From d10f2c073c7d09d9d3ab55ae45b32fe6f16a90bf Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sun, 10 Jul 2022 13:01:31 +0200
Subject: [PATCH] Alphabetical sorting, group common options.
---
 apparmor.d/groups/virt/containerd | 8 ++++----
 apparmor.d/profiles-s-z/zpool | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index f73d1b37..9b1c578f 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -12,10 +12,10 @@ profile containerd @{exec_path} {
 include
 include
+ capability chown,
 capability dac_read_search,
 capability net_admin,
 capability sys_admin,
- capability chown,
 mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
 mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
@@ -24,11 +24,11 @@ profile containerd @{exec_path} {
 signal (receive) set=term peer=dockerd,
- @{exec_path} rm,
- /{usr/,}bin/unpigz rPUx,
- /{usr/,}{local/,}{s,}bin/zfs rPx,
+ @{exec_path} mr,
 /{usr/,}bin/containerd-shim-runc-v2 rPUx,
 /{usr/,}bin/kmod rPx,
+ /{usr/,}bin/unpigz rPUx,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
 /etc/cni/ rw,
 /etc/cni/{,**} r,
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool
index dfa2f83e..ccd94c56 100644
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@@ -10,20 +10,20 @@ profile zpool @{exec_path} flags=(complain) {
 capability sys_admin,
 @{exec_path} rm,
- /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
 /etc/hostid r,
+ @{PROC}/sys/kernel/spl/hostid r,
 @{run}/blkid/blkid.tab rw,
 @{run}/blkid/blkid.tab.old l,
 @{run}/blkid/blkid.tab-* rwl,
- @{PROC}/sys/kernel/spl/hostid r,
 @{PROC}/@{pids}/mounts r,
- /dev/zfs rw,
 /dev/pts/[0-9]* rw,
+ /dev/zfs rw,
 include if exists
 }
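Review bot: The second containerd hunk rewrites `@{exec_path} rm,` as `@{exec_path} mr,`, yet the zpool hunk in the same commit leaves its own `@{exec_path} rm,` untouched as a context line. Both spellings grant the identical permission set (read plus mmap-exec), so this is a spelling convention rather than a sort or a grouping, and the commit message does not mention it. If `mr` is the intended house style, the zpool rule should be changed here too, `@{exec_path} mr,`, and the message should say the permission letters were normalised; otherwise keep `rm` in containerd so the diff stays a pure reorder that can be reviewed as such. The enclosing `profile containerd { ... }` and `profile zpool { ... }` blocks begin before these hunks, so the reorder's effect on other rules in those profiles is not visible here.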