mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 16:03:51 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Alphabetical sorting, group common options.

Browse Source
This commit is contained in:
Jeroen Rijken 2022-07-10 13:01:31 +02:00 committed by Alex
parent 59f8b893ff
commit d10f2c073c
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apparmor.d/groups/virt/containerd
View File

@ -12,10 +12,10 @@ profile containerd @{exec_path} {
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/devices-usb> include <abstractions/devices-usb>
capability chown,
capability dac_read_search, capability dac_read_search,
capability net_admin, capability net_admin,
capability sys_admin, capability sys_admin,
capability chown,
mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
@ -24,11 +24,11 @@ profile containerd @{exec_path} {
signal (receive) set=term peer=dockerd, signal (receive) set=term peer=dockerd,
@{exec_path} rm, @{exec_path} mr,
/{usr/,}bin/unpigz rPUx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
/{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/containerd-shim-runc-v2 rPUx,
/{usr/,}bin/kmod rPx, /{usr/,}bin/kmod rPx,
/{usr/,}bin/unpigz rPUx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
/etc/cni/ rw, /etc/cni/ rw,
/etc/cni/{,**} r, /etc/cni/{,**} r,

6
apparmor.d/profiles-s-z/zpool
View File

@ -10,20 +10,20 @@ profile zpool @{exec_path} flags=(complain) {
capability sys_admin, capability sys_admin,
@{exec_path} rm, @{exec_path} rm,
/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
/etc/hostid r, /etc/hostid r,
@{PROC}/sys/kernel/spl/hostid r,
@{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab rw,
@{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab.old l,
@{run}/blkid/blkid.tab-* rwl, @{run}/blkid/blkid.tab-* rwl,
@{PROC}/sys/kernel/spl/hostid r,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
/dev/zfs rw,
/dev/pts/[0-9]* rw, /dev/pts/[0-9]* rw,
/dev/zfs rw,
include if exists <local/zfs> include if exists <local/zfs>
} }