groups/virt/k3s
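Review bot: The new `/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,` transition leaves an enforce-mode profile (`profile cni-portmap @{exec_path} {` carries no flags in the context line) for a target that is declared `flags=(complain)` in the same patch, so until cni-xtables-nft is promoted the firewall-manipulation step is effectively only logged, not confined; a comment such as `# target profile is still complain-mode, see cni-xtables-nft` on the transition line, or promoting the new profile together with this change, would make that explicit. The `route_localnet` rule hard-codes Calico's `cali[0-9a-z]*` interface naming in what is otherwise a generic CNI plugin profile, so if portmap is ever used with another CNI the sysctl write will be denied; `# Calico veth naming; other CNIs use different interface prefixes` would save the next reader a dmesg hunt. The `capability net_admin,` and `network netlink raw,` grants are not explained by anything visible in the hunk — presumably the sysctl write or connection-tracking cleanup needs them, but a one-line reason next to each would justify the widening. The profile body continues outside this hunk.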
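Review bot: The new profile closes right after `/dev/pts/[0-9]* rw,` without the `include if exists <local/cni-xtables-nft>` line that this tree's profiles end with (the k3s profile's closing context in this same patch shows the convention), so site-local overrides for the shared xtables profile are impossible; add `  include if exists <local/cni-xtables-nft>` before the closing brace. The rules are carried over from the removed k3s child profile, but this is now a target reached from two callers, which makes the `rw` on `/etc/iptables/{,**}` and `/etc/nftables.conf` worth a second look: nothing visible here suggests xtables-nft-multi writes persistent configuration (iptables-save emits to stdout), and write access would let a compromised CNI invocation persist rules across reboot. If no caller actually writes these files, narrow them to `r`; otherwise a comment naming the caller that does would justify the grant.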
+++ b/apparmor.d/groups/virt/k3s
@@ -38,11 +38,15 @@ profile k3s @{exec_path} flags=(complain) {
   signal (send, receive) set=term,
   signal (send) set=kill peer=unconfined,
 
+  unix (bind,listen) type=stream addr=@xtables,
+
   @{exec_path} mr,
   /{usr/,}bin/kmod rPx,
   /{usr/,}bin/mount rPx,
   /{usr/,}bin/systemd-run rix,
-  /{usr/,}{s,}bin/xtables-nft-multi rCx -> xtables-nft-multi,
+  /{usr/,}bin/{nano,emacs,ed} rPUx,
+  /{usr/,}bin/vim{,.basic} rPUx,
+  /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
   @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
   /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
 
@@ -78,6 +82,7 @@ profile k3s @{exec_path} flags=(complain) {
   @{run}/xtables.lock rwk,
 
   owner /var/tmp/etilqs_[0-9a-f]* rw,
+  owner /tmp/kubectl-edit-[0-9]*.yaml rw,
 
   owner @{PROC}/@{pids}/cgroup r,
   owner @{PROC}/@{pids}/cpuset r,
@@ -150,31 +155,5 @@ profile k3s @{exec_path} flags=(complain) {
   /dev/kmsg r,
   /dev/pts/[0-9]* rw,
 
-  profile xtables-nft-multi flags=(complain) {
-    include
-    include
-
-    capability net_admin,
-    capability net_raw,
-
-    network inet dgram,
-    network inet6 dgram,
-    network inet raw,
-    network inet6 raw,
-    network inet stream,
-    network inet6 stream,
-    network netlink raw,
-
-    /{usr/,}{s,}bin/xtables-nft-multi mr,
-
-    /etc/libnl/classid r,
-    /etc/iptables/{,**} rw,
-    /etc/nftables.conf rw,
-
-    @{PROC}/@{pids}/net/ip_tables_names r,
-
-    /dev/pts/[0-9]* rw,
-  }
-
   include if exists
 }
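Review bot: The new editor rules `/{usr/,}bin/{nano,emacs,ed} rPUx,` and `/{usr/,}bin/vim{,.basic} rPUx,` fall back to unconfined whenever no profile for that editor is loaded, and an interactive editor with shell escapes (vim `:!`, emacs `M-x shell`) started unconfined from the k3s binary is a complete confinement exit; if these exist for `kubectl edit`, say so and consider `rPx`, so a missing editor profile fails closed, e.g. `# kubectl edit: spawns $KUBE_EDITOR/$EDITOR; no unconfined fallback`. Because the editor is picked by the user through `KUBE_EDITOR`/`EDITOR`, this list will also silently reject other editors once the profile leaves complain mode, which a comment stating that only these four are allowed would make less surprising. The `unix (bind,listen) type=stream addr=@xtables,` line would benefit from a note on who binds that abstract socket — presumably iptables' legacy lock handling inside the k3s process, since the actual xtables exec now lands in the separate cni-xtables-nft profile — so the next reader can tell whether it is still needed. The k3s profile body starts and ends outside this hunk.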