mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move xtables-nft to separate profile

Browse source
This commit is contained in:
Jeroen Rijken 2022-07-21 16:46:34 +02:00 committed by Alex
parent 130c562488
commit b404d7e4c4
3 changed files with 47 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
apparmor.d/groups/virt/cni-portmap
View file

@ -10,7 +10,14 @@ include <tunables/global>
profile cni-portmap @{exec_path} { profile cni-portmap @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability net_admin,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
@{PROC}/sys/net/ipv4/conf/cali[0-9a-z]*/route_localnet rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

34
apparmor.d/groups/virt/cni-xtables-nft Normal file
View file

@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
profile cni-xtables-nft flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability net_admin,
capability net_raw,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/etc/libnl/classid r,
/etc/iptables/{,**} rw,
/etc/nftables.conf rw,
@{PROC}/@{pids}/net/ip_tables_names r,
/dev/pts/[0-9]* rw,
}

33
apparmor.d/groups/virt/k3s
View file

@ -38,11 +38,15 @@ profile k3s @{exec_path} flags=(complain) {
signal (send, receive) set=term, signal (send, receive) set=term,
signal (send) set=kill peer=unconfined, signal (send) set=kill peer=unconfined,
unix (bind,listen) type=stream addr=@xtables,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/kmod rPx, /{usr/,}bin/kmod rPx,
/{usr/,}bin/mount rPx, /{usr/,}bin/mount rPx,
/{usr/,}bin/systemd-run rix, /{usr/,}bin/systemd-run rix,
/{usr/,}{s,}bin/xtables-nft-multi rCx -> xtables-nft-multi, /{usr/,}bin/{nano,emacs,ed} rPUx,
/{usr/,}bin/vim{,.basic} rPUx,
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
@ -78,6 +82,7 @@ profile k3s @{exec_path} flags=(complain) {
@{run}/xtables.lock rwk, @{run}/xtables.lock rwk,
owner /var/tmp/etilqs_[0-9a-f]* rw, owner /var/tmp/etilqs_[0-9a-f]* rw,
owner /tmp/kubectl-edit-[0-9]*.yaml rw,
owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/cgroup r,
owner @{PROC}/@{pids}/cpuset r, owner @{PROC}/@{pids}/cpuset r,
@ -150,31 +155,5 @@ profile k3s @{exec_path} flags=(complain) {
/dev/kmsg r, /dev/kmsg r,
/dev/pts/[0-9]* rw, /dev/pts/[0-9]* rw,
profile xtables-nft-multi flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability net_admin,
capability net_raw,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network inet stream,
network inet6 stream,
network netlink raw,
/{usr/,}{s,}bin/xtables-nft-multi mr,
/etc/libnl/classid r,
/etc/iptables/{,**} rw,
/etc/nftables.conf rw,
@{PROC}/@{pids}/net/ip_tables_names r,
/dev/pts/[0-9]* rw,
}
include if exists <local/k3s> include if exists <local/k3s>
} }