From c680dfe7db190ac1f3fc099a6ffb63e57892eaa7 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Fri, 19 Aug 2022 10:31:23 +0200 Subject: [PATCH] sort rules --- apparmor.d/groups/virt/k3s | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 38fef08b..a370a512 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -110,16 +110,11 @@ profile k3s @{exec_path} { owner @{PROC}/@{pids}/oom_score_adj rw, owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/uid_map r, - + @{PROC}/diskstats r, @{PROC}/loadavg r, @{PROC}/modules r, @{PROC}/sys/fs/pipe-max-size r, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, - @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, - @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, - @{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/kernel/keys/* r, @{PROC}/sys/kernel/panic rw, @{PROC}/sys/kernel/panic_on_oom rw, @@ -127,11 +122,16 @@ profile k3s @{exec_path} { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/threads-max r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, + @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, + @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, + @{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, - + @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r, @{sys}/devices/system/edac/mc/ r, @{sys}/devices/system/cpu/ r, @@ -139,14 +139,15 @@ profile k3s @{exec_path} { @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, @{sys}/devices/system/cpu/present{,/} r, - - @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, - @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/ r, @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r, @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r, + + @{sys}/devices/virtual/block/*/** r, @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, + @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/fs/cgroup/{,*,*/} r, @{sys}/fs/cgroup/cgroup.subtree_control rw,